Some white hat hacker behavior is ‘weird,’ Ledger CTO says

After the Kraken-CertiK incident earlier this week, Ledger’s Charles Guillemet weighed in on white hat hackers

article-image

Maor_Winetrob/Shutterstock modified by Blockworks

share

The back and forth between CertiK and Kraken this week left more questions than answers. 

So to get some potential answers — and to pick his brain — Blockworks chatted with Ledger Chief Technology Officer Charles Guillemet.

Outside of the use of Tornado Cash by the US-based CertiK, he also highlighted the withdrawal of XMR — a privacy coin on Monero, in case you’ve skipped some of Empire’s previous segments — as suspicious because, well, it’s a privacy coin.

Add ChangeNow, a self-styled non-custodial exchange, into the mix. In Guillemet’s experience, ChangeNow is generally one of the top picks for attackers who are trying to hide crypto. It’s often used by bad actors because it doesn’t require proper KYC checks before facilitating swaps from one token to another.

It was also weird that there were video calls between CertiK and Kraken. And don’t even get him started on the millions withdrawn (he maintains you can exploit as little as $5 to prove the bug and then report it for a bounty). 

Read more: Empire Newsletter: DJT and Kraken bring the drama

However, the five-day time period in which the researchers were testing the exploit isn’t that strange. 

“So the five day period is not suspicious, per se. But what is suspicious is what they did during the meantime,” he told Blockworks.

The silver lining in this is the speed in which Kraken assessed the issue (47 minutes, according to Kraken’s Chief Security Officer Nick Percoco) and investigated the issue.

Kraken had everything in place in order to verify what happened on their platform and to find out that the vulnerability was actually exploited several times, by three accounts and not only by one,” he added. 

Guillemet was in the security world before swapping over to crypto in 2017. 

With that experience, he said that the “behavior that we see in blockchain and crypto when it comes to white hat [hacking] is really weird from my standpoint.”

Read more from our opinion section: We need to talk about the dangers of custody on exchanges

“Sometimes you have a white hat, supposedly, who finds a vulnerability on some smart contract. It completely drains the smart contract and then gives back like 90%, choosing its reward [of] 10%. This kind of behavior, for me, is extortion. It seems to be okay. It seems to be white hat behavior,” Guillemet continued.“But I completely disagree with this. When you do security research, you don’t choose your reward.”

“In crypto, it’s not always the case, and it’s a bit disturbing for me, and it’s also disturbing for other security guys in the field.”

CertiK said it wasn’t trying to exploit or “extort” funds from the exchange, unlike claims made by Percoco. On Thursday, Kraken confirmed it received the funds back sans a bit lost to fees.

The simplest way to improve the space is obviously investing in security, but the more difficult path forward is for security teams to stay humble, Guillemet said. 

“Attackers will get better and better and we as an ecosystem must be humble and always raise the bar for security because this is a cat-and-mouse game and the stakes are getting higher.”

A shorter version of this article appeared in Friday’s Empire Newsletter. Sign up here to never miss an issue.


Get the news in your inbox. Explore Blockworks newsletters:

Tags

Decoding crypto and the markets. Daily, with Byron Gilliam.

Upcoming Events

Old Billingsgate

Mon - Wed, October 13 - 15, 2025

Blockworks’ Digital Asset Summit (DAS) will feature conversations between the builders, allocators, and legislators who will shape the trajectory of the digital asset ecosystem in the US and abroad.

recent research

Unlocked by Template (10).png

Research

Innovations on Aptos’ technical design through Raptr, Shardines, and Zaptos approach near-optimal latency and throughput by unlocking 100% utilization of network resources, with the capacity to settle 260k transactions per second with latencies less than 800ms. The original Move language was revamped with the launch of Move 2, supporting more expressivity in smart contract logic and a scalable ability to interact with high volume datasets. The ecosystem has benefitted from strong asset inflows, now hosting over $1.3B in stablecoins, $450M in bridged BTC, and $530M in RWAs. Activity in the Aptos ecosystem has grown notably over the past year, with monthly application revenue reaching ~$835k and monthly DEX volumes growing to over $5B, both at new all time highs.

article-image

The fund group has submitted proposals in recent months for other funds that would hold litecoin, solana, XRP, HBAR, Sui and others

article-image

Momentum’s back — BTC leads, risk assets follow

article-image

Ondo Finance’s acquisition of blockchain development company Strangelove follows its buy of Oasis Pro

article-image

Cryptocurrency and stock traders alike had a lot to unpack Wednesday

article-image

The government says Storm was a money-hungry aid to criminals; the defense says it’s not his fault that people used his code for illicit activities.

article-image

EigenLayer, Lido and Taiko are buying verifiable compute