Cryptocurrency exchange Kraken is facing an extortion attempt by a criminal group that is threatening to release videos that allegedly show access to internal systems containing customer data, the company said on Monday.
The Wyoming-based firm said it identified and closed two cases of inappropriate access linked to people within its support team, each involving limited customer data.
“Our systems were never breached; funds were never at risk; we will not pay these criminals; we will never deal with bad actors,” said Nick Percoco, chief information and security officer at Payward and Kraken, in a post on X.
The first incident occurred in February 2025, when Kraken received a tip about a video circulating on a criminal forum. An internal investigation identified the individual involved, revoked their access and led to additional security checks. A limited number of affected customers have been notified.
More recently, Kraken received another notice and a similar video. The company said it re-identified the person responsible, terminated their access and notified affected users.
Security incidents remain a persistent problem in the cryptocurrency sector because the industry combines high-value, easily transferable assets with technical and human vulnerabilities. Digital assets can move instantly across borders and are often irreversible once lost, making them attractive targets for malicious actors. At the same time, weaknesses in smart contracts, private key management, and sharing infrastructure can create exploitable entry points, while phishing and social engineering schemes continue to target users directly.
Recent crypto attacks have shown increasing sophistication, with attackers combining smart contract vulnerabilities, social engineering, and rapid movement of funds to maximize impact.
In cases like the Drift exploit, adversaries appear to have used deep knowledge of protocol mechanics and liquidity conditions to manipulate systems in ways that are difficult to detect in real time, underscoring how complex and fast-moving decentralized finance (DeFi) environments can create opportunities for advanced attacks.
Kraken is a US-based cryptocurrency exchange operated by Payward Inc., offering spot and derivatives trading, as well as custody and staking services for digital assets. Founded in 2011, the platform serves retail and institutional clients around the world, providing access to cryptocurrencies such as bitcoin. and ether (ETH), as well as fiat on- and off-ramps. The company is also known for its focus on security and regulatory compliance in multiple jurisdictions.
In both incidents, approximately 2,000 customer accounts were potentially viewed, according to the company. Kraken has millions of customers and the security events affected only 0.02% of its customer base, a person with knowledge of the matter told CoinDesk.
Kraken said it began receiving extortion demands shortly after the last access was cut, and the group threatened to distribute materials from both incidents to the media and on social media. The company said it will not comply.
The exchange added that it has been working with industry partners and law enforcement authorities to investigate what it describes as broader insider recruiting efforts targeting cryptocurrency, gaming and telecommunications companies. He said he believes there is enough evidence to identify and arrest those responsible.
“The security of our clients is our top priority and we remain fully committed to combating the growing global threat of insider trading and constantly improving our security practices to combat new threats,” Percoco added.
Galaxy Digital (GLXY), the digital asset financial services company founded by Mike Novogratz, said it also recently contained a cybersecurity incident involving unauthorized access to an isolated development workspace. No customer funds or account data were accessed or compromised.
Read more: Galaxy Digital testnet comes under attack, but no customer funds or information was compromised
