Kraken chief security officer Nick Percoco has confirmed that the crypto exchange has recovered the funds recently stolen from its account after a bug vulnerability.
On June 20, Percoco posted on X that the exchange had managed to recover these funds. Although the Kraken CSO did not mention from where, earlier revelations had identified the security research firm involved in the fiasco as Certik.
Kraken accused the security research firm of being behind the accounts that stole funds from the exchange’s treasury after discovering a bug.
What happened?
Certik posted a statement on X on June 19 identifying its staff as individuals that contacted Kraken about a critical bug discovered in the exchange’s accounts system.
Specifically, Certik said the vulnerability would have allowed exploiters to mint millions in digital assets from Kraken.
Interestingly, the research firm’s employees had proceeded to withdraw $3 million from Kraken, exploiting this same vulnerability. They then demanded that the exchange honors the bug bounty.
According to Kraken and Certik’s post, the said employees did not return the funds when asked.
“After initial successful conversions on identifying and fixing the vulnerability, Kraken’s security operation team has threatened individual CertiK employees to repay a mismatched amount of crypto in an unreasonable time even without providing repayment addresses,” the platform noted.
Kraken called this extortion rather than honest actions of a white hat hackers.
Certik offered to return funds
Later, Certik posted on X that it would move the said funds to a wallet that Kraken could access.
Its statement said:
“Since Kraken has not provided repayment addresses and the requested amount was mismatched, we are transferring the funds based on our records to an account that Kraken will be able to access.”
On Thursday, the Kraken confirmed it had recovered the funds, with a small amount lost to fees. In an earlier report, Kraken told customers that no user funds were lost during the bug fiasco.