CertiK Under Scrutiny: The Firm That Grades Crypto Security
CertiK turned formal verification into a $2 billion crypto security brand and now tracks billions in yearly losses. Its Kraken and Huione stumbles show what an audit badge really proves.
When a crypto project wants to tell buyers that its code has been checked, it usually points to one name: CertiK. The New York based security firm has audited thousands of smart contracts, publishes some of the most widely quoted loss figures in the industry, and attaches a live security score to tokens that retail buyers scan before they click buy. Yet halfway through 2026, CertiK is in the headlines for its own missteps almost as often as for the exploits it documents.
From a Yale kernel to a $2 billion auditor
CertiK did not start in crypto. It grew out of academic work on formal verification, the practice of using mathematical proofs to show that software behaves exactly as intended. Co-founders Ronghui Gu, a computer science professor at Columbia University, and Zhong Shao, a professor at Yale, had helped build CertiKOS, described as the first formally verified operating system kernel, completed around 2016. The name nods to that heritage: CertiK is shorthand for certified, and the promise from the start was that code could be proven correct rather than only tested. They launched CertiK in 2018 to bring the same rigor to blockchain code.
The pitch drew serious money. By April 2022 CertiK had reached a $2 billion valuation after an $88 million round co-led by Insight Partners, Tiger Global, and Advent International, part of a run of raises that also pulled in Sequoia, Coatue, Goldman Sachs, Binance, and Coinbase Ventures, as the company announced at the time. Today CertiK sells smart contract audits, real time monitoring, and a public reputation system that has become a fixture of the token market.
How CertiK grades code
A CertiK audit is not a single automated scan. The firm combines manual review by human engineers, automated static analysis, and formal verification for the most sensitive functions. Findings are ranked by severity, usually running from critical and major down through medium, minor, and informational, and the client is expected to fix or acknowledge each one before a report is published.
Formal verification is the piece CertiK leans on hardest in its marketing, and it is genuinely powerful. Instead of testing a contract against a list of known attack patterns, it tries to prove that certain bad states can never occur. The catch is that a proof is only as good as the properties it checks and the assumptions it starts from. Verify the wrong property, or miss an interaction between two contracts, and the math still passes while the money still leaves.
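To make that last point concrete, here is an added toy illustration (not CertiK's code or method, and not a real verifier): a two-user ledger is checked exhaustively over every trace of up to two steps. The conservation property a hypothetical audit chose to prove holds on every trace, while the ownership property it never stated is violated by the very first offending step the checker tries, because `withdraw` never compares `caller` with `account`. Account names and amounts are constructed.

```python
"""Toy ledger checked exhaustively against two properties (added example for this
article, not CertiK's code or a real verifier): P1 holds on every trace, P2 fails."""
import copy
from itertools import product

USERS = ("alice", "bob")  # constructed accounts, 100 units each
AMOUNTS = (0, 50, 150)    # constructed amounts; 150 exceeds any balance

class Ledger:
    def __init__(self):
        self.balances = {u: 100 for u in USERS}
        self.total = sum(self.balances.values())

    def transfer(self, caller, to, amount):
        if self.balances[caller] >= amount:
            self.balances[caller] -= amount
            self.balances[to] += amount

    def withdraw(self, caller, account, amount):
        # Defect the toy audit misses: `caller` is never compared with
        # `account`, so anyone can pull funds out of anyone's balance.
        if self.balances[account] >= amount:
            self.balances[account] -= amount
            self.total -= amount

def actions():  # every single step, as (method, caller, other, amount)
    for caller, other, amount in product(USERS, USERS, AMOUNTS):
        yield ("transfer", caller, other, amount)
        yield ("withdraw", caller, other, amount)

def conservation(before, after, step):  # P1: recorded total equals sum of balances
    return sum(after.balances.values()) == after.total

def owner_only_decrease(before, after, step):  # P2: only the caller's balance may drop
    return all(after.balances[u] >= before.balances[u]
               for u in USERS if u != step[1])

def check(prop, depth=2):
    """Return the first trace (up to `depth` steps) that violates `prop`, else None."""
    steps = list(actions())
    for length in range(1, depth + 1):
        for trace in product(steps, repeat=length):
            ledger = Ledger()
            for i, step in enumerate(trace):
                nxt = copy.deepcopy(ledger)
                getattr(nxt, step[0])(*step[1:])
                if not prop(ledger, nxt, step):
                    return list(trace[:i + 1])
                ledger = nxt
    return None
```

`check(conservation)` returns `None` (the proven property really does hold everywhere), while `check(owner_only_decrease)` returns the one-step trace in which alice withdraws from bob's balance.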
Around the audits sits a consumer facing layer. CertiK Skynet tracks projects in real time and produces a security score, and the CertiK Security Leaderboard ranks tokens and exchanges on those scores. For many retail buyers, that number is the only security signal they ever check, which is exactly why the way CertiK earns and defends it matters so much.
That business model carries a built in tension. The project being reviewed is also the paying client, a dynamic common to the whole audit industry but sharper in crypto, where a favorable report can move a token price. CertiK has always insisted its findings are independent, yet critics note that an auditor has every commercial reason to keep its customers happy.
What the Hack3d reports reveal about 2025
CertiK’s most public product is arguably its research. The quarterly and annual Hack3d reports are cited by nearly every major crypto outlet, and the 2025 edition made for grim reading. CertiK counted about $3.35 billion stolen across 630 on chain security incidents, roughly a 37% jump from the $2.45 billion it recorded in 2024, according to the firm’s 2025 annual report.
The detail that unsettled builders was not the total but the concentration. The average loss per incident climbed to about $5.3 million, up more than 66% year over year, which CertiK read as a sign that attackers are hunting fewer but far larger targets, as it set out in its year end release. Phishing remained the most common attack type, tied to 248 incidents and roughly $723 million in losses, while private key compromises drove the largest share of stolen value.
| Year | Losses tracked by CertiK (USD) | Largest single incident |
|---|---|---|
| 2022 | about $3.7 billion | Ronin Bridge, about $625 million |
| 2023 | about $1.84 billion | Mixin Network, about $200 million |
| 2024 | about $2.45 billion | DMM Bitcoin, about $305 million |
| 2025 | about $3.35 billion | Bybit, about $1.4 billion |
The reports also chart where the pain lands. Centralized services and wallet infrastructure, not just DeFi protocols, absorbed the heaviest losses in 2025, a shift from the bridge and lending exploits that defined earlier years. Access control failures, where an attacker gets hold of the keys or permissions that move funds, keep producing the biggest single payouts, which is why CertiK and its peers now spend as much time on operational security as on contract logic.
Bybit, the hack that broke the charts
One event dominates the 2025 numbers. On 21 February 2025, the exchange Bybit lost around $1.4 billion to $1.5 billion in a single breach, the largest crypto theft on record. The U.S. Federal Bureau of Investigation attributed it to North Korea’s Lazarus Group, also tracked as TraderTraitor and APT38, in a public advisory.
What made Bybit sobering for auditors is that the smart contracts were not the weak point. Attackers compromised a developer machine tied to the multisig platform Safe, then used social engineering to push through a transfer that looked legitimate during a routine move from a cold wallet to a hot wallet. CertiK’s own first quarter report logged more than $1.6 billion stolen in the opening three months of 2025, most of it from this one incident, as the quarterly breakdown shows. Investigators estimated that at least $160 million was laundered within the first 48 hours. The message to the rest of the industry was blunt: an exchange can pass every contract audit and still lose everything to a compromised laptop.
The Kraken standoff
CertiK’s credibility questions are not only about the projects it audits. In June 2024 the firm ended up in an open fight with the exchange Kraken. On 9 June, Kraken received a bug report describing a flaw that let users inflate their account balances before a deposit had fully settled. Rather than simply demonstrate the bug, the researchers, later revealed to be from CertiK, withdrew close to $3 million and declined to return it until Kraken supplied an estimate of the potential damage, according to CoinDesk’s account.
Kraken called it extortion. CertiK said Kraken’s security team had threatened its employees and demanded repayment on unreasonable terms. The dispute grew stranger when on chain researchers noticed that a CertiK linked address had routed funds through Tornado Cash, the mixing service under U.S. sanctions, before the money was eventually returned, a detail that DL News flagged. Security professionals were split, and many argued that moving real customer funds and holding on to them went well beyond responsible white hat testing, a reading echoed in other coverage at the time.
The Huione audit and the limits of a checkmark
The most damaging recent episode had nothing to do with a hack at all. In December 2025, CertiK audited the code behind USDH, a stablecoin issued by Huione Guarantee, a Cambodian marketplace that researchers and law enforcement have tied to human trafficking, forced labor scam compounds, and large scale money laundering. Blockchain analytics firm Elliptic has estimated that more than $24 billion flowed through the wider Huione ecosystem before sanctions and platform bans caught up with it.
The audit surfaced twelve issues, three of them critical, and handed the project a document it could wave as a badge of legitimacy. It was flagged publicly in February 2026 by MetaMask lead researcher Taylor Monahan, and the backlash was immediate. CertiK apologized, said it had been engaged through a third party that obscured the client, donated its fee to charity, and promised tighter know your customer checks, as DL News reported. Co-founder Ronghui Gu conceded that deeper due diligence and extra alerts would have helped.
What a CertiK audit does not tell you
The Huione mess points to a gap that every crypto buyer should understand. A code audit answers a narrow question: does this software do what it claims without obvious flaws? It does not certify that the team is honest, that the business is legal, or that the token is a sound investment. CertiK evaluates code security and functionality; it does not vet the people behind a project or their intentions.
A few limits are worth keeping in mind:
- An audit is a snapshot. Contracts can be upgraded or swapped after the review, so a report describes code as it was on a given date.
- A badge is not an endorsement. A smart contract audit is not the same as registration with the U.S. Securities and Exchange Commission, which has repeatedly warned that many crypto tokens can be unregistered securities.
- Most losses start off chain. Private key theft, phishing, and social engineering, the biggest sources of stolen funds in 2025, sit outside the scope of a contract audit entirely.
A public listing built on trust
All of this arrives as CertiK weighs its next act. Co-founder Ronghui Gu used the World Economic Forum in Davos in January 2026 to float the idea of taking the company public, which would make it the first listed Web3 security firm, though he later stressed there was no fixed timeline, as The Block reported. The firm says it has raised more than $240 million and is pushing into enterprise work, including formal verification for banks.
For a company whose product is essentially trust, the timing is delicate. CertiK has framed the Huione affair as a wake up call rather than an ending, and has moved to tighten client vetting and add post audit monitoring, as CoinDesk detailed. Gu has also pointed to where the danger is heading, naming private key mismanagement, deepfake impersonation, and oracle manipulation as risks that now eclipse classic smart contract bugs.
The takeaway for readers is simple enough. A CertiK score or a CertiK badge is a useful data point, not a verdict. It tells you that someone looked at the code, nothing more, and in a market that lost $3.35 billion last year, the gap between those two ideas is measured in real money.
By the HOGE Wire editorial desk.