As an experienced cybersecurity analyst, I find the situation between CertiK and Kraken quite intriguing, yet concerning. While CertiK claims to have discovered critical vulnerabilities in Kraken’s exchange that could potentially lead to significant losses, the timeline of events and some of their actions raise questions.
As a crypto investor, I’d put it this way: I recently learned that a security issue in my digital assets was exploited, resulting in the unauthorized withdrawal of approximately $3 million worth of tokens from Kraken’s platform. The responsible party for this breach has since been identified as CertiK, a blockchain security firm.
CertiK, a New York-based blockchain security company, has confessed to being responsible for a bug exploit leading to the illicit withdrawal of approximately $3 million in tokens from the Kraken digital asset exchange.
As a researcher at CertiK, I identified a number of significant vulnerabilities in Kraken’s exchange during our analysis on June 19th. These weaknesses had the potential to result in substantial financial losses, potentially reaching into the hundreds of millions of dollars.
As an analyst, I’ve uncovered some significant vulnerabilities in KrakenFX exchange’s systems, as reported by CertiK. One of these vulnerabilities lies within the deposit system and could potentially result in substantial financial losses, reaching hundreds of millions of dollars, if not addressed. In this particular case, the deposit system may fail to distinguish between various internal transactions effectively.
— CertiK (@CertiK) June 19, 2024
As a security analyst at CertiK, I identified an issue with Kraken exchange as early as June 5th. During our assessment, we discovered that Kraken’s defense-in-depth system had been breached from multiple angles. Our team was able to circumvent the exchange’s withdrawal risk controls undetected, raising concerns about the effectiveness of their security measures.
As a researcher investigating this issue, I’ve uncovered a concerning finding: over one million dollars’ worth of fabricated crypto could be withdrawn from the account and exchanged for legitimate cryptocurrencies. This was discovered during routine testing, yet no alerts were triggered throughout the multi-day period. It wasn’t until after we reported the incident officially that Kraken took action and secured the test accounts.
CertiK
After finding the defects, CertiK notified Kraken’s security department, which classified the issue as “critical.” CertiK asserts that once the exploit was resolved, Kraken’s security personnel pressured CertiK employees to repay an excessive amount of crypto in a short timeframe, without supplying repayment addresses.
CertiK urged Kraken to stop making threats against ethical hackers, reaffirming its dedication to the web3 community in the interest of transparency. Yet the situation has ignited debate and doubt among blockchain enthusiasts, as experts have identified inconsistencies in CertiK’s account and statements.
Laughing uncontrollably, you’re absolutely incorrect in labeling that behavior as “white-hat security research.”
In no conceivable scenario does Kraken’s situation qualify as such.
Kraken has shown remarkable restraint by not immediately branding this a large-scale theft accompanied by an element of extortion.
— Tay 💖 (@tayvano_) June 19, 2024
According to Meir Dolev, CTO of Cyvers, there were signs of suspicious activity on CertiK’s X account, which is linked to multiple blockchain networks, around the time when the Kraken incident was first reported. This discovery raises doubts about the sequence of events disclosed by CertiK.
After the occurrence of the @krakenfx incident, there have been comparable activities identified on Base approximately 26 days ago. The same suspicious hash has also been detected on Polygon around 14 days ago. Therefore, is it plausible that CertiK discovered the vulnerability as late as June 5th according to their stated timeline?
— Meir Dolev (@Meir_Dv) June 19, 2024
As a crypto investor following the CertiK thread, I came across a concerning update from Coinbase director Conor Grogan. In a follow-up post, he revealed that some addresses linked to CertiK had transferred a portion of their withdrawn cryptocurrencies to Tornado Cash – a mixing service under sanction by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC). Since 2019, it is estimated that this platform facilitated around $7 billion in crypto laundering activities. This disclosure raises questions about the security and compliance measures implemented by CertiK.
Reports claim that addresses linked to CertiK were found to have transferred some of the taken cryptocurrency to ChangeNOW, a decentralized exchange. At present, CertiK has remained silent regarding their interactions with Tornado Cash and ChangeNOW. However, they maintain that all withdrawn tokens have been returned to Kraken.
2024-06-20 11:28