Kraken Refuses to Negotiate Amid Extortion Threat
By Neil Mathew
Edited by felixakiyama
Updated
4 mins read
Kraken’s Chief Security and Information Officer Nick Percoco disclosed on April 13, 2026, via a post on X, that the exchange is facing an active extortion threat from attackers who obtained videos showing support staff accessing internal client support systems, along with limited client data affecting approximately 2,000 accounts, roughly 0.02% of Kraken’s total user base.
Percoco stated that core systems were never breached, that customer funds remain safe, and that Kraken will not negotiate with the attackers under any circumstances. The exchange has notified all potentially affected clients directly and confirmed it is cooperating with federal law enforcement across multiple jurisdictions, with Percoco characterizing the available evidence as sufficient to support arrests.
We suspect this is less a story about a single extortion attempt and more a structural signal about the maturation of insider-threat operations targeting crypto exchanges – a threat category that combines social engineering, criminal recruitment networks, and leveraged data as a monetization mechanism, and one that exchange security architectures were not historically designed to defeat at the access-control layer.
DISCOVER: Best crypto to buy right now – CoinSpeaker’s updated guide
The mechanism behind the extortion threat functions as follows: in February 2025, Kraken received a tip that a video documenting unauthorized access by a support team member was circulating on a criminal forum; the exchange launched an internal investigation, revoked the relevant access, and implemented enhanced security controls.
A second, structurally identical incident occurred in early 2026, in which another support team member was identified as having accessed internal client support systems without authorization; Kraken terminated that individual’s access and notified affected clients.
Extortion demands emerged immediately after access was cut in the second incident, with the attackers threatening to release the recorded material to media outlets and social platforms if their demands were not met.
Kraken Security Update
We are currently being extorted by a criminal group threatening to release videos of our internal systems with client data shown if we do not comply with their demands. It’s important to start with the most important points: our systems were never…
— Nick Percoco (@c7five) April 13, 2026
The data obtained by the attackers is confined, according to Kraken’s disclosure, to support-level information – client support system records for the approximately 2,000 affected accounts – with no private keys, trading infrastructure, or customer funds implicated. No video footage had been released publicly as of Percoco’s April 13 statement.
Percoco described the exchange’s posture directly: “The security of our clients is our highest priority, and we remain fully committed to combating the growing global threat of insider recruitment” – a characterization that frames the incident explicitly within the context of criminal networks systematically targeting high-value sectors rather than as an isolated operational failure.
It is necessary to flag the epistemic status of several details here: the specific identity of the attackers, the precise nature of their demands, and the full scope of the recorded material remain unconfirmed in Kraken’s public disclosures. What the exchange has confirmed is the timeline, the access scope, the notification posture, and the decision not to pay.
EXPLORE: Best meme coins to watch – CoinSpeaker’s updated rankings
The pattern documented across both Kraken incidents – an insider recruited or coerced into recording access sessions, followed by an extortion demand leveraging that footage – is consistent with what security analysts have characterized as Crime-as-a-Service infrastructure, in which criminal networks provide recruitment pipelines, technical guidance, and monetization channels to operatives embedded inside target organizations.
Crypto exchanges, gaming firms, and telecom providers have emerged as preferred targets given their combination of high-value data, outsourced or contract support roles, and reputational sensitivity to breach disclosure.
I imagine this breaks the record for fastest time between being granted a Fed Master Account and being hit with a massive hack https://t.co/kJGjlY7DQM
— Amanda Fischer (@amandalfischer) April 13, 2026
The $270 million Drift Protocol exploit attributed to North Korean state-linked actors demonstrated the upper bound of damage sophisticated threat actors can inflict on crypto infrastructure; the Kraken incidents illustrate that the lower end of the attack surface – support-tier access, not core systems – carries its own leverage.
We suspect Kraken’s decision to disclose both incidents, coordinate with law enforcement across multiple jurisdictions, and publicly refuse negotiation represents a deliberate signaling strategy as much as an operational response – an attempt to establish, on the record, that extortion against the exchange carries legal rather than financial consequences.
We anticipate further disclosures will follow once the active multi-jurisdictional investigation permits, potentially including details on arrest outcomes and the specific insider-threat controls Kraken implemented after each incident. Unaffected users require no action, according to the exchange’s guidance.
EXPLORE: Kraken Master Account: Inside the Congressional Inquiry From Rep. Maxine Waters
Disclaimer: Coinspeaker is committed to providing unbiased and transparent reporting. This article aims to deliver accurate and timely information but should not be taken as financial or investment advice. Since market conditions can change rapidly, we encourage you to verify information on your own and consult with a professional before making any decisions based on this content.
Neil is a professional cryptocurrency content writer with years of experience. He has written for various cryptocurrency websites to report on breaking news, and been hired by all sorts of cryptocurrency projects, to create content that would increase their exposure and attract more potential investors.
