Kraken, a cryptocurrency exchange, has successfully recovered missing funds after a highly publicized bug bounty exploit incident. The stolen digital assets, valued at nearly $3 million, have been returned, marking the conclusion of the Kraken-CertiK saga that commenced on June 9.
Nicholas Percoco, Kraken’s chief security officer, confirmed in a post on June 20 that the funds had been recovered, net of transaction fees. He had first announced the $3 million shortfall on June 19, after discovering that a “security researcher” had maliciously withdrawn the assets from the treasury after finding and disclosing an existing bug.
Kraken alleged that it had been extorted by the security researcher, who refused to return the funds and demanded a reward as well as a call with the exchange’s business development team.
Following Kraken’s announcement about the missing funds, the blockchain security firm CertiK publicly identified itself as the “security researcher” that had removed $3 million in digital assets from Kraken’s accounts. CertiK said it had informed Kraken of an exploit allowing millions of dollars to be withdrawn from the exchange’s accounts, and added that it had been threatened by the exchange’s team.
CertiK posted a timeline of events, starting with the identification of the exploit on June 5 and ending with claims that Kraken threatened a CertiK employee on June 18. CertiK stated that it intended to transfer the funds “to an account that Kraken will be able to access.”
Kraken’s Percoco initially mentioned that the first malicious transfer, amounting to just $4, would have been enough to demonstrate the bug and receive “substantial rewards” from Kraken’s bounty program. However, the actual transfer by CertiK was nearly $3 million.
In a subsequent post after the return of the $3 million, CertiK stated that the multimillion-dollar sum was necessary to test the limits of the exchange. Additionally, CertiK claimed that it had not initially requested a bounty, but it was something mentioned by the exchange. CertiK clarified that no Kraken user funds were at risk since the exploited funds were “minted out of air.”