Yesterday, Kraken confirmed what security researchers have been warning about for two years: a criminal group recruited exchange employees, had them photograph internal client systems, and is now extorting the company with the footage. 2,000 client accounts exposed. Names. Addresses. Account data. The April 13 insider incident is a data exposure event — no funds moved. No code exploited. No zero-day used. No sophisticated malware deployed.
Just a human with access and no one verifying they should have it.
This is the same attack that hit Coinbase in 2025, where insiders were bribed and attackers demanded $20 million. A dark web listing earlier this year was already offering $1 access to Kraken’s internal support panel. And in March, a single Kraken user lost $18 million through social engineering — 7,784 ETH and 26.5 BTC — with no protocol breach whatsoever.
The playbook is now public. Let me walk you through it.
Three steps to $18 million
Every major exchange insider attack this year followed the same three-step structure. Here’s the exact sequence, reconstructed from the Kraken and Coinbase disclosures:
01 · Recruit the insider (Weeks 1–4)
The attacker identifies customer support staff at the target exchange. Not engineers. Not security. Support agents — the people with the broadest access to client data and the lowest compensation. The approach is direct: a message on Telegram, a LinkedIn DM, an introduction through a mutual contact. The offer is cash — anywhere from $5,000 to $50,000 — to photograph or screen-record internal admin panels.
The support agent logs into the same system they use every day. Same credentials. Same desk. Same VPN. Nothing triggers an alert because nothing technically changed. The authentication layer says this is an authorized user performing an authorized action.
Where step-up verification breaks this: biometric check on every client data access. The bribed agent’s face is now cryptographically tied to every record they viewed. The attack still happens — but the attacker is immediately identifiable, and the audit trail is immutable.
02 · Harvest the data (Weeks 4–8)
The compromised agent accesses client records — names, addresses, phone numbers, transaction histories — and records them externally. Phone cameras. Screenshots. Screen recordings. The data flows out through channels the exchange’s DLP tools can’t see because the agent is using their own phone in their own apartment.
At Kraken, this happened twice — once in February 2025 and again in early 2026. Same playbook. Same vector. A full year apart. The second time, the attacker already knew the pattern worked.
Where step-up verification breaks this: continuous biometric re-authentication during admin sessions. Session tokens expire. The agent must re-verify with a live face scan when accessing sensitive record types. An unauthorized person using the agent’s credentials gets locked out. A bribed agent creates an evidence trail they can’t deny.
03 · Monetize (Week 8+)
The attacker now has two options. Option A: demand a ransom from the exchange. Coinbase was asked for $20 million. Kraken is currently being extorted. Both refused to pay. Option B: use the harvested data to target individual high-value users with social engineering — impersonating exchange support, sending phishing emails with real account details, SIM-swapping phone numbers. This is how the Kraken user lost $18 million in March.
The stolen data is permanently compromised. You can’t un-leak a name and address. The exchange is now liable, the customers are exposed, and the attacker can sell the data set on dark web markets indefinitely.
Where step-up verification breaks this: biometric check before every high-value withdrawal. Even with stolen personal data, the attacker cannot impersonate the customer’s live face. The social engineering fails at the moment it matters — when money moves.
The attacker doesn’t need to break the cryptography. They only need to bribe one of the people the cryptography trusts.
This is not a Kraken problem. It’s an architecture problem.
Kraken handled the disclosure well — they refused to pay, referred the case to law enforcement, and notified affected users. But the attack worked because the architecture assumes that authenticated users are trustworthy users. Once you’re logged in, you’re in. Your session token says you belong. Nobody checks again.
This assumption was already broken at Coinbase. It was broken at Kraken. And right now, every exchange running the same architecture — single authentication event, no re-verification at the point of data access or transaction — is running the same playbook against itself.
- Coinbase · 2025 — 70,000 users exposed via insider bribe. Support staff bribed. KYC data stolen. $20M ransom demanded. Exchange refused.
- Kraken · April 2026 — 2,000 accounts photographed by insider. Support staff recruited. Client data recorded via phone. Data exposure, no funds moved. Extortion in progress.
- Kraken user · March 2026 — $18M stolen via social engineering. 7,784 ETH + 26.5 BTC drained. No protocol breach. Human targeted directly.
- Drift Protocol · April 2026 — $285M drained via pre-signed transactions. North Korean hackers socially engineered multisig signers over six months. Zero code exploited.
Four attacks. Combined losses exceeding $300 million. Zero lines of code exploited.
Every single one targeted the same gap: a human performing a critical action without anyone verifying, at that exact moment, that the right human was doing it.
The deepfakes are catching up
While exchanges are getting attacked from the inside, a darknet tool called JINKUSU CAM is attacking them from the outside. Reported this month and classified as an official AI Incident by the OECD, it’s a purpose-built kit for defeating exchange KYC: real-time face swapping with 478-point facial mesh tracking, voice modulation, virtual camera injection, and Android emulator support. It explicitly targets Binance, Coinbase, Kraken, and OKX.
It defeats standard liveness detection during live video verification.
A report released today by Aware Inc. found that 98% of organizations now signal an urgent need for biometric orchestration as AI-driven fraud surges. iProov’s 2026 threat report documented an 1,151% spike in injection attacks targeting iOS verification flows. The static, one-time KYC check at signup is being systematically dismantled from both sides — insiders and deepfakes.
KYC verifies identity once, at signup. 2FA verifies a device at login. But at the moment a support agent accesses 2,000 client records — or a user initiates an $18 million withdrawal — nothing re-verifies the human. That’s where the money disappears.
What the playbook can’t survive
A bribed insider can hand over their password. They can share their 2FA device. They can let someone use their VPN. But they cannot hand over their face.
If every access to client data required a live biometric check — not a password, not a token, but a real-time face scan with liveness detection and anti-deepfake analysis — the Kraken insider attack produces an immutable evidence trail instead of an anonymous data leak. The Coinbase insider attack becomes a criminal case with biometric proof. The $18 million social engineering attack fails at the withdrawal step because the attacker can’t reproduce the customer’s live face.
// Step 1: Insider accesses client panel
BLOCKED → biometric re-auth required
face scan links access to biological identity
every record viewed = auditable, undeniable
// Step 2: Attacker uses stolen data for social engineering
BLOCKED → withdrawal requires live face verification
stolen names, addresses, phone numbers ≠ enough
attacker cannot reproduce the customer's biometric
// Step 3: Pre-signed transaction (Drift-style)
BLOCKED → you can't pre-sign a biometric
live verification at execution time
durable nonce attack fails entirely
The playbook has three steps. Biometric step-up verification breaks all three.
Not because the cryptography is better. Not because the code is smarter. But because the one thing an attacker can’t steal, pre-sign, replay, or deepfake at scale is a live human face verified in real-time with injection detection.
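To make the gate described in the three steps above and in this section concrete, here is an added example of the decision logic (my own illustration, not Kraken's, Coinbase's or any vendor's code): a valid session token alone never unlocks a client record or a high-value withdrawal; the action needs a liveness-checked, injection-free step-up for the same subject, performed within a short window of the action itself, and every allowed access is logged against the verification id. The policy values STEP_UP_TTL and WITHDRAW_STEP_UP_USD, the field names and the sample subjects are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

STEP_UP_TTL = 300              # seconds a live face check stays valid (assumed policy value)
WITHDRAW_STEP_UP_USD = 10_000  # withdrawals at or above this need a fresh check (assumed)


@dataclass
class StepUp:
    """Result of one live biometric check, as a verification provider would report it."""
    subject: str              # account the face was matched against
    at: float                 # unix time the check was performed
    liveness_passed: bool
    injection_detected: bool  # virtual-camera / deepfake injection flagged by the provider
    verification_id: str


@dataclass
class Session:
    subject: str
    token_valid: bool         # the one-time login check every exchange already does
    step_up: Optional[StepUp] = None


audit_log: list = []          # every allowed sensitive action, bound to a verification id


def step_up_is_fresh(session: Session, now: float) -> bool:
    """A step-up only counts if it is the session owner's own face, passed liveness,
    showed no injection, and happened within STEP_UP_TTL of the action being taken.
    An old check cannot be 'pre-signed' and spent later."""
    s = session.step_up
    return (s is not None and s.subject == session.subject and s.liveness_passed
            and not s.injection_detected and 0 <= now - s.at <= STEP_UP_TTL)


def authorize(session: Session, action: str, now: float,
              amount_usd: float = 0, target: str = "") -> str:
    """Decide one action. Returns ALLOW, STEP_UP_REQUIRED or DENY."""
    if not session.token_valid:
        return "DENY"
    sensitive = (action == "read_client_record"
                 or (action == "withdraw" and amount_usd >= WITHDRAW_STEP_UP_USD))
    if not sensitive:
        return "ALLOW"                 # login-time auth is enough for low-risk actions
    if not step_up_is_fresh(session, now):
        return "STEP_UP_REQUIRED"      # the session token alone never unlocks sensitive data
    audit_log.append({"subject": session.subject, "action": action, "target": target,
                      "amount_usd": amount_usd, "at": now,
                      "verification_id": session.step_up.verification_id})
    return "ALLOW"
```

Expired or borrowed step-ups (another person's face on the agent's session, or a check flagged for injection) fall back to STEP_UP_REQUIRED rather than silently passing, so the record access or withdrawal never proceeds on login-time trust alone.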
Kraken will fix their insider problem. Coinbase fixed theirs. But the architecture that allowed both attacks is running at every exchange that verifies once and trusts forever.
The question isn’t whether the playbook will be used again. It’s whether the next exchange on the list will have a verification layer at the moment it matters.