Crypto Twitter’s blockchain sleuths are zeroing in on CertiK’s researchers, who apparently sent funds to a blacklisted crypto mixer after boosting them from Kraken in what it claims was a white-hat hack.
The crypto exchange’s CSO, Nick Percoco, declared Wednesday that Kraken was treating $3 million in crypto lost as a “criminal case.” A group that had exploited a bug, since patched, was able to “effectively print assets in their Kraken account,” he wrote.
The fracas formed after CertiK claimed responsibility for the exploit, arguing that it had saved Kraken from hefty losses. The company defended itself, citing time and communication as factors that delayed the funds’ return, which it said was imminent.
Kraken’s CSO had slammed the situation as “extortion” because CertiK, purportedly, did not agree to the immediate return of funds. He also claimed that CertiK failed to divulge the scope of assets taken, detailing just $4 lost in a submitted bug bounty.
While notable blockchain sleuths initially raised legal concerns for CertiK—siphoning $3 million from Kraken’s treasury to prove the exploit—sanction concerns have since emerged. Engaging with the U.S.-banned crypto mixer Tornado Cash could create a “huge burden” for the firm, Cinneamhain Ventures Partner Adam Cochran wrote in a tweet.
The link between CertiK’s Kraken hack and Tornado Cash was first pointed out by pseudonymous on-chain sleuth Spreek, who called attention to transactions on Twitter (aka X). The researcher told Decrypt in a written message that around 1,100 MATIC (worth $600, as of this writing) had been sent to Tornado Cash from a single CertiK address.
just testing some tornado cash deposits after testing the kraken withdrawal feature
needed to make sure it still works pic.twitter.com/PL4zi7GzSW
— Spreek (@spreekaway) June 19, 2024
The U.S. government blacklisted Tornado Cash in August 2022, banning American citizens from transacting with the Ethereum coin-mixing tool. Several Ethereum wallet addresses were added to the Specially Designated Nationals List, maintained by the Office of Foreign Assets Control (OFAC), a division of the U.S. Treasury Department.
The government cited Tornado Cash’s frequent use by North Korea’s hacking group Lazarus as justification for the move. A report published last year by the threat intelligence platform Recorded Future estimated Lazarus had stolen $3 billion in cryptocurrency since 2017.
Per CertiK’s website, the crypto security firm established in 2018 is headquartered in New York City, with several locations scattered throughout the West Coast. Additionally, CertiK has locations based in Europe, Africa and Asia.
The OFAC did not immediately respond to a request for comment from Decrypt.
Launched in 2019, Tornado Cash is a protocol that lets users mask the origin and destination of their transactions by pooling together large amounts of cryptocurrency.
Though CertiK’s researchers sent funds to Tornado Cash on Polygon, an Ethereum scaling network, it appears that the deposit address used to engage with the protocol is still listed on OFAC’s website, just under the wrong label, according to Spreek.
CertiK declined a request for comment from Decrypt, citing internal legal procedures that had to be completed before the company could discuss the matter.
An expert in blockchain security, who requested anonymity while speaking about a competitor, told Decrypt that researchers should always do as little as possible to prove that a project can be exploited, which wasn’t the case when it came to CertiK and its apparent multi-million-dollar haul.
“There is no legitimate reason to take that amount as part of a bug bounty,” he said in a written statement. “Imagine a scenario where people break into a bank vault, steal $3 million dollars in cash, engage the black market, and start washing the money.”
Update: We can now confirm the funds have been returned (minus a small amount lost to fees).
— Nick Percoco (@c7five) June 20, 2024
The amount of funds sent to Tornado Cash appear to be de minimis, he wrote, however, suggesting they could be seen as too minor for consideration within the context of law.
In an update, Kraken’s Percoco wrote Thursday that the funds it had lost were successfully returned—aside from those that were lost due to transaction fees.
Edited by Andrew Hayward