Crypto security companies CertiK and Kraken are at loggerheads. Will white hats also become black hats?

All articles · Published 8 months ago by wyatt
Are white hat hacking activities legal?

Written by: Jin Jianzhi, senior lawyer at Shanghai Mankiw Law Offices

The quarrels in the crypto industry are really exciting. The head-on clash between security unicorn CertiK and the American exchange giant Kraken has turned me into a bystander watching the drama unfold.

The story goes something like this: during a security test, CertiK discovered a serious vulnerability that made it possible to artificially increase the balance of a trading account on the Kraken platform, and it hoped to trigger Kraken's alarm threshold through its testing. Kraken, however, said that CertiK's behavior went beyond the scope of normal security research and was suspected of exploiting the vulnerability for profit, and it accused CertiK of extortion.


According to CertiK, its testing revealed multiple security vulnerabilities that could lead to hundreds of millions of dollars in losses if left unfixed. CertiK emphasized that its actions were intended to strengthen network security and protect the interests of all users, and it disclosed the complete testing timeline and the related deposit addresses to prove its transparency and integrity.


Kraken and its CSO Nick Percoco emphasized through social media and public statements that their bug bounty program has clear rules and requires all researchers who discover vulnerabilities to abide by them. Kraken also stated that CertiK's actions have posed a direct threat to the security of its platform and that it has reported the incident to law enforcement agencies.

This confrontation not only involves technical and security issues, but also touches on the boundaries of law and ethics, especially the boundaries and responsibilities of white hat hacker activities. This provides a rich background and discussion basis for Attorney Mankiw to further explore the legal standards of white hat hackers.

01 Are the actions of white hat hackers legal?

Looked at strictly in terms of the acts themselves, the behavior of white hat hackers closely resembles illegal intrusion into computer systems. In most cases, however, white hat hackers are not legally assessed as criminals, because their purpose and conduct set them apart in substance from those who commit such crimes.

On-chain white hat hackers help enterprises and organizations build a more secure network environment by discovering and patching vulnerabilities, thereby enhancing the reliability and credibility of the network and making a positive contribution to the security and stability of the entire chain.

Will the act of collecting remuneration affect the evaluation of white hat hackers? Remuneration, as an effective incentive mechanism, can attract more talents to invest in the field of network security, thereby improving the security of the entire industry. For enterprises and organizations, it is also a cost-effective way to fix vulnerabilities. At the same time, it can also establish the image of enterprises that attach importance to network security. Therefore, it is generally a convention in the industry for white hat hackers to charge reasonable fees.

02 Is CertiK a white hat hacker this time?

In the dispute between CertiK and Kraken, one of the core issues is the boundary of CertiK's behavior. The motive and legality of the $3 million wallet transfer became the focus of the debate.

The behavior was not transparent

CertiK is a security company that Kraken works with, and since it knew that Kraken has a bug bounty program, it could have made sure it was fully authorized before starting the test. The community and Kraken disclosed that when CertiK reported the vulnerability, it did not mention the specific transfer amount. Only after Kraken demanded a "refund of $3M" did CertiK disclose "all test addresses" in order to prove that it had not transferred the amount Kraken accused it of taking.

The transfer of funds is an established fact

According to Kraken and on-chain detective @0xBoboShanti, CertiK security researchers were already probing and testing as early as May 27, which contradicts CertiK's timeline of events. In the subsequent vulnerability tests, although CertiK claimed the operation was meant to test whether Kraken's alarm system would be triggered in time, the test did not stop at discovering vulnerabilities: CertiK also transferred the funds to an independent wallet. This behavior goes beyond the scope of conventional security testing. It has also been disclosed that CertiK previously performed the same operation at another exchange, and that Tornado Cash was used to transfer the assets and ChangeNOW was used to sell them.

The above two situations have most likely exceeded the behavioral boundaries of white hat hackers.

03 Legal definition is key

From a legal perspective, the actions of white hat hackers are generally considered legal, but only if they meet certain norms and conditions.

In the United States, the law most closely related to white hat hacking is the Computer Fraud and Abuse Act (CFAA). Under the CFAA, any unauthorized access to a protected computer, or access that exceeds the scope of authorization, may constitute a crime. For white hat hackers, this means their actions usually need to be carried out within the scope of explicit authorization; otherwise, even if the purpose is security testing, they may violate the CFAA. In addition, as technology has developed, some jurisdictions have gradually formed more specific regulations to guide and protect the conduct of white hat hackers.

In China, the Cybersecurity Law sets out the overall requirements for enhancing cybersecurity protection and strengthening cyberspace governance. This means that network intrusions, even for the purpose of security testing, may be considered illegal. At the same time, the Cybersecurity Law emphasizes the protection of personal data and privacy: any operation involving personal data during network testing must ensure that the data remains secure and that privacy is not violated. When security vulnerabilities are discovered, there is a duty to report them promptly to the cybersecurity authorities and the affected network operators. This reporting mechanism is designed to get vulnerabilities patched in time and prevent them from being abused.

In the Web3.0 industry, however, some white hat tests do involve the transfer of funds, but usually with the tacit consent of the project (for example, where the project offers a relevant grant), or the crypto funds are transferred to a specific independent wallet for safekeeping (with no further steps taken), the vulnerability is reported, and compensation is obtained from the project party. This is a common practice in the industry.

In CertiK's case, however, the actual transfer of funds, and especially the subsequent operations, raise complex legal issues. First, there is the question of whether CertiK transferred the funds for its own benefit. Second, CertiK did not comply with Kraken's explicit requirements for white hat hackers, but instead proved the same vulnerability again by transferring funds. Third, its subsequent handling of the transferred funds may be regarded as illegal profit. In addition, CertiK's conduct after the fact, including its communication and coordination with Kraken, will also affect the legal evaluation of its actions.

04 Conclusion and Reflection

Since the dispute between Kraken and CertiK is entirely a matter of US law, it is not easy for Attorney Mankiw to express a view on it under US law. If it had happened under Chinese law, however, CertiK's actions would probably not escape charges of extortion and illegal intrusion into computer systems.

Indeed, white hat hackers can also "go black" in certain circumstances. Even if the original intention is to enhance the security of a system, conducting tests without proper authorization or exploiting discovered vulnerabilities for private gain deviates from the legal and ethical standards of white hat hacking. As the CertiK and Kraken incident shows, unauthorized fund transfers, especially when large sums are involved, can be considered black hat behavior even when done for testing purposes.
