Crypto exchange Kraken has revealed it was targeted in two separate insider-related security incidents, resulting in unauthorized access to support systems and a subsequent extortion attempt involving client data. Following the incidents, the company said it took immediate actions to limit further exposure, revoke access from those involved, and notify users who may have been affected.
Insider access leads to breach of support tools
Kraken is a leading cryptocurrency exchange based in the United States, offering digital asset trading and custodial services to users worldwide. Founded in 2011, it has grown into one of the largest and most trusted platforms in the industry, with a focus on security and regulatory compliance. The platform provides services to both retail and institutional investors and maintains a significant global user base.
The first incident, traced back to February 2025, began with a tip regarding a video shared on a criminal forum. Kraken launched an internal probe, which identified a support staff member as having accessed restricted internal tools. The company swiftly revoked the employee’s permissions and introduced additional security controls to prevent similar occurrences.
A second episode was detected later, following another warning about material related to a different staff member. In this case, Kraken also isolated the individual involved, ended access, and further tightened internal procedures. Impacted users were informed after each incident.
According to Kraken, around 2,000 user accounts—approximately 0.02% of the platform’s total base—were potentially exposed across both events. The company emphasized that only limited customer support data was accessed, with no evidence of entry to critical financial infrastructure or user funds.
Extortion demands and industry-wide risks
Following Kraken’s mitigation efforts, a criminal group contacted the company with demands, claiming to possess videos displaying internal systems with user data. The attackers threatened to release the material unless their requests were met. Noting the seriousness of the attempt, Kraken made public statements affirming it would not engage with the threat actors.
“Our systems were never breached; funds were never at risk; we will not pay these criminals,” explained Chief Security Officer Nick Percoco, asserting that negotiation was not an option for the company.
Kraken reported that law enforcement agencies in multiple countries have become involved and that enough evidence has been gathered to support further investigation and pursuit of the perpetrators. The company has also pointed to a broader trend, as such attacks increasingly target support positions inside crypto, gaming, and telecom firms.
Security professionals continue to warn about insider threats, noting that support roles often require some level of account visibility that may be exploited if not strictly controlled. In response, Kraken stated it has stepped up its reviews of internal protocols, improved monitoring solutions, and reduced access privileges as part of its ongoing efforts to safeguard user data.
Amid these developments, the cryptocurrency sector remains under pressure from both internal vulnerabilities and external attacks, highlighting the ongoing challenge of protecting digital assets in a rapidly evolving market.
Elsewhere, Galaxy Digital, an investment management firm founded by Mike Novogratz, disclosed a cybersecurity incident involving an isolated development environment but clarified that client assets and data remained secure.
Kraken said it will continue collaborating with authorities and industry peers while monitoring for further insider risks, framing the recent events as isolated but part of a wider security challenge across the technology landscape.




