On-Chain Tracing Of $3M Exploited And Returned In Kraken White Hat Attack

A dispute broke out between CertiK, a well-known blockchain security firm, and Kraken, the major cryptocurrency exchange, following a $3 million “white hat” attack by the former on the latter. After a prolonged public argument about bug bounty ethics on the social media site X, Kraken’s Chief Security Officer confirmed the full return of the exploited funds.

“We can now confirm the funds have been returned (minus a small amount lost to fees).” -Nick Percoco, Chief Security Officer at Kraken, posted on X.

Established in 2011, Kraken is a household name among cryptocurrency service providers, with a diverse range of coin offerings and a reputation for user security. Kraken has run a bug bounty program for 10 years or more. Bug bounty programs are intended to incentivize ethical hackers to find and report vulnerabilities before malicious actors can exploit them.

CertiK, founded in 2018, is a blockchain security firm that audits smart contracts and protocols with the stated purpose of protecting Web3. It uses technology to identify vulnerabilities and build trust in major blockchain projects.

The Incident Breakdown

On June 5, 2024, CertiK identified critical vulnerabilities in Kraken’s deposit system. According to CertiK, these vulnerabilities could allow malicious actors to create small deposit transactions and use them to drain vast amounts of crypto.

CertiK informed Kraken of the vulnerabilities and conducted what they characterize as “tests” to assess the scope of the problem. These tests, according to CertiK, involved depositing crypto into Kraken accounts and subsequently withdrawing a sum of $3 million over several transactions and days without any alert to Kraken’s team.

Kraken’s team was unhappy with the initiative. They portrayed CertiK’s actions as a blatant exploitation of the vulnerability, labeling it the theft of $3 million from Kraken’s corporate wallets. Kraken further accused CertiK of extortion, alleging that CertiK demanded a much larger sum than the standard bug bounty payout in exchange for returning the exploited funds.

CertiK later denied extortion and claimed its actions were white-hat security tests. The firm returned the funds it held and stated that it had tested the limits of Kraken’s security with large transfers, contacted Kraken promptly, never asked for a bounty, and supplied enough information for Kraken to identify all of the transactions.

Tracing $3M Exploited Funds on the Blockchain with QLUE

The graph below from QLUE, our leading blockchain analytics tool, presents a comprehensive flow of the exploited funds, illustrating movements through various entities, including exchanges, intermediary addresses, and Tornado Cash, an infamous OFAC-sanctioned mixing service.

QLUE Graph: The flow of exploited funds from Kraken hot wallets into CertiK-controlled addresses until their return to Kraken-controlled addresses.

Initially, we observed 7,202 MATIC ($5,135.4) originate from an OKX exchange address and arrive at an address belonging to CertiK. Over the course of several days, funds from Kraken’s hot wallet moved into that address and two others, all controlled by CertiK.

Oddly, one of the three addresses made three deposits to Tornado Cash on or about June 6, 2024.

QLUE Graph: Transactions by an address involved in the Kraken-CertiK “white hat” operation, with three transactions annotated as Tornado Cash deposits.

This stage marks a turning point: once funds enter Tornado Cash, mixing makes them much harder to track.

On June 8, 2024, one of the remaining two addresses transferred approximately 154,001 MATIC ($100,001.95) to a deposit address at the cryptocurrency exchange ChangeNOW; those funds were later transferred to the Ethereum blockchain as 26.42 ETH.

QLUE Graph: Major funds flowing out of Kraken hot wallets into addresses attributed to CertiK.

The three Ethereum addresses labeled ‘CertiK withdrawal address’ received major amounts of exploited funds from Kraken hot wallets in the form of USDT and ETH, in addition to the 26.42 ETH transferred from the Polygon blockchain.

The controller of the withdrawal addresses converted approximately 907,400 USDT ($907,400) of the exploited funds to ETH.

QLUE Graph: CertiK-controlled addresses swap USDT drained from Kraken hot wallets to ETH.

Later, on June 8 and 9, 2024, the three withdrawal addresses sent 44.98 ETH and 2 ETH to the ChangeNOW exchange. The rest, 389.2 ETH, 345 ETH, and 29,001 USDT, was returned to an address owned by Kraken, 0xa172342297f6e6d6e7fe5df752cbde0aa655e61c, on June 19, 2024.

QLUE Graph: ETH sent to an address controlled by Kraken.
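The graphs above are the product of a forward trace: start at the victim’s hot wallets, follow every outgoing transfer hop by hop, stop where funds hit a service that commingles them (an exchange deposit address or a mixer), and then total what reached each kind of endpoint. The following is an added example of that approach written for this page; it is not QLUE’s code or any tooling from Blockchain Intelligence Group, and every address, label, transaction id and amount in it is a constructed placeholder loosely modelled on the flow described, not real chain data.

```python
from collections import defaultdict, deque

# Constructed sample ledger for illustration only; NOT real chain transactions.
# Each entry: (tx_id, sender, receiver, asset, amount)
TRANSFERS = [
    ("tx01", "0xOKX_DEPOSIT", "0xCERTIK_A", "MATIC", 7202.0),    # funding from an exchange, not victim funds
    ("tx02", "0xKRAKEN_HOT", "0xCERTIK_A", "USDT", 500000.0),
    ("tx03", "0xKRAKEN_HOT", "0xCERTIK_B", "ETH", 400.0),
    ("tx04", "0xKRAKEN_HOT", "0xCERTIK_C", "ETH", 300.0),
    ("tx05", "0xCERTIK_A", "0xTORNADO_POOL", "ETH", 10.0),       # deposit to a sanctioned mixer
    ("tx06", "0xCERTIK_A", "0xCHANGENOW_DEP", "MATIC", 154001.0),
    ("tx07", "0xCERTIK_B", "0xKRAKEN_RETURN", "ETH", 389.2),
    ("tx08", "0xCERTIK_C", "0xKRAKEN_RETURN", "ETH", 345.0),
    ("tx09", "0xCERTIK_C", "0xCHANGENOW_DEP", "ETH", 2.0),
]

# Entity labels an analyst attaches (constructed): address -> (name, category).
# Terminal categories stop the walk because the on-chain link ends there.
LABELS = {
    "0xKRAKEN_HOT": ("Kraken hot wallet", "victim"),
    "0xKRAKEN_RETURN": ("Kraken return address", "victim"),
    "0xTORNADO_POOL": ("Tornado Cash", "sanctioned_mixer"),
    "0xCHANGENOW_DEP": ("ChangeNOW deposit", "exchange"),
    "0xOKX_DEPOSIT": ("OKX withdrawal", "exchange"),
}
TERMINAL = {"victim", "sanctioned_mixer", "exchange"}


def category(addr):
    return LABELS.get(addr, ("unlabelled", "unlabelled"))[1]


def build_outflows(transfers):
    """Adjacency list: sender -> list of (tx_id, receiver, asset, amount)."""
    out = defaultdict(list)
    for tx_id, src, dst, asset, amount in transfers:
        out[src].append((tx_id, dst, asset, amount))
    return out


def trace_forward(transfers, sources, max_hops=6):
    """Breadth-first 'poisoned address' trace from the victim wallets.

    Returns {address: hop_count}. Any address that receives from a tainted
    address becomes tainted. The walk does not continue past terminal
    entities (other than the sources themselves), since funds are
    commingled there and deterministic tracing ends.
    """
    out = build_outflows(transfers)
    hops = {s: 0 for s in sources}
    queue = deque(sources)
    while queue:
        addr = queue.popleft()
        if hops[addr] >= max_hops:
            continue
        if addr not in sources and category(addr) in TERMINAL:
            continue
        for _, dst, _, _ in out[addr]:
            if dst not in hops:
                hops[dst] = hops[addr] + 1
                queue.append(dst)
    return hops


def summarize_endpoints(transfers, hops, sources):
    """Total tainted flows that land on a labelled terminal entity.

    Returns {(category, asset): amount}. Transfers between two
    intermediary addresses are not counted, which avoids double-counting
    the same funds as they move through hops.
    """
    totals = defaultdict(float)
    for _, src, dst, asset, amount in transfers:
        src_is_intermediary = src in sources or category(src) not in TERMINAL
        if src in hops and src_is_intermediary and category(dst) in TERMINAL:
            totals[(category(dst), asset)] += amount
    return dict(totals)


def mixer_alerts(transfers, hops):
    """Flag every tainted flow into a sanctioned mixer: the point where the
    trace loses determinism and the case needs other evidence."""
    return [
        (tx_id, src, hops[src], asset, amount)
        for tx_id, src, dst, asset, amount in transfers
        if src in hops and category(dst) == "sanctioned_mixer"
    ]


if __name__ == "__main__":
    sources = {"0xKRAKEN_HOT"}
    hops = trace_forward(TRANSFERS, sources)
    for addr, h in sorted(hops.items(), key=lambda kv: kv[1]):
        print(f"hop {h}: {addr} ({LABELS.get(addr, ('unlabelled',))[0]})")
    for (cat, asset), amt in sorted(summarize_endpoints(TRANSFERS, hops, sources).items()):
        print(f"{cat:>16} {asset:>5} {amt:,.2f}")
    for alert in mixer_alerts(TRANSFERS, hops):
        print("ALERT mixer deposit:", alert)
```

Two design points carry over to real investigations: the OKX funding transfer never becomes tainted because the walk only moves forward from the victim, and the trace deliberately stops at exchange deposit addresses, where the next step is a records request to the exchange rather than more graph walking.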

The impact of this incident extends beyond the immediate players: it blurs the line between ethical hacking and exploitation. That has the potential to undermine confidence between businesses and security researchers, which could discourage future cooperation and weaken the industry’s overall security posture.

Written By: Omar Marzouk
Writer, Content marketing at Blockchain Intelligence Group
