Topic: KRAKEN HACKED (2 FA & good password), 20k euros lost (Read 452 times)

Hello DavideBaldini,

I'm very surprised that big exchanges still allow this kind of techniques. ( Kraken is operating for years now ... )

Kraken is :
- Still providing the possibility to put any sell / buy order at any price. Seriously, is it a normal situation to sell an asset at 0.01% value of the current market value ?
Some other exchanges (newers) have put limit depending of the order book volume and depth.
- Still providing to hackers a easy way to withdraw money with some illiquid market (no volume and thin order book)
So it become easy to wipe the order book and simulate a withdrawal from 1 to 1.
Is kraken not supposed to protects users by providing markets with high liquidity ?
- No putting circuit breaker ( or at least throwing alert to their system to freeze fund waiting for more investigation ).
- Moreover, i'm curious about KYC / AML. As it's not a withdrawal to an external wallet, we can suppose that Kraken knows the (good or bad) identity of the hacker.

In case of bad identity, Kraken is not supposed to make some lawsuits ?
If not, so what's the purpose of KYC if anyone with a leaked api key ( with trades only ) can withdraw $$$ without any restriction to external wallet.

From victim pov, i really wonder what are the legal recourses to this kind of situation as the exchange (Kraken here) has a part of responsibility :
- Illiquid market ( open door to bypass all withdrawal restriction )
- Market / Sell order with abnormal price ( 0.01 % ). We are in free market ok but it's not derivates ( so no squeeze here ) but we can easily detect a fast transfer of wealth.
- Accepting traders with false KYC ( i guess ) with all possibilities to withdraw fund to terrorist entities / cybercrimes responsible / etc.

- In that case Kraken is not supposed to accept a part a responsibility and reimburse some stolen fund to the user ?

It's like to easy to say "Okay victim, someone with just "trades rights" has stolen billion of dollars, we don't know where it's going and it's not our affairs".

Trading bots commonly found online are pure incompetence. This stuff is designed by script kiddies with no experience and no competitive edge on the market, who run their scripts from cheap unprotected VPSs.

You haven't confirmed whether the theft occurred via API, but as a general advice sharing your API secret keys with these guys is naive. It's akin to giving a perfect stranger your account password and 2fa token.

The bulk of anomalous trades you saw are a known technique to steal funds without having to authorize a withdrawal: the trades are paired against low capitalization coins on which your counterpart places trades against you.

Hello !

I tried to send you a DM but your settings won’t allow that. We are 3 people who have lost their funds in Kraken with a similar case. I would like to talk with you - and any other Person who has lost their funds in Kraken.

We have a good attorney helping us forward.

Kraken was not hacked. I was lead here because of the thread subject.

Your individual Kraken account was hacked. In which case, I'm afraid the exchange does not have the responsibility over your lost funds. But a cooperation from them is much appreciated. However, the process requires you to file a police complaint, divulge some personal info, undergo investigation, among others. That sounds stressful but necessary if you want to give a shot at the possibility, however remote, of getting back your funds.

On another note, this case reminds us that a combination of 2FA and a strong password does not guarantee that everything's safe.

the case was already solved, just read my comment above.
The hakcers used your API key.  Ask kraken suport for every logs they have about those api keys and they will proof that these were used to steal your funds.
And no, you cant get back your funds.

Well from the looks of it, somehow someone got access to your account, stole your funds and vanished.

And kraken can't do anything about it, its crypto, its irreversible like they said. The best possible way to get your money back is to contact cyber crime and give your details that's your best shot. Ask kraken to provide the IP logs, check if your computer is compromised, take all necessary actions, change your email, password everything for all your accounts and use a totally different device if you can.

Help me please, what can I do now ?

I don't know if my computer was hacked. But at least Kraken should help me to understand what has happened.
Another email from them:

As per our previous reply, unfortunately we will not be able to provide any further information about this case until we are contacted by a verified law enforcement official.

We would advise you to file a police report and ask the law enforcement official responsible for this investigation to contact us by submitting a Compliance and Legal web form - https://support.kraken.com/hc/en-us/requests/new?ticket_form_id=648008

I'm very surprised with this answer.
First, I think your title is a bit misleading. From what I understand, it is your computer who has been hacked, but I can't understand Kraken's answer. They should be able to give your complete logins and transactions history. No need to be an official. There's something really wrong here.

I am surprised to see that an individual account is hacked even with 2 FA enabled and what is intriguing here in your case is that there is no other complaint about any other hacks, it is a really unfortunate situation and it looks like a targeted attack by someone you know, phishing and stealing your session cookie is the only way anyone could bypass the 2 FA restriction.

So this is what I receive from Kraken,

I am an user to them, yet when I am hacked they don't help me to know how the hack was done. Terrible

"We have conducted an internal investigation and unfortunately we cannot assist you in recovering these funds as cryptocurrency transactions are designed to be irreversible. For Compliance reasons, any details related to our investigation can only be provided to verified law enforcement. This also includes the release of other sensitive information, such as IP addresses or cryptocurrency addresses.

We would advise you to file a police report and ask the law enforcement official responsible for this investigation to contact us by submitting our Compliance and Legal web form.

Unfortunately we will not be able to provide any further information about this case until we are contacted by a verified law enforcement official."

cryptochat2017,

Once you provide us your ticket number, we can help escalate your ticket if your case is still outstanding. Unfortunately it's difficult to predict what could have happened specifically to your account without any details of your account and/or activity - however the support team is here to help its users, and to ensure the correct security measures are in place ASAP to prevent any further damage and unfortunate situations like this from happening again. Once you're available, please provide us with your ticket number and we can further help and work with you in regards to your case.

Hi,
Would you help me differently from the bad service emails I have from Kraken ?

cryptochat2017,

Please feel free to PM me your ticket number.

Hi Kraken Chase, shall I post ticket number here ? Or private message ?

I suspected the API too but he mentioned not using it for a while, so. (unless the keys were altered long ago and used only now? anyway, the person couldn't transfer out anything since you need email verification for any address you add)


Kraken support is handled by real people. In every communication, I've got a developed discussion and not a canned speech copy-pasted.
Most support tickets can be resolved the same day, but when it's about IT security it takes time to do a proper investigation to check if even it's an IT issue...


Users are automatically logged out after X minutes inactive.

I still don't get why you can't access your Kraken account now. From my understanding, you changed the password, deleted all API keys, and so on. Did you forgot the password somehow or did your account suddenly got locked?

There is a high chance you were 'robbed' by using your API key, which could happen to any exchanges that support API if the user is not careful enough.

there you have it. Not the account was hacked (otherwise they would just withdraw everything), but they got your API Key.
So ask yourself who had access to those API Keys.

cryptochat2017,

Chase from Kraken support here. I'm very sorry to hear that your account was compromised. Security is our top priority and this is the last thing we'd ever want to hear from any of our clients. When or if an account is compromised, a number of security measures are immediately asked - as it’s essential to ensure any potentially affected e-mail accounts and/or devices are safe and secure.

When available, could you please provide us with your ticket number? You currently aren't and haven't been speaking with a bot, as an account security specialist would have responded and assisted you with your individual case.

If you didn't use the API to any 3rd party software it's impossible that someone can access your Kraken with 2fa and a good password. Unless if someone use your laptop where your 2fa software installed.

Did you login your Kraken account to other devices? Maybe you forgot to logout your Kraken account there and someone use the device and trades your balance accidentally?

Do some check first and maybe someone used your Kraken account maybe your child or your wife or a friend.