Blockchain security firm CertiK has gone public, identifying itself as the “security researcher” that cryptocurrency exchange Kraken claimed stole $3 million worth of digital assets.

In a June 19 X post, CertiK said it had informed Kraken of an exploit that allowed it to remove millions of dollars from the exchange’s accounts. Kraken Chief Security Officer Nicholas Percoco claimed that an unnamed security team — not revealed to be CertiK at the time — had committed “extortion” by refusing to return any funds until the exchange agreed to provide “a speculated $ amount that this bug could have caused if they had not disclosed it.”

“After initial successful conversions on identifying and fixing the vulnerability, Kraken’s security operation team has THREATENED individual CertiK employees to repay a MISMATCHED amount of crypto in an UNREASONABLE time even WITHOUT providing repayment addresses,” said CertiK. “In the spirit of transparency and our commitment to the Web3 community, we are going public to protect all users’ security. We urge [Kraken] to cease any threats against whitehat hackers.”

The security firm posted a timeline of events, starting with identifying the exploit on June 5 and ending with claims Kraken threatened a CertiK employee on June 18. In a statement to Cointelegraph, CertiK said it planned to transfer the funds “to an account that Kraken will be able to access.” 

Related: Crypto phishing attacks reached ‘alarming levels’ — CertiK co-founder

Initial reactions from many crypto users seemed to support Kraken, claiming that CertiK’s actions were not akin to white hat hackers. It’s unclear if Kraken has grounds for pursuing legal action.

Source: Lefteris Karapetsas

CertiK reported in April that there had been roughly $1 billion in digital assets lost to illicit activity in 2023. The firm has previously identified vulnerabilities in the Wormhole bridge on Aptos and the Telegram app.

Magazine: Crypto audits and bug bounties are broken: Here’s how to fix them