Kraken, one of the biggest cryptocurrency exchanges, has publicly rejected an extortion demand after criminals gained access to limited internal user data. The company said two separate insider-related incidents exposed a small amount of information linked to around 2,000 client accounts.
Chief Security Officer Nick Percoco said Kraken will not negotiate with those behind the leak and added that law enforcement has already been brought into the case.
The back story
Kraken claimed that the initial case appeared last February, when it was informed about a video circulating in one of the criminal forums.
In the recording, the employee of the support team seemed to have been caught using internal client support tools illegally.
Kraken claimed that it promptly determined the staff member implicated, stripped that individual of access, conducted an internal probe, strengthened its policies and reached out to the impacted users.
The exchange said a second, similar case surfaced later after it received another tip and discovered another video. Kraken again said it identified the person involved and immediately cut off that individual’s access.
Across both incidents, Kraken said around 2,000 client accounts were potentially viewed. The exchange noted that this equals roughly 0.02 percent of its total user base. It also stressed that the exposure was confined to support system interfaces and did not reach its trading infrastructure or wallet systems.
Subsequently, it became an extortion attempt.
Percoco claimed that a group of criminals started threatening the company and demanded money as an exchange to not publish the content. He said the group warned that if Kraken refused, it would send the videos to media outlets and post them online.
Kraken’s message was firm and unambiguous. The exchange said it “will not ever negotiate with bad actors,” making clear that it has no intention of paying the group behind the threats or engaging with its demands.
Insider access, not an external hack
Meanwhile, Kraken reassured users regarding the extent of the incident. The firm added that it only impacted the support-level access and had no effect on the private keys, core trading systems, or client funds.
That distinction is important because it indicates the issue did not come from attackers breaching Kraken’s main infrastructure.
Percoco said, “The security of our clients is our highest priority, and we remain fully committed to combating the growing global threat of insider recruitment and constantly enhancing our security practices to combat new threats.”
Law enforcement is now involved
Kraken claimed that it is currently collaborating with federal law enforcement agencies in various jurisdictions and felt that what it had collected so far was sufficient to aid in tracking down those behind the extortion.
The exchange also said it is coordinating with industry partners as the investigation moves forward.
“Based on intelligence gathered across both incidents, along with extensive ongoing analysis, we believe there is sufficient evidence to support the identification and arrest of those responsible,” Percoco noted.
Kraken responded that they cannot provide additional information yet as the investigation continues. Nevertheless, the company requested that anyone who had any pertinent information communicate with the company directly.
The company said it already contacted the affected users. Reactions on X were mixed. Some users backed Kraken’s decision to refuse payment and stand firm against the threats.
Others also questioned the unnecessary risk that is created by outsourced or contract-based support roles particularly when such teams have access to customer-facing systems.
This case highlights a rising issue in the crypto industry. Insider threats connected to customer support teams are becoming more common. Criminal groups are more frequently targeting employees with access to user information, often using bribery or social engineering tactics.
The same problem was raised at Coinbase in 2025, when the firm announced that foreign customer support workers were bribed to disclose personal information of clients.
In the case of Kraken and that of Coinbase, the exchanges claimed that their systems had not been compromised and that client funds had not been at risk.
The trend of these incidents is also similar. The firms shifted towards terminating access, notifying impacted users, refusing extortion, and collaborating with law enforcers as the investigations persisted.
No exchange can promise complete safety, but Kraken’s response shows that a well-prepared security team can still contain the damage when insider threats emerge.
The company’s refusal to pay also sends a very strong message that extortion will be dealt with by the law and not be done in backdoor deals.