CertiK Claims Rogue Employee Behind Tornado Cash Transactions During $3M Kraken Exploit

On Aug 28, 2024 at 1:02 pm UTC

Crypto security firm CertiK blames employee for Tornado Cash use during $3 million Kraken hack, raising transparency and ethical concerns.

CertiK, a crypto-security firm, has attributed several Tornado Cash transactions connected to its recent exploit of Kraken to an unauthorized employee.

The blockchain security firm admitted in June that it withdrew $3 million from crypto exchange Kraken. The incident drew criticism from security experts and researchers, who questioned why a wallet linked to CertiK had sent money through the banned DeFi protocol Tornado Cash.

Tornado Cash Transactions: Unintentional or Compliance Breach?

An official from CertiK has further clarified what happened. The spokesperson stated that the use of Tornado Cash was not done on purpose and had nothing to do with Kraken. The spokesperson also revealed that a member of the team had sent some of his own money to Tornado Cash and then withdrawn the funds to different addresses that he owned. They said:

“These transactions were not executed maliciously, and they were not related to the funds withdrawn from Kraken.”

Tornado Cash is a tool that helps users hide the details of blockchain transactions, which makes it popular with people who launder money. In 2022, the U.S. Office of Foreign Assets Control (OFAC) sanctioned the protocol. Anyone caught violating the sanctions would face penalties that could amount to several millions of dollars, and CertiK, as a U.S. company, is likely subject to these sanctions.

CertiK’s Response: Apologies and Policy Updates

In response to the backlash, CertiK released a statement on August 16 acknowledging the situation. The company said that it regrets its action and is taking the necessary precautions to reduce the risk of similar misunderstandings occurring again.

The company has also taken disciplinary action against the team members involved to prevent this from happening again. It has updated its policies and training to ensure compliance with all relevant laws, including OFAC sanctions. However, the public statement was not well received by some, who criticized it as barely an apology.

A spokesperson for the firm has offered further apologies to customers and the community at large. The official told DL News:

“We are deeply sorry for the inconvenience and confusion caused to our customers and community by the Kraken incident.”

Nick Percoco, Kraken’s chief security officer, on June 19 labeled CertiK’s action as extortion, not whitehat hacking, as the security firm claimed. The Kraken exploit itself has also raised questions, as industry standards typically dictate that security researchers should report bugs to exchanges immediately after finding them rather than continuing to test the vulnerability’s limits.

CertiK has maintained that the incident was a “whitehat” operation designed to test Kraken’s security but has not fully addressed why such a large amount of funds was withdrawn.

The crypto security firm, which claims to serve over 4,700 projects, has faced its own challenges. Last year, it underwent a round of layoffs affecting around 15% of its workforce, attributed to a change in market dynamics.
