Tuesday, April 14

Author

Ahmed Balaha

Kraken confirmed Monday it is being extorted by a criminal group holding videos of internal systems containing customer data, and the crypto exchange has publicly refused to comply.

Chief Security Officer Nick Percoco disclosed the threat via X on April 13, 2026, stating the firm is working with federal law enforcement across multiple jurisdictions to pursue arrests.

The refusal is the right call. It’s also a calculated institutional signal at a moment when exchange trust is structurally fragile.

Key Takeaways:

  • What was breached: Internal systems containing customer data were accessed via insider recruitment – there was no full system compromise and no customer funds were at risk, according to Kraken.
  • Scope: Approximately 2,000 individuals potentially had their information viewed, representing roughly 0.02% of Kraken’s total user base; all affected users have been contacted.
  • Extortion mechanism: Criminals are threatening to release videos of Kraken’s internal systems and distribute customer data fragments to media and social platforms unless demands are met.
  • Kraken’s response: Percoco stated publicly: “We will not pay these criminals; we will not ever negotiate with bad actors” – and confirmed active federal law enforcement engagement across multiple jurisdictions.
  • Insider pattern: A February 2025 incident involved a similar video shared on a criminal forum; in both cases, an individual from within the company was identified.
  • Sector context: Wrench attacks on crypto industry personnel increased more than 75% year-over-year, with CertiK attributing over $40 million in confirmed losses to such attacks last year.
  • Watch: Whether law enforcement arrests materialize and how Kraken’s delayed IPO timeline absorbs the reputational exposure from a second consecutive security incident.

How the Kraken Breach and Extortion Mechanics Actually Worked

This was not a credential-scraping exploit or a protocol vulnerability. The entry point in both the February 2025 incident and the current extortion threat was insider recruitment: compromised individuals within Kraken’s organization granted access to internal systems, enabling reconnaissance rather than a full breach.

The access appears to have been read-only, sufficient to capture customer data on video without triggering immediate detection.

Percoco confirmed that Kraken received a tip about a video showcasing sensitive customer information from its internal crypto systems, the same mechanism used in the February 2025 case, when a similar video surfaced on a criminal forum.

In both instances, an internal actor was identified. The criminals are now threatening to distribute those videos and associated customer data to local media and across social networks unless Kraken complies with unspecified demands. The precise dollar figure of the extortion demand has not been publicly disclosed.

The pattern Percoco described is deliberate and scalable. “We have been collaborating with industry partners and law enforcement to investigate and disrupt insider recruitment efforts targeting not only crypto companies, but also gaming and telecommunications organizations,” he said.

That’s not opportunistic hacking. That’s a coordinated recruitment infrastructure operating across high-value data sectors, and Kraken is explicitly naming it as such, which matters for how the industry should respond.

Emerging crypto theft vectors increasingly target infrastructure access rather than on-chain exploits, and insider recruitment fits that same threat profile.


What User Data Was Actually Exposed – and What That Enables

Kraken has not publicly specified which data categories were captured in the videos, whether KYC documentation, wallet addresses, transaction history, or account metadata.

What is confirmed: approximately 2,000 individuals had their information viewed, and Kraken states it has already contacted everyone at risk. The access was read-only, and internal systems were not breached in the fuller sense of data being exfiltrated at scale.

The practical risk for affected users is not account takeover; no funds were accessed. The risk is targeted social engineering and physical exposure.


With names, addresses, and account-level data in criminal hands, affected users become targets for the same wrench attack vector that CertiK tracked, resulting in over $40 million in losses last year.

That figure is almost certainly undercounted, given how often such attacks go unreported. Kraken’s outreach to affected users is the right procedural step; whether that outreach included specific security guidance, hardware key recommendations, address changes, or heightened vigilance is not confirmed.




https://cryptonews.com/news/kraken-extorted-stolen-user-data-refuses-pay/
