CertiK blames Tornado cash transactions on an employee for exploiting crypto exchange Kraken. The security firm apologized after the outcry that followed the June incident.
Crypto security firm CertiK said in June that a rogue employee was responsible for several Tornado Cash transactions linked to the exploit of crypto exchange Kraken.
The June 19 The incident, which saw the company withdraw nearly $3 million from the exchange, sparked an outcry at the time from crypto security researchers who questioned why a wallet connected to CertiK sent the funds through the sanctioned DeFi protocol.
“These transactions were not maliciously executed and were not related to funds withdrawn from Kraken,” a CertiK spokesperson said. NewsOne of the company's employees confirms that Tornado Cash has been used.
The delegation member, without permission, sent a small amount of his own funds to Tornado Cash and immediately withdrew the funds to several new addresses of his own.
Tornado Cash allows users to break the chain of traceability between blockchain transactions.
CertiK describes this incident as “whitehat” It is unclear why the operation, which was designed to test the security of Kraken, appeared to violate industry standards when investigating and testing a business built on security code for crypto.
'deeply sorry'
CertiK has received new comments since its first publication Official announcement On the August 16 incident, it said steps had been taken to “reduce the risk of such misunderstandings reoccurring”.
Other cybersecurity experts are skeptical.
Join the community to get our latest articles and updates
“That blog is not just an apology,” Hudson Jameson, a member of the Security Alliance Said CertiK's announcement on Telegram — a messaging app.
CertiK has since taken a more apologetic tone.
“We deeply regret the inconvenience and confusion caused by the Kraken incident to our customers and the community,” a company spokesperson said. News.
The August 16 announcement did not mention why assets were sent from a wallet connected to the firm to Tornado Cash.
And CertiK did not respond to a request asking why a team member was sending small amounts through Tornado Cash in the first place.
Although Tornado Cash has legitimate uses, it has been scrutinized by regulators due to its popularity with the Lazarus Group, a North Korean cybercrime syndicate prominent among money launderers.
In 2022, the whirlwind is cash Approved Through the Office of Foreign Assets Control — or OFAC. According to OFAC WebsiteFines for violating the sanctions can exceed several million dollars.
As CertiK is a US-registered company, it strictly adheres to such restrictions.
And Tornado isn't the only unanswered question from the cash transactions debacle.
Another question is why CertiK withdrew such a large amount – nearly $3 million – from Kraken after discovering the bug.
“Our team did this to test the limit of Kraken's defenses and risk controls,” CertiK said. “To our knowledge, no alerts have been triggered and no restrictions have been triggered.”
Industry standards dictate that once a bug is confirmed, the finder should report it at the earliest opportunity — not continue using it to test theoretical limits.
What went wrong?
CertiK, a crypto security firm that boasts of servicing more than 4,700 projects, said it has taken disciplinary action against team members involved in the Kraken exploit while implementing policy and training changes.
This includes ensuring internal compliance with all policies and applicable laws, including OFAC sanctions, the company said.
Last year, CertiK cut 15% of its workforce amid industry-wide layoffs.
CertiK characterized the job cuts as a “strategic workforce adjustment in response to evolving market dynamics.” The company declined to say whether the cuts have affected the quality of its internal processes.
There is Tim Craig News' Edinburgh-based DeFi correspondent. Reach out with tips at [email protected].
Related topics
