Kraken Reclaims $3 Million from CertiK After Bug Bounty Clash

In a dramatic turn of events, Kraken has successfully reclaimed nearly $3 million in stolen digital assets, marking the end of a contentious bug bounty dispute with CertiK. The saga, which began on June 9, reached its climax with Kraken’s Chief Security Officer, Nicholas Percoco, confirming the recovery in a June 20 X post.

“Update: We can now confirm the funds have been returned (minus a small amount lost to fees),” Percoco stated.

The controversy erupted on June 19 when Percoco revealed that a “security researcher” had maliciously withdrawn $3 million after discovering a bug. Kraken accused the researcher of extortion, claiming they demanded a reward and a meeting with Kraken’s business development team in exchange for returning the funds.

CertiK, the blockchain security firm at the center of the controversy, identified itself as the accused “security researcher.” In a June 19 X post, CertiK explained it had informed Kraken of a critical exploit that allowed the removal of millions of dollars. CertiK alleged that Kraken threatened its employees, demanding repayment of an unreasonable amount within a short time while not providing any repayment addresses.

CertiK provided a detailed timeline, starting with the identification of the exploit on June 5 and culminating with Kraken’s alleged threats on June 18. CertiK insisted the funds were intended to be transferred to an accessible Kraken account.

Percoco initially suggested that a minimal transfer of $4 could have demonstrated the bug and earned a bounty from Kraken’s program. However, CertiK’s actions escalated, minting nearly $3 million into their Kraken accounts.

CertiK defended its actions, stating the substantial amount was necessary to thoroughly test Kraken’s protection and risk controls. “We wanted to test the limit of Kraken’s protection and risk controls,” CertiK explained, adding that multiple tests across several days failed to trigger any alerts.

In the aftermath, CertiK clarified that they had not initially requested a bounty, contrary to Kraken’s claims. “We never mentioned any bounty request. It was Kraken who first mentioned their bounty to us,” CertiK stated, emphasizing their priority was ensuring the issue was fixed. They also noted that no Kraken user funds were at risk, as the exploited funds were “minted out of air.”