Crypto exchange Kraken is facing an extortion attempt from a criminal group threatening to release videos purportedly showing access to internal systems containing client data. The Wyoming-based exchange said it identified and shut down two separate insider-related incidents involving unauthorized access to limited support data, affecting approximately 2,000 client accounts — roughly 0.02% of its total customer base. Kraken says it will not pay and is coordinating with law enforcement to identify and arrest those responsible.
Two Separate Insider Incidents, Both Detected and Shut Down
The first incident dates to February 2025, when Kraken received a tip about a video circulating on a criminal forum showing access to internal systems. An internal investigation identified the individual responsible, revoked their access and prompted additional security controls. A limited number of affected clients were notified at the time.
More recently, Kraken received another tip and a similar video. The exchange again identified the person involved, terminated their access and notified affected users. Shortly after that second access was cut off, the extortion demands began arriving, with the criminal group threatening to distribute materials from both incidents to media outlets and on social media.
Nick Percoco, chief security and information officer of Payward and Kraken, stated in a post on X: “Our systems were never breached; funds were never at risk; we will not pay these criminals; we will not ever negotiate with bad actors.”
Kraken Links Incidents to Broader Insider Recruitment Campaign
Kraken said it has been working with industry partners and law enforcement on what it describes as a broader insider recruitment campaign targeting companies across crypto, gaming and telecommunications. The exchange said it believes there is sufficient evidence to identify and arrest those responsible for the extortion attempt.
Insider threats are a particularly difficult attack surface for crypto exchanges because they bypass technical security measures entirely. Unlike smart contract exploits or wallet vulnerabilities, insider access relies on compromised or recruited employees who already have legitimate system access, making early detection dependent on behavioral monitoring and internal tip lines rather than perimeter defenses.
Kraken is not the only firm dealing with related issues this week. Galaxy Digital, the digital asset firm founded by Mike Novogratz, said it recently contained a cybersecurity incident involving unauthorized access to an isolated development workspace. Galaxy confirmed that no client funds or account data were accessed or at risk.
Exchange Tightens Controls and Notifies Affected Users
Across both incidents, the unauthorized access was limited to support-level data for approximately 2,000 accounts. Kraken said client funds were never accessible or at risk at any point during either incident. All affected users have been notified directly.
The exchange said it has since tightened internal access controls and continues to enhance its security practices in response to what it characterizes as a growing global threat of insider recruitment targeting the crypto industry. Percoco added: “The security of our clients is our highest priority, and we remain fully committed to combating the growing global threat of insider recruitment and constantly enhancing our security practices to combat new threats.”
Founded in 2011, Kraken is operated by Payward Inc. and serves retail and institutional clients globally across spot and derivatives trading, custody and staking services. The exchange has built its reputation in part on security and regulatory compliance across multiple jurisdictions.
