Kraken announced that it is being targeted by an extortion attempt in which a group of cybercriminals threatens to post videos showing access to internal systems containing customer information. According to the public message from the platform's head of security, Nick Percoco, there was no massive access to the infrastructure and no risk to users' funds; instead, the internal investigation detected episodes of improper access by support employees recruited by the criminal organization.
The company stressed that it will not negotiate with or pay the extortionists and that it has acted by revoking the privileges of the accounts of the employees involved, directly notifying the users concerned and strengthening internal controls. Percoco shared the information on his X (Twitter) account, where he explained the nature of the incident and the measures taken (public statement on X). A technical report with more details on the case was published by specialized media, which collect the official version and the chronology of the investigation (BleepingComputer).

Kraken estimates that the scope of the incident is limited: it affects about 2,000 accounts, which is about 0.02% of its client base, and the information involved is restricted to data handled by customer support, not access keys or financial assets. The company further states that it has sufficient evidence to legally prosecute the persons involved and that it is cooperating with federal law enforcement in several jurisdictions to bring the case to justice.
This episode puts the focus back on a risk that is often downplayed: the insider threat. It is not just remote attacks or technical vulnerabilities; the manipulation, bribery or coercion of personnel with privileges over critical systems can give access to sensitive data without the need to "break" security perimeters. Agencies like the FBI have been warning for years about the impact that malicious or negligent employees can have on organizations that handle valuable information, and offer guides to identify and mitigate that type of risk (FBI resources).
In the cryptocurrency ecosystem, this problem has recent and costly precedents. In mid-2025, it became public that another major platform suffered a breach linked to workers at an external customer service provider who were bribed to reveal user information; this incident had a much greater impact in the number of people affected and in economic terms, which shows that the scale of the damage can vary greatly depending on the circumstances and the type of data compromised. The specialized press covered this investigation and its implications for confidence in outsourced support processes (Cointelegraph coverage of the case).
Why do they use videos and "screen" material as an extortion tool? Because they serve as visual evidence of access and are easy to spread. For attackers, visual evidence has a double effect: it increases the pressure on the victim to give in and at the same time allows them to demonstrate to potential buyers or criminal networks that the information exists. In the face of this, many companies choose a controlled public response and refuse to give in to extortion, as paying often makes the victim a recurring target.
For users, the practical recommendation is to strengthen personal barriers: enable two-factor authentication with apps or physical keys, review notifications and access from unknown devices, and keep in cold wallets (hardware wallets) any amounts that are not used in daily operations. It is also advisable to pay attention to official communications from the platform and to any requests for information from external channels.

For companies operating in the crypto sector, the lesson is clear: technical controls are not sufficient if they are not accompanied by least-privilege access policies, continuous monitoring, separation of duties and regular audits of third parties. Implementing "zero trust" principles, limiting role privileges, rotating credentials and improving the detection of abnormal behavior are essential steps. In addition, the management of external suppliers and agencies requires scrutiny: a failure at a contractor can spread like wildfire.
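As an added illustration of the least-privilege and abnormal-behavior detection points above (not code from Kraken or from any source cited here), this Python example checks a support-tool audit log for two signals: record views that no assigned ticket justifies, and agents who open many distinct customer records in a short window. The log format, ticket table, agent names and thresholds are all assumptions, and the data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed data: ticket id -> (assigned agent, customer the ticket is about).
TICKETS = {"T1": ("alice", "c100"), "T2": ("bob", "c200"), "T3": ("bob", "c201")}

# Constructed audit log of customer-record views: (time, agent, customer, ticket).
LOG = [
    ("2025-01-10T09:00:00", "alice", "c100", "T1"),
    ("2025-01-10T09:05:00", "bob", "c200", "T2"),
    ("2025-01-10T09:06:00", "bob", "c201", "T3"),
    ("2025-01-10T22:00:00", "carol", "c300", None),
    ("2025-01-10T22:01:00", "carol", "c301", None),
    ("2025-01-10T22:02:00", "carol", "c302", "T1"),  # ticket belongs to alice/c100
    ("2025-01-10T22:03:00", "carol", "c303", None),
]

def unjustified_views(log, tickets):
    """Return views where no ticket ties this agent to this customer."""
    return [(ts, agent, cust) for ts, agent, cust, tid in log
            if tickets.get(tid) != (agent, cust)]

def burst_agents(log, window=timedelta(minutes=10), max_customers=3):
    """Return agents who viewed more than max_customers distinct
    customer records within any single time window."""
    per_agent = defaultdict(list)
    for ts, agent, cust, _ in log:
        per_agent[agent].append((datetime.fromisoformat(ts), cust))
    flagged = set()
    for agent, events in per_agent.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {c for t, c in events[i:] if t - start <= window}
            if len(seen) > max_customers:
                flagged.add(agent)
                break
    return flagged

if __name__ == "__main__":
    for ts, agent, cust in unjustified_views(LOG, TICKETS):
        print(f"no matching ticket: {agent} viewed {cust} at {ts}")
    print("burst access:", sorted(burst_agents(LOG)))
```
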
Kraken's response - public transparency, immediate measures against the personnel involved and cooperation with the justice system - is the road map that many companies recommend following in the face of an extortion attempt. Protecting the integrity of systems, quickly informing potentially exposed users and working with authorities to pursue those responsible help to minimize damage and preserve confidence, although the process does not completely eliminate the reputational risk.
In a sector where assets are digital and legal borders are often blurred, incidents linked to insider threats are a reminder that resilience depends not only on firewalls and encryption, but also on a corporate culture that combines technical controls with robust human processes. The challenge is twofold: anticipate and prevent the recruitment of employees, and be prepared to respond quickly and proportionately when something unexpected happens.