Crypto exchange Kraken is facing an extortion attempt from a criminal group threatening to release videos purportedly showing access to internal systems containing client data. The Wyoming-based exchange said it identified and shut down two separate insider-related incidents involving unauthorized access to limited support data, affecting approximately 2,000 client accounts, roughly 0.02% of its total customer base. Kraken says it will not pay and is coordinating with law enforcement to identify and arrest those responsible.
Two Separate Insider Incidents, Both Detected and Shut Down
The first incident dates to February 2025, when Kraken received a tip about a video circulating on a criminal forum showing access to internal systems. An internal investigation identified the individual responsible, revoked their access and prompted additional security controls. A limited number of affected clients were notified at the time.
More recently, Kraken received another tip and a similar video. The exchange again identified the person involved, terminated their access and notified affected users. Shortly after that second access was cut off, the extortion demands began arriving, with the criminal group threatening to distribute materials from both incidents to media outlets and on social media.
Nick Percoco, chief security and information officer of Payward and Kraken, stated in a post on X: "Our systems were never breached; funds were never at risk; we will not pay these criminals; we will not ever negotiate with bad actors."
Kraken Links Incidents to Broader Insider Recruitment Campaign
Kraken said it has been working with industry partners and law enforcement on what it describes as a broader insider recruitment campaign targeting companies across crypto, gaming and telecommunications. The exchange said it believes there is sufficient evidence to identify and arrest those responsible for the extortion attempt.
Insider threats are a particularly difficult attack surface for crypto exchanges because they bypass technical security measures entirely. Unlike smart contract exploits or wallet vulnerabilities, insider access relies on compromised or recruited employees who already have legitimate system access, making early detection dependent on behavioral monitoring and internal tip lines rather than perimeter defenses. The pattern of crypto's biggest security problem moving away from code and toward people is now well-documented across the industry.
The recruitment campaign Kraken describes overlaps with patterns previously identified in North Korean IT worker operations, where state-affiliated actors have embedded themselves as legitimate employees inside crypto firms before pivoting to extraction. The Ethereum Foundation publicly exposed roughly 100 DPRK operatives across 53 crypto projects last year. Whether the actors targeting Kraken are connected to the same network has not been confirmed, but the playbook (long-term infiltration followed by privileged access abuse) is identical.
Kraken is not the only firm dealing with related issues this week. Galaxy Digital, the digital asset firm founded by Mike Novogratz, said it recently contained a cybersecurity incident involving unauthorized access to an isolated development workspace. Galaxy confirmed that no client funds or account data were accessed or at risk.
Exchange Tightens Controls and Notifies Affected Users
Across both incidents, the unauthorized access was limited to support-level data for approximately 2,000 accounts. Kraken said client funds were never accessible or at risk at any point during either incident. All affected users have been notified directly.
The exchange said it has since tightened internal access controls and continues to enhance its security practices in response to what it characterizes as a growing global threat of insider recruitment targeting the crypto industry. Percoco added: "The security of our clients is our highest priority, and we remain fully committed to combating the growing global threat of insider recruitment and constantly enhancing our security practices to combat new threats."
Founded in 2011, Kraken is operated by Payward Inc. and serves retail and institutional clients globally across spot and derivatives trading, custody and staking services. The exchange has recently acquired Bitnomial for $550 million as part of a broader push into U.S. derivatives markets, expanding its regulated footprint at the same time it manages the operational fallout of these insider incidents.