Crypto exchange Kraken is facing an extortion attempt by a criminal group threatening to release videos allegedly showing access to internal systems containing client data, the company said on Monday.
The Wyoming-based company said it identified and closed two instances of inappropriate access linked to individuals within its support team, each involving restricted customer data.
“Our systems were never breached; funds were never at risk; we will not pay these criminals; we will never negotiate with bad actors,” said Nick Percoco, Chief Security and Information Officer at Payward and Kraken, in a post on X.
The first incident came in February 2025, when Kraken received a tip about a video circulating on a crime forum. An internal investigation identified the person involved, revoked their access and led to additional security checks. A limited number of affected clients were notified.
Recently, Kraken received another tip and a similar video. The company said it re-identified the person responsible, terminated their access and notified affected users.
Security incidents remain an ongoing problem in crypto because the industry combines valuable, easily transferable assets with technical and human vulnerabilities. Digital assets can be moved instantly across borders and are often irreversible once lost, making them attractive targets for malicious actors. At the same time, weaknesses in smart contracts, private key management and exchange infrastructure can create exploitable entry points, while phishing and social engineering schemes continue to directly target users.
Recent crypto exploits have shown increasing sophistication, with attackers combining vulnerabilities in smart contract, social engineering and rapid fund movement to maximize impact.
In cases like the Drift exploit, it appears that adversaries have used a deep understanding of protocol mechanics and liquidity relationships to manipulate systems in ways that are difficult to detect in real time, underscoring how complex and fast-moving decentralized finance (DeFi) environments can create opportunities for advanced attacks.
Kraken is a US-based cryptocurrency exchange operated by Payward Inc. that offers spot and derivatives trading as well as custody and staking services for digital assets. Founded in 2011, the platform serves retail and institutional clients globally and provides access to cryptocurrencies such as bitcoin and ether (ETH), as well as fiat entry and exit. The company is also known for its focus on security and regulatory compliance across multiple jurisdictions.
Across both incidents, approximately 2,000 client accounts were potentially viewed, according to the company. Kraken has millions of customers, and the security incidents affected only 0.02% of its customer base, a person with knowledge of the matter told CoinDesk.
Kraken said it began receiving extortion demands shortly after the latest access was severed, with the group threatening to distribute materials from both incidents to the media and on social media. The company said it will not comply.
The exchange added that it has been working with industry partners and law enforcement to investigate what it describes as broader insider recruitment efforts targeting crypto, gaming and telecommunications firms. It said it believes there is sufficient evidence to identify and arrest those responsible.
“The security of our customers is our highest priority, and we remain fully committed to combating the growing global threat of insider recruitment and constantly improving our security practices to combat emerging threats,” Percoco added.
Galaxy Digital ( GLXY ), the digital asset financial firm founded by Mike Novogratz, said it also recently contained a cybersecurity incident involving unauthorized access to an isolated development workspace. No client funds or account data were accessed or compromised.
Read more: Galaxy Digital’s testnet suffers from hack, but no client funds or information were compromised
