Kraken’s Chief Security Officer said fifteen words this week that should reframe every exchange’s security roadmap.

“I consider this priority 1 for any security team until solved.” — Nick Percoco, CSO at Kraken · April 13, 2026

He was not talking about zero-days. Not smart-contract exploits. Not North Korean wallet drainers. The single highest-priority attack vector, according to the CSO of a top-five crypto exchange, is the people already inside the building.

The context: Kraken disclosed this week that a criminal organization is attempting to extort the company with videos purporting to show access to its internal systems. No wallets compromised. No trading infrastructure exploited. Client funds are safe. Two separate insider incidents in Kraken’s customer support operation granted unauthorized access to roughly 2,000 accounts — about 0.02% of its client base. The access wasn’t earned. It was already there. The April 13 disclosure is a data exposure event; no funds moved.

Kraken refused to pay. In an official statement: “Our systems were never breached; funds were never at risk; we will not pay these criminals.” The company is working with law enforcement.

None of that changes what Percoco actually said.

The attack surface moved inside the building — and he said it the same week Kraken filed confidentially for IPO at a $13.3 billion valuation. There is no worse news cycle for an exchange about to meet institutional investors than “our support team has been infiltrated.”

The single highest-priority attack vector, according to the CSO of a top-five exchange, is the people already inside the building.

It’s not isolated. It’s the playbook.

Kraken’s disclosure points to “broader insider recruitment efforts targeting crypto, gaming, and telecommunications firms.” That’s not corporate cover. That’s the actual 2025–2026 attack pattern, and it’s already been measured.

Chainalysis’s 2026 Crypto Crime Report confirmed that North Korean threat actors stole $2.02 billion in cryptocurrency in 2025 — a 51% year-over-year increase. More importantly: DPRK attacks accounted for 76% of all service compromises, and Chainalysis attributes much of that to “embedding IT workers inside crypto services to gain privileged access and enable high-impact compromises.”

Three out of every four exchange compromises in 2025 weren’t hacks in the traditional sense. They were insiders: recruited, planted, or socially engineered into granting access to systems that were never “hacked” at all.

The pattern extends beyond crypto. In March 2025, T-Mobile was ordered to pay $33 million in arbitration after an insider-facilitated SIM swap enabled the theft of a customer’s cryptocurrency holdings. Carrier employees have been offered flat payments — documented cases range from $300 to $10,000 per SIM swap — to hand attackers control of a target’s phone number. The insiders aren’t the exception. They’re the market.

The timeline of the past year:

  • Mar 2025 — T-Mobile $33M arbitration. Insider-facilitated SIM swap enabled theft of a customer’s crypto holdings. Carrier employees receive $300–$10,000 per swap.
  • 2025 total — DPRK $2.02 billion stolen, 76% of all service compromises. North Korean operators embedded as IT workers inside exchanges, custodians, and Web3 firms.
  • Mar 31, 2026 — Kraken user $18.2M lost to social engineering. Not an exchange breach. The attacker talked the user into authorizing the withdrawal.
  • Apr 13, 2026 — Kraken 2,000 accounts exposed, extortion refused. Two separate insider incidents in customer support. Data exposure, no funds moved. Kraken’s CSO publicly names insider recruitment “priority one.”

Four incidents. Four different mechanisms. One common thread: the access was already inside. No zero-days. No network intrusions. No novel exploits.

Read-only insider access is not a small problem.

Kraken was careful to note that the 2,000 accounts involved “limited client data” and that no funds were at risk. That’s accurate. It’s also incomplete. Read-only access to a support tool enables:

  • Viewing full KYC documentation.
  • Reading transaction history.
  • Seeing balances and holdings.
  • Reviewing security settings and device fingerprints.
  • In many support stacks, helping a “confused customer” reset MFA or approve a disputed transaction.

Even without direct fund access, this is everything an attacker needs to craft a perfect targeted attack on the account holder — the one the $18 million Kraken user fell for two weeks earlier.

And that’s the point. Two separate events, two separate root causes. On April 13, Kraken disclosed insider read-only access to 2,000 accounts — data exposure, with no funds moved per Percoco. Two weeks earlier, on March 31, a different Kraken user was socially engineered out of $18.2 million in a single attack chain that never touched Kraken’s infrastructure. The connection is not a shared incident. The connection is the gap: the exchange did not need to be breached. KYC data only needs to be good enough to make a phone call credible.

Every exchange running the same security model — KYC at signup, 2FA at login, callback verification for large withdrawals — is defenseless against this chain. SMS MFA is deepfake-vulnerable. Voice callbacks are AI-clonable. Email confirmations are phishable. The only layer an insider cannot replicate is the live face of the actual account holder at the moment the money moves.

2,000 accounts exposed vs. what transaction-layer verification costs.

If Kraken — or any exchange exposed to the same insider pattern — had placed a single biometric verification call between “initiate withdrawal” and “funds sent,” read-only insider access would not translate into transaction fraud. The insider could see the account. They could not produce the face.

One API call. Camera opens, face matches enrolled biometric, signed JWT returned in under 300 milliseconds confirming that a specific human — not a social-engineered account holder, not a compromised support rep — authorized the specific action. Three endpoints: /enroll at onboarding, /verify before any high-risk action, /delete when the user leaves. A competent engineer ships the integration in a single sitting.
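What the exchange side of that gate has to check is worth spelling out, because a proof that is merely signed is not enough: it must be bound to the exact withdrawal being released, be short-lived, and be usable once. The block below is an added illustration, not code from Kraken or from any vendor; the claim names (`sub`, `act`, `jti`), the HS256 shared secret standing in for a vendor’s public-key signature, and the function names are all assumptions.

```python
import base64, hashlib, hmac, json, secrets

# Constructed demo secret. A real deployment verifies the vendor's signature
# with the vendor's public key; HS256 with a shared secret stands in here.
PROOF_SECRET = b"constructed-demo-secret"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(txt: str) -> bytes:
    return base64.urlsafe_b64decode(txt + "=" * (-len(txt) % 4))

def action_digest(user_id: str, action: str, amount: int, dest: str) -> str:
    # Canonical hash of exactly what the user approved on camera.
    raw = json.dumps([user_id, action, amount, dest], separators=(",", ":"))
    return hashlib.sha256(raw.encode()).hexdigest()

def issue_proof(user_id, action, amount, dest, now, ttl=120) -> str:
    # Stand-in for the signed JWT a /verify call would return after a face match.
    parts = [_b64url(json.dumps(x, separators=(",", ":")).encode()) for x in (
        {"alg": "HS256", "typ": "JWT"},
        {"sub": user_id, "act": action_digest(user_id, action, amount, dest),
         "iat": now, "exp": now + ttl, "jti": secrets.token_hex(8)})]
    sig = hmac.new(PROOF_SECRET, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [_b64url(sig)])

def release_withdrawal(token, user_id, amount, dest, now, seen_jti: set) -> str:
    # The gate between "initiate withdrawal" and "funds sent": "ok" or a reason.
    try:
        h, c, s = token.split(".")
        expected = hmac.new(PROOF_SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(s)):
            return "bad-signature"
        if json.loads(_unb64url(h)).get("alg") != "HS256":
            return "bad-alg"
        claims = json.loads(_unb64url(c))
    except (ValueError, json.JSONDecodeError):
        return "malformed"
    if now >= claims.get("exp", 0):
        return "expired"
    if claims.get("sub") != user_id:
        return "wrong-user"
    if claims.get("act") != action_digest(user_id, "withdraw", amount, dest):
        return "action-mismatch"   # proof was for a different amount or destination
    if claims.get("jti") in seen_jti:
        return "replayed"          # a proof authorizes one release, not a session
    seen_jti.add(claims["jti"])
    return "ok"
```

The action digest is what turns a "this person is who they claim" signal into "this person approved this transfer": a proof captured for a small withdrawal cannot be replayed against a larger one or a different destination.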

Kraken’s CSO is right. Insider recruitment is priority one. The question every exchange board is about to be asked — by regulators, insurers, and their own audit committees — is what transaction-layer control they have that doesn’t depend on internal access being clean.

The audit questions are about to change.

MiCA enforcement hits July 1. Every CASP operating in the EU needs enhanced verification that extends beyond onboarding. NYDFS 23 NYCRR Part 500 already treats insider threat as a named risk category, and its October 2024 AI guidance explicitly flagged SMS, voice, and video MFA as deepfake-vulnerable. FATF’s 2025 update to Recommendation 16 puts further pressure on VASPs to demonstrate traceability and control at the transfer layer, not just onboarding.

Insurance carriers are repricing around this. Chainalysis has already framed 2026 as the year insider-led service compromise becomes the dominant loss category. And Kraken’s CSO just said the quiet part out loud: the attack surface is inside the building, and nothing in the standard stack defends against it.

Kraken didn’t get breached. They got extorted. Two thousand customer accounts were already seen by people who shouldn’t have seen them. Somewhere on a different day, a different account holder on the same platform lost $18 million to someone who probably already knew exactly who they were.

Every exchange running the same model is one recruited support rep away from the same story. The only layer that still works when everything inside has been compromised is the one that lives at the transaction moment.

A live human face. A signed proof. The one layer nobody inside the building can replicate.
