
Kraken Faces Extortion Demand After Insider Access Incidents Expose Data From 2,000 Client Accounts

Two incidents of internal staff accessing and leaking client data have armed a criminal group with KYC documentation and transaction records. Kraken says it will not pay and is working with law enforcement.

By James Gray

Kraken's chief security officer disclosed on Sunday that the exchange is fighting an active extortion campaign after two separate incidents of internal staff accessing and leaking client data, affecting approximately 2,000 accounts — a fraction of the firm's user base, but enough to arm a criminal group with material it's now threatening to release publicly.

Nick Percoco, who leads Kraken's security operation, laid out the situation in a post on X: the exchange identified two instances in which members of its support team accessed client systems without authorisation and passed information to individuals outside the company. The first occurred in February 2025; the second was discovered more recently, though Percoco didn't specify the exact date. Both were caught, the employees were removed, and the access was shut down.

What the criminals obtained, according to Kraken and corroborating reports, includes know-your-customer documentation, transaction histories, and support ticket records from the roughly 2,000 affected accounts. That's 0.02% of Kraken's total client base — a number the exchange has been at pains to contextualise — but KYC data is precisely the kind of information that enables targeted phishing, identity theft, and social engineering attacks against high-value crypto holders.

The extortion group has threatened to distribute videos of internal systems showing client data to media outlets and on social media unless Kraken meets its demands. Percoco's response was unambiguous: "We will not pay these criminals." The exchange is working with federal law enforcement across multiple jurisdictions and has already notified every affected user directly.

Kraken's disclosure follows a particularly rough stretch for exchange security. Bybit blocked a coordinated fake-deposit attack earlier this month that could have drained over a billion dollars' worth of DOT, and the industry is still processing the aftermath of the $1.4 billion Bybit hack attributed to the Lazarus Group. The difference with Kraken is the attack vector: this wasn't a smart contract exploit or a compromised private key. It was people — insiders with legitimate access who chose to monetise it.

The insider threat is arguably the hardest to defend against because it sits inside the perimeter. Kraken can harden its API endpoints and audit its smart contracts, but a support agent with legitimate credentials who decides to screenshot client records operates within the same systems that everyone else uses to do their jobs. The exchange said it has tightened internal access controls since the incidents, though it hasn't detailed what specific changes were made.

Percoco also flagged something broader: Kraken has been working with industry partners and law enforcement to investigate what it described as organised insider recruitment efforts targeting not just crypto firms but also gaming and telecommunications companies. The implication is that the two Kraken incidents may be part of a wider campaign in which criminal groups deliberately place or recruit employees at companies that hold valuable personal data.

No ransom figure has been publicly disclosed, and no videos have surfaced as of Monday. Kraken's decision not to pay is consistent with the approach most major exchanges have taken in similar situations — Binance's $40 million hack in 2019 was met with a public acknowledgement and user reimbursement rather than negotiation with the attackers.

The incident also carries regulatory overtones. Crypto exchanges operating in the United States face increasing scrutiny over data handling and customer protection, and an insider-facilitated data leak — even one affecting a small percentage of users — gives ammunition to regulators arguing that the industry's compliance standards aren't where they need to be. Kraken, which has operated from Wyoming and maintains one of the longer track records among US exchanges, presumably understands this. Its decision to go public rather than settle quietly suggests confidence that transparency will serve it better than silence; the extortion group is betting on the opposite.

MiningPool content is intended for information and educational purposes only and does not constitute financial, investment, or legal advice.
