Kraken Announces 'Whitehat' Hacking Fund Return By CertiK Worth IDR 49 Billion

JAKARTA - Kraken confirmed that the US$3 million (approximately Rp49 billion) taken by security researchers from CertiK has been returned. However, CertiK's action, which it described as a 'whitehat' operation to strengthen Kraken's security, drew controversy in the crypto community.

Kraken announced that the funds taken by CertiK had been returned, although a small portion was lost to transaction fees. As quoted by CryptoPotato, Nick Percoco, Chief Security Officer of Kraken, disclosed this in a tweet last Thursday.

"Update: We can now confirm that the funds have been returned (minus a small fraction lost due to costs)," Percoco wrote on Twitter.

Although Kraken was initially reluctant to reveal the identity of the perpetrators, blockchain security firm CertiK acknowledged that it was the party behind the hack. Percoco explained that Kraken had recently fixed a bug that allowed technically sophisticated individuals to artificially inflate their balances on the platform, a flaw that could have been used to steal large amounts of money since January.

CertiK's researchers reported the vulnerability to Kraken in June, but not before withdrawing US$3 million from Kraken's treasury as a demonstration. Within a few hours the problem was fully fixed and could not recur, Percoco explained, adding that client assets were not at risk.

CertiK described its actions as a whitehat operation intended to help strengthen Kraken's security. However, the way it carried out this action was accepted neither by Kraken nor by the wider crypto community. CertiK failed to follow the standard procedures of Kraken's whitehat reward program: it did not immediately return all the stolen funds, and it took far more money than was necessary to demonstrate the vulnerability.

When asked to return the funds, CertiK explicitly refused until Kraken provided an estimate of how much money would have been at risk had the company not identified the vulnerability.

On the other hand, CertiK said that they "consistently convinced Kraken that we would return the funds."

CertiK countered on Twitter that Kraken's security operations team had threatened individual CertiK employees, demanding repayment of a mismatched amount of crypto within an unreasonable time frame, without even providing a payment address.

CertiK confirmed on Thursday that all funds had been returned, although in amounts of crypto that differed from what Kraken had requested. CertiK also defended the scale of its attack as a necessary measure to test Kraken's alerting and risk-control limits, which it said had failed to function even as millions were lost.

"We never mentioned a gift request," added CertiK. "In fact, Kraken was the first to mention the prize to us, while we responded that the prize was not a priority topic and we wanted to make sure the matter was fixed."