TLDR
- Criminals recorded footage of Kraken’s internal systems and are demanding payment to prevent public release
- Chief Security Officer Nick Percoco announced the exchange will refuse all ransom demands
- Approximately 2,000 user accounts were potentially accessed during two incidents in February 2025 and recently
- Federal authorities are investigating, with Kraken successfully stopping one extortion effort already
- A parallel incident occurred at Coinbase in May 2025, involving compromised data from approximately 70,000 users and a $20 million ransom demand
A criminal organization has demanded payment from Kraken after obtaining video recordings of the exchange’s internal systems, threatening public disclosure if their demands go unmet. Chief Security Officer Nick Percoco revealed the extortion attempt through a statement on X this Monday.
According to Percoco, the perpetrators captured footage showing Kraken support personnel working within internal client management systems. This recorded material now serves as the basis for their monetary demands.
“We will not pay these criminals,” Percoco declared. “We will not ever negotiate with bad actors.”
The exchange verified that no complete system breaches occurred. User assets remained secure throughout both security incidents.
This situation stems from two distinct security events. The initial occurrence took place in February 2025, appearing to involve a Kraken support employee recording internal system access. Another incident following the same pattern emerged more recently.
During both episodes, Kraken responded swiftly to detect the security threat and terminate unauthorized access. The exchange reports successfully neutralizing one extortion scheme linked to these activities.
Approximately 2,000 user accounts across Kraken’s platform were potentially visible during these two security events. The company has initiated contact with all potentially affected customers.
Federal Law Enforcement Involved
Federal authorities are now collaborating with Kraken to pursue the criminal organization. Percoco indicated the ongoing investigation may result in criminal arrests.
The platform is partnering with cybersecurity specialists across the industry. Percoco mentioned the company’s efforts to “investigate and disrupt insider recruitment efforts” aimed at cryptocurrency, gaming, and telecommunications firms.
Insider security threats have escalated throughout the cryptocurrency sector. The North Korean-linked Lazarus Group has established a pattern of embedding operatives within legitimate organizations, with security researchers documenting at least 60 confirmed Lazarus-connected developers working for cryptocurrency ventures.
Coinbase Faced a Similar Attack
This extortion attempt represents the second major exchange to confront such threats. During May 2025, Coinbase revealed that cybercriminals demanded $20 million to prevent the release of customer information.
That security compromise impacted approximately 70,000 customers and resulted from bribery schemes targeting international customer service contractors.
Cryptocurrency security incidents overall have shown increasing severity. Blockchain intelligence provider Nominis reports that major crypto-related losses exceeded $178 million during March 2026, representing a significant jump from February’s $49.3 million.
Authorization exploitation emerged as the primary attack vector throughout March, with targets inadvertently approving transactions that granted attackers direct control over their digital assets.
Percoco emphasized that protecting Kraken’s customer base remains the platform’s “highest priority” and affirmed ongoing efforts to strengthen defenses against emerging security challenges.
