
Topic: Scammed By Kraken ? I am confused. (Read 529 times)

member
Activity: 79
Merit: 10
October 17, 2017, 11:08:25 AM
#8
The question that stumps most of us when trying to get an account re-enabled on Kraken is to tell them when you last successfully logged in. This is crazy as we were never told to keep a record of successful login attempts, why should we if it was successful? Since some of us only log in occasionally (I do about once a month), it's impossible to provide the correct date.

Unfortunately, a friend provided the wrong date (he did say it was a guess) which meant that his account was closed rather than enabled. He lost about 2 BTC and 25 ETH so he's more than a little pissed off. He even correctly mentioned what funds he had and they still closed his account.

Date of last successful login is the most important security question and you have to get the date correct! If you're a Kraken user, put a mark on your calendar EVERY time you log in successfully starting TODAY! I know, WTF! But it has to be done.

It seems like Kraken may be going the same way as Bittrex who are closing a lot of accounts for no real reason at all.

I'm currently moving ALL funds (even small amounts) from my exchanges now and keeping them on my hardware wallet until we get some sort of regulation in place. Problems like this will really start to drive down crypto prices soon.

Before you ask... yes, he did have 2FA enabled. He thinks that he made a simple error rather than his account being compromised.

Why can't they just issue hardware tokens like banks do or is it too simple?
legendary
Activity: 2898
Merit: 1823
September 23, 2016, 10:56:01 PM
#7
This is the wrong section of the forum for this type of topic. The better place for this kind of thing is in the Service Discussion forum. There are people there who know and have tried Kraken before. If you are lucky a representative from Kraken could even post in the thread.

Maybe the screenshots of the emails with Kraken would come in handy here as proof. These are serious accusations and by making the situation public it is your responsibility to give proof that what you are saying actually happened.
legendary
Activity: 1582
Merit: 1006
beware of your keys.
September 23, 2016, 08:09:30 PM
#6
I would believe that this should be in the sort of service discussion session, as you are talking about matter of scamming. Huh

Yea, I did not know where to post that.

If a mod feels like it should be moved out, it will happen soon enough.
Move yourself, using the move topic feature, located around the bottom of the page, so moderators do not get annoyed too much.
sr. member
Activity: 364
Merit: 250
September 23, 2016, 09:29:34 AM
#5
I would believe that this should be in the sort of service discussion session, as you are talking about matter of scamming. Huh

Yea, I did not know where to post that.

If a mod feels like it should be moved out, it will happen soon enough.
legendary
Activity: 1582
Merit: 1006
beware of your keys.
September 23, 2016, 09:03:08 AM
#4
I would believe that this should be in the sort of service discussion session, as you are talking about matter of scamming. Huh
sr. member
Activity: 364
Merit: 250
September 23, 2016, 08:57:46 AM
#3
If your friend's master key is password-type then it's also possible that the hacker got it through keylogger or bruteforce. Though I'm not sure if there's any bruteforce prevention for master keys, and am not gonna try finding out.

But you can't brute force this, as you need to enter the right key, else your account gets stuck for hours.
Something that way.

And in order to brute force you would need massive attempt of recovery tries. Wouldn't you?

Also, the master key is in the Kraken format. A strong key as well, as he just set that up the Kraken way, and never used it, or even wrote it down.
hero member
Activity: 629
Merit: 501
Experientia docet
September 23, 2016, 07:58:16 AM
#2
If your friend's master key is password-type then it's also possible that the hacker got it through keylogger or bruteforce. Though I'm not sure if there's any bruteforce prevention for master keys, and am not gonna try finding out.
sr. member
Activity: 364
Merit: 250
September 23, 2016, 07:34:32 AM
#1
So, a friend of mine who got 2FA enabled on Kraken was not able to log in to Kraken in the last few days. He had not logged into Kraken for a few months.

To his surprise he was not able to log in.

So he sent a support case, and support told him that they don't have an account associated with his email.

After, he provided them with past mail conversations, which clearly show he has an account, they started to ask him 7 questions (the usual questions to help to prove ownership)

such as :

"1) Name, date of birth, and phone number on the account?

2) Address on the account? (only answer this question if you verified your account to tier 2 or higher)

3) Describe the government ID you used for tier 3 verification. Just state the country, type of ID, and expiration date - e.g. "German passport 23-08-2018." (only answer this question if you verified your account to tier 3 or higher)

4) The approximate date of your last successful login?

5) Your approximate account balances?

6) Describe the funding activity on the account - e.g. the last 3 deposits or withdrawals made, including dates, amounts and currencies. The more specific you can be, the better. Information about bank deposits or withdrawals is generally better than information about digital currency deposits or withdrawals. You can look up dates and amounts in your bank account or in your digital currency wallet.

7) Describe the trading activity on the account - e.g. the most recent trades you've made, the currencies you typically trade, currencies you don't trade, etc. The more specific you can be, the better.

We're sorry to ask for all this information, but it's a precaution to help protect against fraudulent access to your account. "

He then went on to share that, and about a day later he received this :

"I am sorry to inform you that an attacker managed to login to your account on 08-07-16 16:26, changed your email and executed a withdrawal of all your litecoins on 08-08-16 18:42. We are sorry for your loss.

Since he was able to change your email address, this means he also had access to the email address of your account. You should change your password immediately and also add Two-Factor Authentication, in example with Google Authenticator (if yahoo mail has this option).

Please get back to me after this is completed.

Best regards,"

And later Kraken said :

"He knew your master key and used it in order to bypass the 2FA for login."

Now, things do not add up right now.

My friend did not ever write down the master key as well, and as far as I know, in order to get the master key, you need to log on to the account, the very same account that is 2FA protected itself.

So this answer is not good already.

Right now it looks like Kraken made errors while answering, and even if the attacker managed to have access to the email of my friend, I have a hard time understanding how he got hold of the account.

Obviously the master key statement is even feeling like an insult unless I miss some elements, and this is why I am sharing that story right now.

On top of it, the person receives email notifications and is always checking his emails because of business, and guess what, he never noticed any mails from Kraken, or any communication that would not be his own.

So if the attacker was able to access his mail, he never changed the mail password, and there is no evidence of communication that happened.

It makes the whole thing fishy, if you get me, and I am trying to make sense out of it, before he unfortunately proceeds with a police complaint about Kraken.

(I hope it's not confusing).