Web3 Lawyer: Encryption security company CertiK and Kraken tearing each other apart, can white hats also turn black?


The infighting in the crypto industry is truly exciting. Just now, the showdown between the crypto security unicorn CertiK and the major US exchange Kraken has had me, a bystander, watching closely.

Here’s the situation: CertiK discovered a serious vulnerability during its security testing that made it possible to artificially inflate account balances on the Kraken platform, and it says it hoped to trigger Kraken’s alert threshold through testing. Kraken, however, responded that CertiK’s actions went beyond the scope of ordinary security research and accused CertiK of exploiting the vulnerability for profit, which it characterised as extortion.


According to CertiK, its tests revealed multiple security vulnerabilities in Kraken’s systems that, if left unfixed, could have resulted in billions of dollars in losses. CertiK emphasises that its actions were aimed at strengthening network security and protecting the interests of all users, and it has publicly disclosed the complete timeline of the tests and the related deposit address to demonstrate its transparency and integrity.


Kraken and its CSO Nick Percoco have emphasised through social media and public statements that their bug bounty program has clear rules and that all researchers who discover vulnerabilities must adhere to them. Kraken also stated that CertiK’s actions constituted a direct threat to its platform security and that it has reported the incident to law enforcement.

This confrontation involves not only technical and security issues but also touches on the boundaries of law and ethics, especially the limits and responsibilities of white hat hacker activity. It provides a rich background and basis for Lawyer Manquan to further discuss the legal boundaries of white hat hacking.

Are the actions of white hat hackers legal?

On-chain white hat hackers help enterprises and organisations build a more secure network environment by discovering and patching vulnerabilities, thereby enhancing the reliability and credibility of the network and making a positive contribution to the security and stability of the entire chain.

Does receiving compensation affect how white hat hackers are evaluated? As an effective incentive mechanism, rewards attract more talent into the field of network security, thereby improving the overall security of the industry. For companies and organisations, it is also a cost-effective way to get vulnerabilities fixed, and it helps build the image of a company that takes cybersecurity seriously. It is therefore generally accepted in the industry that white hat hackers charge reasonable fees.

This time, is CertiK a white hat hacker?

In the dispute between CertiK and Kraken, one of the key questions is where the boundaries of CertiK’s conduct lie. CertiK’s behaviour, especially the motive for, and legality of, transferring 3 million dollars to an external wallet, has become the focus of the debate.

Opaque Behavior

CertiK is a security company that works with Kraken, and since it knew that Kraken has long run a bug bounty program for security vulnerabilities, it could easily have ensured it was fully authorised before starting testing. At the same time, according to the community and Kraken, when CertiK reported the vulnerability it did not mention the specific amount transferred, and it only disclosed its “full test address” after Kraken demanded a “refund of $3M”, in order to show that it had not transferred the amount Kraken alleged.

The transfer of funds is a fact

According to Kraken and the on-chain detective @0xBoboShanti, CertiK security researchers had already been probing and testing as early as May 27th, which contradicts CertiK’s own timeline. Moreover, in the subsequent vulnerability testing, although CertiK claimed the operation was meant to test whether Kraken’s alarm system would be triggered in time, in practice the testing did not stop at discovering the vulnerabilities: CertiK also transferred the funds to an independent wallet address. This behaviour goes beyond the scope of routine security testing. It has also been disclosed that CertiK has previously performed the same operation on multiple exchanges and has used Tornado Cash to move assets and ChangeNOW to sell them off.

Both of the above points likely exceed the boundaries of white hat hacker behaviour.

Legal Definition Becomes Key

Legally speaking, the actions of white hat hackers are usually considered legal, but on the premise that these actions comply with certain norms and conditions.

In the United States, the law most closely related to white hat hacker activity is the Computer Fraud and Abuse Act (CFAA). Under the CFAA, any access to a protected computer without authorisation, or beyond the authorised scope, may constitute a crime. White hat hackers therefore usually need to act within explicitly authorised boundaries; otherwise, even when the purpose is security testing, they may violate the CFAA. In addition, as the technology has matured, some jurisdictions have gradually developed more specific regulations to guide and protect the actions of white hat hackers.

In China, the Cybersecurity Law sets out the overall requirements for strengthening cybersecurity protection and the governance of cyberspace. This means that any network intrusion may be regarded as illegal, even when its purpose is security testing. The law also emphasises the protection of personal data and privacy: any operation in network testing that involves personal data must ensure the security and privacy of that data are not violated. After discovering security vulnerabilities, there is a duty to promptly report them to the cybersecurity regulator and the affected network operators; this reporting mechanism is intended to get vulnerabilities patched quickly and prevent their abuse.

That said, in the Web3.0 industry some white hat hackers’ testing does involve transferring funds. It is usually done either with the project’s consent (for example under a relevant grant) or by moving the crypto funds to a specific independent wallet for safekeeping (with no further action), after which the vulnerability is reported and a reward is received from the project team. This, too, is an industry convention.

In CertiK’s case, however, the actual transfer of funds, and especially the subsequent operations, raise complex legal issues. On the one hand, whether CertiK transferred the funds for personal gain is in question; on the other hand, CertiK did not comply with Kraken’s explicit requirements for white hat hackers and instead demonstrated the same vulnerability again by transferring funds; additionally, its subsequent handling of the transferred funds may be considered illegal profit. Furthermore, CertiK’s conduct after the fact, including its communication and coordination with Kraken, will also affect the legal assessment of its behaviour.

Conclusion and Reflection

Since the controversy between Kraken and CertiK is purely a matter of U.S. law, Manquan Law Firm will not comment from a U.S. legal perspective. Assuming, however, that it had happened under Chinese law, CertiK’s actions would probably not escape charges of extortion and illegal intrusion into computer systems.

Indeed, white hat hackers can also ‘turn black’ in certain situations. Even if their initial intention is to enhance system security, if they conduct tests without proper authorisation or exploit discovered vulnerabilities for personal gain, their actions have deviated from the legal and ethical standards expected of white hat hackers. As the CertiK and Kraken incident demonstrates, unauthorised fund transfers, especially those involving substantial sums, can be considered black hat behaviour even when done for testing purposes.
