Kraken extorted after insider breach exposes 2,000 accounts. Exchange refuses to pay.

Continue reading
Kraken Chief Security and Information Officer Nick Percoco disclosed that the cryptocurrency exchange is currently being extorted by a criminal group threatening to release videos of internal systems containing client data.
The incident stems from two separate insider breaches involving customer support employees who improperly accessed limited client data—one in February 2025 and another more recently in early 2026. Across both incidents, approximately 2,000 client accounts were potentially viewed, representing just 0.02% of Kraken’s total user base of millions of customers across 190 countries. Kraken maintains that its systems were never breached, that no customer funds were at risk, and that the company will not pay or negotiate with the extortionists.
The first incident occurred in February 2025, when Kraken received a tip from a trusted source about a video circulating on a criminal forum that demonstrated unauthorized access to its client support systems. An internal investigation identified a support employee who had been recruited by a threat actor. The employee’s access was immediately revoked, additional security controls were implemented, and affected clients were notified.
The second incident took place in early 2026, following a similar pattern. Kraken received another tip accompanied by a video showing insider access to its systems by a different support team member. The company again responded swiftly—identifying the individual, terminating their access, and notifying affected users.
Shortly after access was cut in the second incident, the criminal group began making extortion demands, threatening to release the recorded material to media outlets and social media platforms if Kraken did not comply. The attackers are reportedly threatening to share videos showing internal systems with client data displayed.
According to Percoco, the incident affects approximately 2,000 accounts, representing 0.02% of Kraken’s total client base. The exposed information is reportedly limited to client support data, with no evidence that private keys, trading infrastructure, or customer funds were accessed. The potentially exposed personal data may include names and addresses, according to subsequent reporting.
Kraken has notified all potentially affected users directly and has advised them to remain cautious about potential outreach attempts. The company has also strengthened its monitoring and access control systems in response to both incidents.
Kraken’s response has been firm and unequivocal. _“Our systems were never breached; funds were never at risk; we will not pay these criminals; we will not ever negotiate with bad actors,”_ Percoco stated publicly on X.
The company is actively cooperating with federal law enforcement across multiple jurisdictions to pursue all individuals involved. Percoco has stated that Kraken’s investigation has gathered sufficient evidence to support the identification and arrest of those responsible. Due to the active investigation, additional details about the criminal group’s identity and the specific demands have not been disclosed.
This is not the first time Kraken has dealt with extortion. In June 2024, an entity claiming to be a security researcher exploited a zero-day vulnerability to withdraw approximately $3 million from the exchange’s treasury, then demanded payment rather than returning the funds. Kraken treated that case as a criminal matter and cooperated with law enforcement. More recently, in March 2026, a Kraken user reportedly lost approximately 7,784 ETH and 26.5 BTC—worth roughly $18.2 million—to a sophisticated social engineering scheme, underscoring the spectrum of threats facing both platforms and customers.
Insider threats and malicious recruitment are increasingly impacting multiple industries, and the cryptocurrency sector has proven particularly vulnerable. Percoco noted that the investigation has uncovered broader insider recruitment efforts targeting not only crypto firms but also gaming and telecommunications companies.
In a parallel incident, Coinbase suffered a data breach in mid-2025 after hackers bribed customer support agents at an India-based outsourcing agency to disclose private client information. That incident impacted approximately 70,000 customers, with Coinbase estimating total financial damages at $400 million. The attackers reportedly demanded a $20 million ransom tied to the stolen data.
Blockchain intelligence firm Nominis reports that more than $178 million was lost through significant crypto-related attacks during March 2026, representing a substantial increase from $49.3 million recorded in February. According to blockchain security company Hacken, Web3 projects lost $464.5 million to hacks and scams across 43 incidents in the first quarter of 2026, with phishing and social engineering accounting for the majority of losses. In January 2026 alone, cryptocurrency stolen through exploits and scams surged to $370.3 million, the highest monthly total in 11 months, according to data from blockchain security firm CertiK.
The pattern documented across both Kraken incidents—an insider recruited or coerced into recording access sessions, followed by an extortion demand—reflects a structural signal about the maturation of insider-threat operations targeting crypto exchanges. According to Kraken’s description, the attack reflects a rising pattern of “internal infiltration + social engineering,” in which outsiders work to compromise or recruit people inside service organizations to gain read‑only access, reconnaissance footage, or limited customer data rather than directly attacking hardened wallet systems.
Kraken is a U.S.-based cryptocurrency exchange operated by Payward Inc., founded in 2011 and serving retail and institutional clients globally. The platform offers spot and derivatives trading, as well as custody and staking services, and provides access to cryptocurrencies including Bitcoin, Ethereum, and more than 200 others. It is considered one of the largest and most established exchanges, with a daily trading volume of hundreds of millions of U.S. dollars. Notably, in March 2026, Kraken became the first crypto company to be granted a Federal Reserve Bank master account, signifying growing institutional acceptance of digital asset companies in the U.S..
The extortion attempt against Kraken highlights a critical vulnerability in cryptocurrency exchange security: the human factor. While technical systems remain robust and customer funds secure, the recruitment of insiders with legitimate access to support systems represents an evolving threat vector that traditional security architectures were not historically designed to defeat at the access-control layer.
As Ari Redbord of TRM Labs noted, as technical defenses improve, attackers may be focusing more on the “human layer,” particularly roles designed to be accessible. Kraken’s refusal to negotiate, combined with active law enforcement cooperation, sends a clear signal that the exchange will not reward criminal behavior—even as the broader industry continues to grapple with the growing challenge of insider threats.cc

148 malicious npm packages masquerading as student proxy and school Wi-Fi bypass tools. Rather than compromising developers during installation