Contrary to initial reports by various media outlets, the security incident uncovered at Kraken in 2025 was not an external hack with a zero-day vulnerability, but an insider incident. A member of the support team recorded videos of internal systems and shared them on a criminal forum. In the spring of 2026, a second, similar incident occurred involving a different employee, along with an extortion attempt which Kraken publicly rejected. Approximately 2,000 accounts were affected, 0.02 percent of the global user base. Kraken CSO Nick Percoco clarified: No systems were compromised, and no customer funds were at risk. The incident is part of a broader industry trend: a growing wave of insider recruitment campaigns that are also affecting Coinbase, telecom providers, and gaming companies.
Key facts of the incidents
- First incident: February 2025
- Second incident: Spring 2026, similar situation with another employee
- Subsequent extortion attempt: April 2026, publicly rejected by Kraken
- Affected accounts: approximately 2,000 (0.02 % of the global user base)
- Type of data viewed: exclusively customer support records
- Not affected: Wallets, private keys, 2FA codes, customer funds
- Statement from CSO Nick Percoco: "Our systems were never breached; funds were never at risk; we will not pay these criminals."
- Operator: Payward Inc. (parent company of Kraken)
What actually happened — not a classic hack
The incident followed a pattern that the security community has seen increase significantly over the past two years: insider threat instead of external exploit.
February 2025. Kraken received a tip about a video circulating on a criminal forum showing an individual navigating internal customer support systems. An internal investigation identified a member of the support team as the source. Access was immediately revoked, additional access controls were implemented, and affected customers were notified. Kraken cooperated with law enforcement agencies in several jurisdictions.
Spring 2026. A second, similar report. Again a support employee, a new video, the same reaction: identification, account suspension, notification of the affected accounts. Then the extortion began—a criminal group demanded payment, threatening to distribute the video footage from both incidents to media outlets and on social networks. Kraken refused and announced legal action.
Important for context: There was no zero-day exploit, no third-party vulnerability, and no external intruder who had gained system access. The employees had legitimate access, and they abused it.
What the attackers really saw — and what they didn't
The term "data leak" is often used generically in reporting. In Kraken's case, the scope of the data breach was clearly defined:
The following could be viewed:
- Customer support tickets and related communication
- Master data to the extent that it is visible for support processes (name, email, country if applicable)
- Possibly information about account status or verification level
Not viewed or compromised:
- Wallet addresses and private keys
- 2FA codes or authenticator seeds
- Passwords or password hashes
- Direct access to trading accounts
- Ability to initiate trades or withdrawals
Compared to actual exchange hacks of recent years (Mt. Gox 2014, Coincheck 2018, FTX 2022, Bybit February 2025 with a loss of 1.5 billion USD), the Kraken incident is in a different category: no loss of client funds, no interference with the trading infrastructure.
The bigger picture — insider recruitment as an industry trend
The Kraken case is not an isolated incident, but part of a professional, organized wave. Key characteristics:
- Dark web recruitment of employees at large crypto exchanges, gaming platforms and telecommunications providers
- Payment typically between 3,000 and 15,000 USD per employee, depending on the access level
- Recruiters' marketing promise: "No malware needed, complete anonymity"
- Goal: not direct theft, but data for phishing attacks on identified customers with high account balances
The most prominent comparable case is Coinbase in May 2025. Attackers bribed employees of an Indian customer support provider, gaining access to the data of approximately 70,000 accounts. Coinbase estimated the total damage at around 400 million USD, primarily due to subsequent waves of phishing attacks in which the leaked account information was used to simulate credibility. Coinbase also rejected a 20 million USD ransom demand and instead offered a reward of the same amount for information leading to the perpetrators' arrest.
Compared to Coinbase, the Kraken incident is orders of magnitude lower in terms of damage and number of affected accounts — due to both the different insider reach and the early detection by Kraken.
Kraken in a European context: First MiCAR-licensed global provider
For German and European users, a second development is at least as relevant as the security incident itself: Kraken became the first major global crypto exchange to receive a full MiCAR license on June 25, 2025, issued by the Central Bank of Ireland.
What this means in practice:
- Kraken can offer its services directly and in a regulated manner in all 30 EEA countries.
- Supervision by the Central Bank of Ireland, in coordination with national authorities (in Germany BaFin)
- EU-wide consumer protection standards, transparency obligations, robust supervisory mechanisms
- The license covers all seven crypto activities regulated under MiCAR — custody, trading, portfolio management, payments, etc.
You can read more about the European regulatory framework and current ESMA observations in our article on MiCA Regulation and Malta's licensing practice.
This regulatory framework is relevant for assessing the insider incident: A MiCAR-licensed exchange is subject not only to internal security standards, but also to reporting obligations to the supervisory authority in the event of security incidents, under DORA for operational resilience and under the GDPR for data leaks. Kraken has officially handled the incident in both areas.
Significance for users in Germany
From today's perspective, the concrete impact on Kraken customers in Germany is manageable. The most important points are:
- Anyone who is not among the 2,000 affected accounts is practically unaffected by the insider incidents.
- Anyone who is affected was informed directly by Kraken. The main risk is an increased likelihood of targeted phishing attempts using real customer data.
- Phishing follow-up waves are the real risk after data breaches of this kind. They use the leaked master data to simulate credibility, for example through fake support calls that mention real account numbers or verification status.
Recommendations that are not self-evident in this context:
- 2FA with authenticator app instead of SMS (SIM swapping remains the most common attack vector for SMS-2FA)
- Activate the withdrawal whitelist at Kraken: all payouts go only to pre-approved addresses
- Separate email account for exchange accounts, not entangled with other services
- Hardware wallet for long-term holdings: trading accounts hold only what is actively traded.
What happens if losses do occur — the consequences of phishing
In our forensic practice, we regularly see phishing follow-up waves with a 4–8 week delay after data breaches of this kind. The attackers specifically use the leaked data and contact affected customers under the pretext of a "security check" or a "suspicious transaction." Anyone who obtains a customer's wallet data or seed phrase in this way can directly withdraw the coins.
In such cases, the forensic procedure is clear:
- Immediate securing of evidence: wallet addresses, transaction IDs, and the entire communication history with the supposed "support staff"; see our article on evidence in cases of crypto fraud.
- Initial forensic assessment via a wallet check: clarification of where the coins went and what points of contact exist for tracing them.
- Stablecoin blocking requests in case of USDT or USDC losses; see "Cryptocurrencies blocked: How Tether and Circle can help". Tether further expanded its blocking capacity in 2025 through its investment in Crystal Intelligence.
- Criminal charges: even if the success rate in solving cases is limited in practice, the report forms the basis for civil proceedings and parallel blocking requests.
Conclusion
The insider incident at Kraken is not evidence of a general insecurity of the platform. It is evidence that the biggest current threat in the crypto industry lies not in faulty software, but in the recruitment of employees with privileged access. Kraken reacted quickly in both cases, informing affected accounts, adhering to regulatory reporting channels, and resisting extortion attempts. This is the right response and clearly distinguishes the incident from cases where exchanges cover things up for months or pay up.
For German users, the second, less widely publicized development is at least as relevant: Since June 2025, Kraken has been the first major global crypto exchange with a full MiCAR license, placing it within a tight EU regulatory framework. Those who consistently implement the key security measures (authenticator app, withdrawal whitelist, separate email address, hardware wallet for holdings) are well-prepared to protect themselves against phishing attacks resulting from insider incidents of this kind.
FAQ – Frequently Asked Questions about the Kraken Security Incident
What really happened at Kraken in 2025?
In February 2025, it was revealed that a member of the Kraken support team had recorded videos of internal systems and shared them on a criminal forum. A second, similar incident involving a different employee followed in the spring of 2026, along with an extortion attempt by a criminal group, which Kraken rebuffed. It was not an external hack: the individuals concerned had legitimate access and abused it.
How many user accounts were affected?
According to Kraken CSO Nick Percoco, approximately 2,000 customer accounts were potentially viewed across both incidents. This corresponds to approximately 0.02 % of the global user base. The data accessed was limited to customer support information.
Were customer funds stolen?
No. Kraken has publicly stated that its systems were not compromised and no customer funds were at risk. This was a data breach in the support department, not a theft of coins.
What specific risks exist for affected customers?
The main risk is targeted phishing in the weeks and months following the incident. Attackers use leaked account information to make seemingly genuine contact attempts ("Your account is showing suspicious activity..."). Anyone who discloses seeds, passwords, or 2FA codes at this stage risks losing their coins.
Is Kraken regulated in Europe?
Yes. On June 25, 2025, Kraken became the first major global crypto exchange to receive a full MiCAR license, issued by the Central Bank of Ireland. This entitles Kraken to offer regulated crypto services in all 30 EEA countries and subjects it to EU-wide supervisory and reporting obligations.
What should I do if I suspect I am affected?
If Kraken hasn't actively contacted you, your account is likely not affected. Regardless, we recommend: enabling 2FA via an authenticator app (not SMS), activating a withdrawal whitelist, using a separate email account for exchanges, and moving funds to a hardware wallet. In case of an actual loss, arrange a wallet check and file a criminal complaint; the trail is documented on the blockchain in any case.