CertiK’s Controversial Audit: Crypto Security Firm Apologizes for Ties to Illicit Marketplace

Crypto security giant CertiK has found itself in hot water after conducting a code audit for Huione Guarantee, a Cambodian marketplace allegedly linked to human trafficking operations. The revelation has sparked outrage in the crypto community, raising serious ethical concerns about due diligence in blockchain security services.

CertiK’s Involvement and Apology

In January, Huione Guarantee launched its own stablecoin, claiming it would circumvent the freezing and transfer restrictions imposed on traditional digital currencies. CertiK was hired to audit the code behind this stablecoin, a move that has now drawn scrutiny after reports surfaced linking Huione to illicit activities.

On February 7, Taylor Monahan, a lead security researcher at MetaMask, exposed CertiK’s connection to Huione Guarantee. “They straight up traffic humans to work in massive compounds where they are forced to scam people,” Monahan stated in an X post. The backlash was immediate, forcing CertiK to issue an apology.

“We sincerely apologize to the community,” a CertiK spokesperson told DL News. “We acknowledge that working with high-risk projects can lead to ethical concerns and wider implications. CertiK does not support or condone any of the activities undertaken by Huione.”

What is Huione Guarantee?

According to investigations by DL News and blockchain analytics firm Elliptic, Huione Guarantee is an online marketplace where criminals allegedly buy and sell tools used in forced labor scams. These include electric batons, GPS-tracking shackles, money laundering services, and stolen personal data. While Huione Guarantee states on its website that commerce related to human trafficking, firearms, and terrorism is prohibited, reports suggest otherwise.

CertiK’s Due Diligence Under Fire

CertiK claims the audit request came from a third-party organization that had undergone standard know-your-customer (KYC) checks. However, the firm later discovered concerning issues and requested additional verification, which the third party declined to provide.

Critics argue that CertiK should have recognized Huione’s involvement from the beginning. The firm’s audit report contained the name “Huione,” suggesting that even a basic review could have raised red flags. To mitigate the fallout, CertiK assigned Huione’s stablecoin the lowest possible security rating on its Skynet platform and flagged it with a warning.

Still, Monahan was unimpressed. “I get this industry has an aversion to state-mandated KYC, but you can’t just let scammers run circles around you for their own benefit,” she said.

Not CertiK’s First Controversy

This is not the first time CertiK has been embroiled in scandal. In June, the firm allegedly siphoned $3 million from crypto exchange Kraken. While CertiK insisted the action was part of a “whitehat” security test, Kraken’s security chief, Nick Percoco, described it as extortion. CertiK later blamed the incident on a rogue employee and apologized.

Damage Control: Donating Fees to Charity

Amid growing backlash, CertiK announced that it would donate the fee earned from Huione’s audit to the SENS Research Foundation, a nonprofit focused on regenerative medicine research.

“[We] will be sure to enforce stricter vetting procedures,” CertiK stated.

BitGalactic’s Take: A Wake-Up Call for Crypto Security Firms

From a BitGalactic perspective, this controversy underscores a fundamental problem in the crypto auditing space—lack of transparency and weak vetting procedures. While CertiK may have been unaware of Huione’s alleged crimes at the time of the audit, the failure to recognize red flags calls into question how rigorous these security firms truly are.

In a decentralized industry where trust is paramount, security auditors must go beyond mere code reviews. Ethical considerations should play a critical role in determining which projects receive endorsements. If crypto is to achieve mainstream credibility, firms like CertiK need to prioritize integrity over profit.

This incident is a stark reminder that in the race for blockchain innovation, security firms must hold themselves to a higher standard—or risk undermining the very trust they claim to protect.
