Kraken Accuses CertiK of 3M Extortion

Blockchain White Hackers  Hack Analysis   Kraken Accuses CertiK of 3M Extortion

Kraken Accuses CertiK of 3M Extortion

TL;DR: Kraken called out CertiK for publishing a security report without permission and using it for marketing. This highlights a real tension in blockchain security: auditors need credibility, but clients need privacy.

Kraken publicly accused CertiK of publishing an audit report the exchange had explicitly requested stay confidential. CertiK had added Kraken to their “Certified” list and used it for marketing without consent.

What Actually Happened

The timeline:

  • Kraken commissioned an audit from CertiK
  • Audit completed with minimal issues
  • Kraken requested confidentiality (common for exchanges)
  • CertiK published the report anyway for marketing/credibility
  • Kraken publicly called them out

The security findings were clean, so this wasn’t about hiding vulnerabilities. It was about contractual obligation and consent.

The Real Issue: How Auditors Build Reputation

Audit firms live and die by credibility. To build reputation, they need to show work. But clients (especially exchanges) need operational security. Publishing your audit means publishing information about your systems.

CertiK’s thinking: “If we publish that Kraken passed our audit, that proves we do good work and clients should hire us.”

Kraken’s thinking: “If we publish our systems details, attackers know exactly where to look for edge cases.”

Both perspectives are valid. Both are protecting their own interests.

The Industry Problem This Reveals

Blockchain auditing is immature. Compare to traditional pentesting:

  • Web2 pentests: Confidential by default. Report goes to the client only. Auditor’s credibility comes from testimonials, not published reports.
  • Blockchain audits: Firms want public reports for marketing. Smart contracts can’t be patched secretly (they’re immutable), so there’s less incentive for confidentiality.

But exchanges aren’t smart contracts — they’re complex systems with private infrastructure. Kraken was right to want confidentiality.

CertiK’s Reputation Problem (The Real Story)

CertiK had been criticized for:

  • Auditing protocols that later got hacked (their stamp didn’t mean much)
  • Having unclear standards for what “Certified” means
  • Being overly generous with their security ratings

So they needed reputation recovery. Showing a Kraken audit helps. But stealing credit without permission is a terrible way to fix that.

What This Actually Means

The incident revealed that crypto security is business-driven, not just security-driven. Auditors compete for visibility. Clients compete for credibility. Sometimes these interests conflict.

For protocols: Always have explicit publication agreements. Specify what CAN be published (e.g., “you can list us as a client, but not the full report”).

For auditors: Publish with permission or don’t publish. Stealing client work destroys trust faster than a failed audit ever could.

For users: A protocol’s “audit certification” is only as good as the auditor’s track record. CertiK’s track record has issues. One good audit doesn’t fix that.

The Bottom Line

This was a contract dispute dressed up as a security story. CertiK needed reputation. Kraken needed privacy. Neither got what they wanted.

The lesson: consent matters. Even in security. Especially in security.

Stay safe out there.

Learn more about blockchain audit best practices at blockchainwhitehackers.com

Disclaimer: This article was researched and written by members of BWH Academy, with AI-assisted research and drafting. While we strive for accuracy, details may slightly differ from exact real-world scenarios. All content is provided for educational and learning purposes only — not as professional security advice.

No Comments
Leave a Comment:
Skip to main content