According to Nick Percoco, Kraken's chief security officer, the exchange has managed to return its funds following what it described as an "extortion" attempt. It has lost only a small amount of money to fees.
As reported by U.Today, a security researcher from an undisclosed firm notified the exchange about a critical bug that made it possible to effectively print money out of thin air by receiving funds without completing deposits.
Instead of submitting a bug report, the researcher initially informed two other individuals about the vulnerability, which resulted in Kraken losing $3 million from its treasury.
The researchers refused to return the funds and started demanding a call with the firm's sales representatives. Kraken accused the firm of extortion and contacted law enforcement.
In another twist, well-known blockchain security firm CertiK revealed that it was responsible for discovering the bug. It claimed that Kraken had started demanding a mismatched amount of funds while threatening its employees. CertiK added that the multi-million withdrawals were actually part of its testing. "The real question should be why Kraken’s in-depth defense system failed to detect so many test transactions," the firm said.
In his original X thread, Percoco claimed that Kraken never had an issue with "legitimate" researchers.
CertiK later clarified that it did not actually participate in Kraken's bounty program and was not seeking a reward. Moreover, it insists that the exchange was informed about the vulnerability in a timely fashion. However, the amount of funds that it has returned is different from the original sum that was requested by Kraken.
This is not the first time that CertiK has become a source of controversy. The firm previously attracted criticism and mockery after multiple projects that passed its audits ended up being hacked.