{"id":236128,"date":"2025-07-17T11:03:09","date_gmt":"2025-07-17T11:03:09","guid":{"rendered":"https:\/\/krypto-investigation.de\/?p=236128"},"modified":"2026-06-02T12:40:17","modified_gmt":"2026-06-02T10:40:17","slug":"security-incident-at-kraken","status":"publish","type":"post","link":"https:\/\/krypto-investigation.de\/en\/sicherheitsvorfall-bei-kraken\/","title":{"rendered":"Security incidents at Kraken in 2025\/2026: What actually happened at the crypto exchange"},"content":{"rendered":"<p>Contrary to initial reports by various media outlets, the security incident uncovered at Kraken in 2025 was not an external hack with a zero-day vulnerability, but an <strong>insider incident<\/strong>. A member of the support team recorded videos of internal systems and shared them on a criminal forum. In the spring of 2026, a second, similar incident occurred involving a different employee, along with an extortion attempt, which Kraken publicly rejected. Approximately <strong>2,000 accounts \u2014 0.02 percent of the global user base<\/strong> were affected. Kraken CSO Nick Percoco clarified: No systems were compromised, and no customer funds were at risk. 
The incident is part of a broader industry trend: a growing wave of insider recruitment campaigns that is also affecting Coinbase, telecom providers, and gaming companies.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Key facts of the incidents<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>First incident:<\/strong> February 2025<\/li>\n\n\n\n<li><strong>Second incident:<\/strong> Spring 2026, similar situation with another employee<\/li>\n\n\n\n<li><strong>Subsequent extortion attempt:<\/strong> April 2026, publicly rejected by Kraken<\/li>\n\n\n\n<li><strong>Affected accounts:<\/strong> approximately 2,000 (0.02 % of the global user base)<\/li>\n\n\n\n<li><strong>Type of data viewed:<\/strong> exclusively customer support records<\/li>\n\n\n\n<li><strong>Not affected:<\/strong> Wallets, private keys, 2FA codes, customer funds<\/li>\n\n\n\n<li><strong>Statement from CSO Nick Percoco:<\/strong> &quot;Our systems were never breached; funds were never at risk; we will not pay these criminals.&quot;<\/li>\n\n\n\n<li><strong>Operator:<\/strong> Payward Inc. (parent company of Kraken)<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">What actually happened \u2014 not a classic hack<\/h2>\n\n\n\n<p>The incident followed a pattern that the security community has seen increase significantly over the past two years: <strong>insider threat instead of external exploit.<\/strong><\/p>\n\n\n\n<p><strong>February 2025.<\/strong> Kraken received a tip about a video circulating on a criminal forum showing an individual navigating internal customer support systems. An internal investigation identified a member of the support team as the source. Access was immediately revoked, additional access controls were implemented, and affected customers were notified. Kraken cooperated with law enforcement agencies in several jurisdictions.<\/p>\n\n\n\n<p><strong>Spring 2026.<\/strong> A second, similar report. 
Again, a support employee, a new video, the same reaction: identification, account suspension, notification of the affected accounts. Then the extortion began\u2014a criminal group demanded payment, threatening to distribute the video footage from both incidents to media outlets and on social networks. Kraken refused and announced legal action.<\/p>\n\n\n\n<p>Important for context: There was <strong>no zero-day exploit, no third-party vulnerability, no external intruder who had gained system access<\/strong>. The employees had legitimate access \u2014 they abused it.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What the attackers really saw \u2014 and what they didn&#039;t<\/h2>\n\n\n\n<p>The term &quot;data leak&quot; is often used generically in reporting. In Kraken&#039;s case, the scope of the data breach was clearly defined:<\/p>\n\n\n\n<p><strong>The following could be viewed:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Customer support tickets and related communication<\/li>\n\n\n\n<li>Master data to the extent that it is visible for support processes (name, email, country if applicable)<\/li>\n\n\n\n<li>Possibly information about account status or verification level<\/li>\n<\/ul>\n\n\n\n<p><strong>Not viewed or compromised:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Wallet addresses and private keys<\/li>\n\n\n\n<li>2FA codes or authenticator seeds<\/li>\n\n\n\n<li>Passwords or password hashes<\/li>\n\n\n\n<li>Direct access to trading accounts<\/li>\n\n\n\n<li>Ability to initiate trades or withdrawals<\/li>\n<\/ul>\n\n\n\n<p>Compared to actual exchange hacks of recent years (Mt. 
Gox 2014, Coincheck 2018, FTX 2022, Bybit February 2025 with a loss of 1.5 billion USD), the Kraken incident is in a <strong>different category<\/strong>: no loss of client funds, no interference with the trading infrastructure.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The bigger picture \u2014 insider recruitment as an industry trend<\/h2>\n\n\n\n<p>The Kraken case is not an isolated incident, but part of a professional, organized wave. Key characteristics:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Dark web recruitment<\/strong> of employees at large crypto exchanges, gaming platforms and telecommunications providers<\/li>\n\n\n\n<li>Payment typically between <strong>3,000 and 15,000 USD per employee<\/strong>, depending on the access level<\/li>\n\n\n\n<li>Recruiters&#039; marketing promise: &quot;No malware needed, complete anonymity&quot;<\/li>\n\n\n\n<li>Goal: not direct theft, but <strong>data for phishing attacks<\/strong> on identified customers with high account balances<\/li>\n<\/ul>\n\n\n\n<p>The most prominent comparable case is <strong>Coinbase in May 2025<\/strong>. Attackers bribed employees of an Indian customer support provider, gaining access to the data of approximately 70,000 accounts. Coinbase estimated the total damage at around 400 million USD\u2014primarily due to subsequent waves of phishing attacks, in which the leaked account information was used to simulate credibility. 
Coinbase also rejected a 20 million USD ransom demand and instead offered a reward of the same amount for information leading to the perpetrators&#039; arrest.<\/p>\n\n\n\n<p>Compared to Coinbase, the Kraken incident is orders of magnitude lower in terms of damage and number of affected accounts \u2014 due to both the different insider reach and the early detection by Kraken.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Kraken in a European context: First MiCAR-licensed global provider<\/h2>\n\n\n\n<p>For German and European users, a second development is at least as relevant as the security incident itself: <strong>Kraken became the first major global crypto exchange to receive a full MiCAR license on June 25, 2025<\/strong>, issued by the Central Bank of Ireland.<\/p>\n\n\n\n<p>What this means in practice:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Kraken can offer its services directly and in a regulated manner in all 30 EEA countries.<\/li>\n\n\n\n<li>Supervision by the Central Bank of Ireland, in coordination with national authorities (in Germany, BaFin)<\/li>\n\n\n\n<li>EU-wide consumer protection standards, transparency obligations, robust supervisory mechanisms<\/li>\n\n\n\n<li>The license covers all seven crypto activities regulated under MiCAR \u2014 custody, trading, portfolio management, payments, etc.<\/li>\n<\/ul>\n\n\n\n<p>You can read more about the European regulatory framework and current ESMA observations in our article on 
<a href=\"https:\/\/krypto-investigation.de\/en\/eu-mica-crypto-regulation\/\">MiCA Regulation and Malta&#039;s licensing practice<\/a>.<\/p>\n\n\n\n<p>This regulatory framework is relevant for assessing the insider incident: A MiCAR-licensed exchange is subject not only to internal security standards, but also to <strong>reporting obligations to the supervisory authority<\/strong> in the event of security incidents: under DORA for operational resilience and under the GDPR for data leaks. Kraken has officially handled the incident in both areas.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Significance for users in Germany<\/h2>\n\n\n\n<p>From today&#039;s perspective, the concrete impact on Kraken customers in Germany is manageable. The most important points are:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Anyone who is not among the 2,000 affected accounts<\/strong> is practically unaffected by the insider incidents.<\/li>\n\n\n\n<li><strong>Anyone who is affected<\/strong> was informed directly by Kraken. The main risk is an increased likelihood of targeted phishing attempts using real customer data.<\/li>\n\n\n\n<li><strong>Phishing follow-up waves<\/strong> are the real risk after data breaches of this kind. 
They use the leaked master data to simulate credibility\u2014for example, fake support calls that mention real account numbers or verification status.<\/li>\n<\/ul>\n\n\n\n<p>Recommendations that are not self-evident in this context:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>2FA with authenticator app<\/strong> instead of SMS (SIM swapping remains the most common attack vector for SMS-2FA)<\/li>\n\n\n\n<li>Activate the <strong>withdrawal whitelist<\/strong> at Kraken \u2014 all payouts go only to pre-approved addresses<\/li>\n\n\n\n<li><strong>Separate email account<\/strong> for exchange accounts that is not entangled with other services<\/li>\n\n\n\n<li><strong>Hardware wallet<\/strong> for long-term holdings \u2014 trading accounts only hold what is actively traded.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">What happens if losses do occur \u2014 the consequences of phishing<\/h2>\n\n\n\n<p>In our forensic practice, we regularly see <strong>phishing follow-up waves with a 4\u20138 week delay<\/strong> after data breaches of this kind. 
The attackers use the leaked data in a targeted way and contact affected customers under the pretext of a &quot;security check&quot; or a &quot;suspicious transaction.&quot; Anyone who obtains a customer&#039;s wallet data or seed phrase in this way can directly withdraw the coins.<\/p>\n\n\n\n<p>In such cases, the forensic procedure is clear:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Immediate securing of evidence<\/strong> \u2014 wallet addresses, transaction IDs, the entire communication history with the supposed &quot;support staff&quot;; see our article on <a href=\"https:\/\/krypto-investigation.de\/en\/evidence-in-cases-of-crypto-fraud-which-evidence-is-crucial-for-filing-a-criminal-complaint-and-demanding-restitution\/\">Evidence in cases of crypto fraud<\/a>.<\/li>\n\n\n\n<li><strong>Initial forensic assessment<\/strong> via a <a href=\"https:\/\/krypto-investigation.de\/en\/wallet-check-2\/\">Wallet check<\/a> \u2014 clarification of where the coins went and what points of contact exist for tracing them.<\/li>\n\n\n\n<li><strong>Stablecoin blocking requests<\/strong> in case of USDT or USDC losses \u2014 see <a href=\"https:\/\/krypto-investigation.de\/en\/cryptocurrencies-blocked-such-as-stablecoin-issuers-like-tether-and-circle-can-help-those-affected\/\">Cryptocurrencies blocked: How Tether and Circle can help<\/a>. 
Tether further expanded its blocking capacity in 2025 through its <a href=\"https:\/\/krypto-investigation.de\/en\/tether-investment-in-crystal-intelligence\/\">investment in Crystal Intelligence<\/a>.<\/li>\n\n\n\n<li><strong>Criminal complaint<\/strong> \u2014 even if the success rate in solving cases is limited in practice, the report forms the basis for civil prosecution and parallel blocking requests.<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>The insider incident at Kraken is not evidence of a general insecurity of the platform \u2014 it is evidence that the biggest current threat in the crypto industry lies <strong>not in faulty software, but in the recruitment of employees with privileged access<\/strong>. Kraken reacted quickly in both cases, informing affected accounts, adhering to regulatory reporting channels, and resisting extortion attempts. This is the right response and clearly distinguishes the incident from cases where exchanges cover things up for months or pay up.<\/p>\n\n\n\n<p>For German users, the second, less widely publicized development is at least as relevant: Since June 2025, Kraken has been the first major global crypto exchange with a full MiCAR license, placing it within a tight EU regulatory framework. 
Those who consistently implement the key security measures (authenticator app, withdrawal whitelist, separate email address, hardware wallet for holdings) are well-prepared to protect themselves against phishing attacks resulting from insider incidents of this kind.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">FAQ \u2013 Frequently Asked Questions about the Kraken Security Incident<\/h2>\n\n\n\n<div data-schema-only=\"false\" class=\"wp-block-aioseo-faq\"><h3 class=\"aioseo-faq-block-question\"><strong>What really happened at Kraken in 2025?<\/strong><\/h3><div class=\"aioseo-faq-block-answer\">\n<p>In February 2025, it was revealed that a member of the Kraken support team had recorded videos of internal systems and shared them on a criminal forum. A second, similar incident involving a different employee followed in the spring of 2026, along with an extortion attempt by a criminal group, which Kraken rebuffed. There was <strong>no external hack<\/strong> \u2014 the individuals concerned had legitimate access and abused it.<\/p>\n<\/div><\/div>\n\n\n\n<div data-schema-only=\"false\" class=\"wp-block-aioseo-faq\"><h3 class=\"aioseo-faq-block-question\"><strong>How many user accounts were affected?<\/strong><\/h3><div class=\"aioseo-faq-block-answer\">\n<p>According to Kraken CSO Nick Percoco, approximately <strong>2,000 customer accounts were potentially viewed<\/strong> across both incidents. This corresponds to approximately 0.02 % of the global user base. The data accessed was limited to customer support information.<\/p>\n<\/div><\/div>\n\n\n\n<div data-schema-only=\"false\" class=\"wp-block-aioseo-faq\"><h3 class=\"aioseo-faq-block-question\"><strong>Were customer funds stolen?<\/strong><\/h3><div class=\"aioseo-faq-block-answer\">\n<p>No. Kraken has publicly stated that its systems were not compromised and no customer funds were at risk. 
This was a data breach in the support department, not a theft of coins.<\/p>\n<\/div><\/div>\n\n\n\n<div data-schema-only=\"false\" class=\"wp-block-aioseo-faq\"><h3 class=\"aioseo-faq-block-question\"><strong>What specific risks exist for affected customers?<\/strong><\/h3><div class=\"aioseo-faq-block-answer\">\n<p>The main risk is <strong>targeted phishing in the weeks and months following the incident<\/strong>. Attackers use leaked account information to make seemingly genuine contact attempts (&quot;Your account is showing suspicious activity...&quot;). Anyone who discloses seeds, passwords, or 2FA codes at this stage risks losing their coins.<\/p>\n<\/div><\/div>\n\n\n\n<div data-schema-only=\"false\" class=\"wp-block-aioseo-faq\"><h3 class=\"aioseo-faq-block-question\"><strong>Is Kraken regulated in Europe?<\/strong><\/h3><div class=\"aioseo-faq-block-answer\">\n<p>Yes. On June 25, 2025, Kraken became the first major global crypto exchange to receive a full MiCAR license, issued by the Central Bank of Ireland. This entitles Kraken to offer regulated crypto services in all 30 EEA countries and subjects it to EU-wide supervisory and reporting obligations.<\/p>\n<\/div><\/div>\n\n\n\n<div data-schema-only=\"false\" class=\"wp-block-aioseo-faq\"><h3 class=\"aioseo-faq-block-question\"><strong>What should I do if I suspect I am affected?<\/strong><\/h3><div class=\"aioseo-faq-block-answer\">\n<p>If Kraken hasn&#039;t actively contacted you, your account is likely not affected. Regardless, we recommend: enabling 2FA via an authenticator app (not SMS), activating a withdrawal whitelist, using a separate email account for exchanges, and moving funds to a hardware wallet. In case of an actual loss, request a 
<a href=\"https:\/\/krypto-investigation.de\/en\/wallet-check-2\/\">Wallet check<\/a> and file a criminal complaint \u2014 the trail is documented on the blockchain in any case.<\/p>\n<\/div><\/div>","protected":false},"excerpt":{"rendered":"<p>Kraken is one of the largest cryptocurrency exchanges worldwide \u2013 but the security incident shows how vulnerable even market leaders remain.<\/p>","protected":false},"author":4,"featured_media":236130,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"categories":[7],"tags":[],"class_list":["post-236128","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-krypto-neuigkeiten"],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/krypto-investigation.de\/en\/wp-json\/wp\/v2\/posts\/236128","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/krypto-investigation.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/krypto-investigation.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/krypto-investigation.de\/en\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/krypto-investigation.de\/en\/wp-json\/wp\/v2\/comments?post=236128"}],"version-history":[{"count":1,"href":"https:\/\/krypto-investigation.de\/en\/wp-json\/wp\/v2\/posts\/236128\/revisions"}],"predecessor-version":[{"id":238302,"href":"https:\/\/krypto-investigation.de\/en\/wp-json\/wp\/v2\/posts\/236128\/revisions\/238302"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/krypto-investigation.de\/en\/wp-json\/wp\/v2\/media\/236130"}],"wp:attachment":[{"href":"https:\/\/krypto-investigation.de\/en\/wp-json\/wp\/v2\/media?parent=236128"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/krypto-investigation.de\/en\/wp-json\/wp\/v2\/categories?post=236128"},{"taxonomy":"post_tag","e
mbeddable":true,"href":"https:\/\/krypto-investigation.de\/en\/wp-json\/wp\/v2\/tags?post=236128"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}