Crypto exchange Kraken has reported two separate insider incidents in which support staff improperly accessed a limited amount of client data. According to a company statement and comments from Chief Security Officer Nick Percoco, no systems were breached and no client funds were compromised in either event.
Both incidents involved unauthorized access to internal support tools rather than the core trading infrastructure. Once the access was identified, Kraken promptly revoked permissions for the staff members involved. Percoco revealed that the company has been subjected to extortion attempts from a criminal group claiming to possess videos showing internal systems that include client data. The group has threatened to release this material unless its demands are met. “Our systems were never breached; funds were never at risk; we will not pay these criminals,” Percoco emphasized, reaffirming the company’s stance against negotiation with the attackers.
Approximately 2,000 client accounts have been identified as potentially viewed during these incidents, accounting for about 0.02% of the exchange’s global user base. Affected users have been notified, and the information exposed is said to consist of basic support data rather than any sensitive financial information.
The first of these incidents occurred in February 2025, following a tip about a video circulating on a criminal forum. An internal investigation subsequently revealed that a member of the support team was responsible for the access. In response, Kraken revoked permissions and initiated additional security reviews. A second incident arose after another tip was received regarding similar material associated with a different individual. Again, the source was identified, access terminated, and impacted users were informed, with internal controls further tightened.
Following the conclusion of both access incidents, the attackers escalated their extortion efforts, threatening to distribute sensitive content to various media outlets and social platforms. Kraken stated that it is collaborating with law enforcement across multiple jurisdictions and believes there is sufficient evidence to identify and pursue the perpetrators responsible for these threats.
The exchange has also noted a concerning trend of insider recruitment aimed at firms in the cryptocurrency, gaming, and telecommunications sectors. Security experts have cautioned that insider threats pose a persistent risk in the digital asset markets, where support roles require access to user accounts for troubleshooting purposes. Although such access is usually restricted, it can be vulnerable to coercion or exploitation.
In the wake of these incidents, Kraken is actively revisiting its internal processes, enhancing monitoring capabilities, and limiting access privileges to mitigate future risks. The firm underscored that its core infrastructure remains secure, even as the industry grapples with ongoing security challenges related to both external threats and internal vulnerabilities.
In a related development, Galaxy Digital disclosed a cybersecurity incident involving unauthorized access to an isolated development environment, although it confirmed that no client data or funds were at risk in that situation. Kraken pledged to continue cooperating with investigators and industry partners as this case unfolds, framing the incidents as contained events while simultaneously alerting the broader tech community to the pattern of insider-centric threats.


