News - Kraken: Hackers seize $3 million
The crypto exchange Kraken has fallen victim to a hack. The attack took place on June 5. According to Chief Security Officer Nick Percoco, the perpetrators were able to steal cryptocurrency worth a total of three million US dollars (USD). The hackers allegedly took advantage of a security flaw that allowed them to artificially inflate an account balance. The cryptocurrency security company CertiK is behind the hack.
According to Percoco, the hackers had reported the vulnerability to Kraken. From Kraken's point of view, however, they did not meet all the ethical standards that so-called white-hat hackers should follow. White-hat hackers only look for vulnerabilities or exploits when they have legal permission to do so. Initially, the hackers allegedly obtained only four U.S. dollars. However, they then allegedly exploited the vulnerability again and stole another three million USD in cryptocurrency.
Accordingly, Chief Security Officer Nick Percoco speaks of "criminal activity." He writes on Platform X, "We are treating this as a criminal matter and coordinating with law enforcement agencies accordingly."
We’ll not disclose this research company because they don’t deserve recognition for their actions. We are treating this as a criminal case and are coordinating with law enforcement agencies accordingly. We’re thankful this issue was reported, but that’s where that thought ends.
— Nick Percoco (@c7five) June 19, 2024
CertiK has a different take. In a statement on Twitter, the company writes that it was "threatened" and that the crypto addresses for repaying the stolen funds were never provided.
CertiK recently identified a series of critical vulnerabilities in @krakenfx exchange which could potentially lead to hundreds of millions of dollars in losses.
Starting from a finding in @krakenfx's deposit system where it may fail to differentiate between different internal… pic.twitter.com/JZkMXj2ZCD
— CertiK (@CertiK) June 19, 2024
According to Kraken, at no time were customers' assets compromised. The hackers were able to steal the corresponding assets from the exchange's wallets.
The reputational damage to both companies is immense. The security vulnerability reflects poorly on Kraken's IT infrastructure. CertiK, on the other hand, failed to meet all ethical standards for white-hat hacking, according to current information. It is not clear why it was necessary to withdraw another three million USD in cryptocurrency after the vulnerability had already been exploited.