Skip to main content
TechnologyApr 15, 2026· 4 min read

Kraken Under Extortion After Two Unauthorized Internal Accesses: Funds Safe, Investigation Ongoing

Kraken is at the center of an extortion attempt by a criminal group that threatens to make public videos of the exchange's internal systems if a ransom is not paid. This was announced by Nick Percoco, Chief Security Officer, in a post on X:

"Our systems have never been breached; the funds have never been at risk; we will not pay these criminals; we will never negotiate with those who act in bad faith."

The incident is the result of two separate episodes of improper access to customer support systems by internal employees, either recruited or corrupted by the criminal group. In both cases, access was revoked as soon as it was identified, and potentially exposed users were directly notified. Kraken, operated by Payward Inc. based in Wyoming, is among the largest exchanges in the world, with users in 190 countries and daily volumes in the hundreds of millions of dollars.

Two Incidents, One Campaign

The first episode dates back to February 2025, when Kraken received a report from a trusted source: a video was circulating on a criminal forum showing an individual with access to the internal customer support systems. The internal investigation quickly identified the responsible party as a member of the support team and revoked their permissions. Controls were strengthened and the involved users were notified.

The second incident emerged more recently, with a new report indicating similar material related to a second individual. The same procedure was followed: access revoked, investigation initiated, users informed. It was the revocation of this latest access that triggered the escalation: the criminal group began sending payment demands, threatening to distribute the videos to media and social platforms if Kraken did not comply.

The Extent of the Exposure

Kraken Security Update
We are currently being extorted by a criminal group threatening to release videos of our internal systems with client data shown if we do not comply with their demands. It’s important to start with the most important points: our systems were never
— Nick Percoco (@c7five) April 13, 2026

Percoco clarified that the 2,000 potentially involved accounts represent only 0.02% of the global customer base. The exposed data pertains exclusively to customer support information: no access credentials, no financial data, no access to custody infrastructures or wallets. The core systems of the exchange, meaning trading functions, custody infrastructures, and liquidity, remained intact throughout the duration of the incidents.

The criminal group did not exploit any technical vulnerabilities in Kraken's systems. They worked through the most difficult vector to defend: people. The weak point, as often happens, was with employees who had legitimate access to support tools that, by their nature, require visibility over user accounts.

An Industrial Pattern, Not an Isolated Case

The Kraken incident fits into a series of insider attacks that have affected the entire crypto sector in recent years. In May 2025, Coinbase disclosed a nearly mirrored case: criminals had corrupted customer support contractors based in India to extract user data from the internal systems those employees had authorized access to. The stolen material included names, phone numbers, partially masked identity documents, social security numbers, and account balances, a set of information sufficient to build convincing impersonation attacks. The Coinbase case impacted about 70,000 customers, with estimated damages of around 400 million dollars in settlements and legal fees. In that case as well, the exchange had refused to pay the demanded 20 million dollars ransom.

Kraken itself had already intercepted, in 2025, an infiltration attempt by North Korean operatives who attempted to access the organization through fake job applications. The campaign was discovered during the selection process. According to Percoco, the phenomenon of malicious insider recruitment actively concerns the crypto sector, the gaming industry, and telecommunications in a coordinated manner, with campaigns systematically targeting employees in roles with access to sensitive data.

Customer support roles in an exchange inherently require visibility over accounts to resolve any reported issues. That same visibility becomes a target for anyone looking to extract data without compromising the technical infrastructure. Limiting privileges reduces exposure but does not eliminate it: someone must always be able to open a ticket and see what happens on an account.

Federal Investigation and Internal Response

Kraken stated that it has gathered sufficient evidence to pursue legal action against all individuals involved in the extortion attempt, and is working closely with federal law enforcement in multiple jurisdictions. The exchange is also collaborating with industry partners to combat insider recruitment campaigns affecting multiple organizations in parallel.

On the internal operational front, Kraken has reviewed its access control processes, strengthened monitoring systems, and further reduced the privileges assigned to support roles to limit the exposure surface. The public stance remains firm: no payment, no negotiation, and an active investigation.