Published in News

Kraken accuses security researchers of extortion

21 June 2024

Release the Kraken

One of the largest cryptocurrency exchanges, Kraken, has accused a group of security researchers of exploiting a critical bug to steal millions in digital cash.

It claims that the researchers then used the stolen funds to extort the exchange.

The bug allowed some users to artificially inflate their Kraken account balance without completing a full deposit.

Kraken's chief security officer, Nicholas Percoco, revealed that the bug resulted from a recent user experience (UX) change that credited client accounts before assets fully cleared, creating a false sense of real-time cryptocurrency trades.

Instead of merely reporting the bug, the researcher who discovered it shared it with his mates. They exploited the vulnerability to withdraw nearly $3 million from Kraken's platform. The stolen funds were from Kraken's treasury, not client assets.
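The crediting flaw described above can be shown in a toy exchange ledger. This is an added illustration, not Kraken's code or anything from the article: the ledger can be configured to credit the spendable balance as soon as a deposit is seen (the flawed behaviour) or to hold it in a separate pending figure until the deposit clears (the fix). User names, deposit ids, amounts and the deposit lifecycle are all assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    cleared: int = 0   # settled, withdrawable balance
    pending: int = 0   # announced but unsettled: shown to the user, never spendable
    open_deposits: dict = field(default_factory=dict)   # deposit_id -> amount


class Ledger:
    """Toy exchange-side ledger; credit_on_pending=True models the flawed UX change."""
    def __init__(self, credit_on_pending: bool):
        self.credit_on_pending = credit_on_pending
        self.accounts: dict[str, Account] = {}

    def account(self, user: str) -> Account:
        return self.accounts.setdefault(user, Account())

    def announce_deposit(self, user: str, deposit_id: str, amount: int) -> None:
        """First sight of an incoming deposit, before it is final."""
        acct = self.account(user)
        acct.open_deposits[deposit_id] = amount
        if self.credit_on_pending:
            acct.cleared += amount   # bug: spendable before the asset has cleared
        else:
            acct.pending += amount   # visible to the user, but withdraw() ignores it

    def settle_deposit(self, user: str, deposit_id: str) -> None:
        """Deposit is final: move its value from pending to cleared."""
        acct = self.account(user)
        amount = acct.open_deposits.pop(deposit_id)
        if not self.credit_on_pending:
            acct.pending -= amount
            acct.cleared += amount

    def abandon_deposit(self, user: str, deposit_id: str) -> None:
        """Deposit never clears (failed, cancelled or reorged away)."""
        acct = self.account(user)
        amount = acct.open_deposits.pop(deposit_id)
        if self.credit_on_pending:
            acct.cleared -= amount   # may go negative: the exchange treasury is short
        else:
            acct.pending -= amount

    def withdraw(self, user: str, amount: int) -> bool:
        acct = self.account(user)
        if amount <= 0 or amount > acct.cleared:   # only settled funds may leave
            return False
        acct.cleared -= amount
        return True
```

A negative `cleared` balance after `abandon_deposit` is the exchange's own money gone, which is why the loss in the story fell on the treasury rather than on client accounts.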

The situation escalated when the researchers refused to provide a full account of their actions, demonstrate a proof of concept, or return the withdrawn funds. They demanded a call from Kraken's business development team and insisted on knowing what the bug would have been worth had it not been disclosed. Percoco labelled this behaviour as extortion.

Kraken said it treats this as a criminal case and reported the matter to the coppers. The exchange expressed gratitude for the reported issue but remained firm in pursuing justice.

However, the researchers, represented by US-based blockchain security firm CertiK, accused Kraken of misconduct. CertiK claims that Kraken's security team threatened its employees and unreasonably demanded repayment of a mismatched amount of crypto.

CertiK claimed that it had offered to return the funds and never tried to withhold them. However, the crypto community on X isn't going easy on the company. Several respondents have claimed that wallets associated with CertiK have been caught using US-sanctioned cryptocurrency mixers like TornadoCash and the crypto-swapping platform ChangeNOW. Others highlighted what they claim were inconsistencies between CertiK's public disclosures and records on the blockchain.

Additionally, CertiK said it owed Kraken tens of thousands of dollars less than what Kraken said was stolen.


Last modified on 21 June 2024