I've been Kraken'ed...Hacked. 1-27. with 2FA enabled!!.. Warning!

[PaulyC]

This is a stern warning.  if you are still using Kraken. Without a doubt add any security features ON TOP of 2FA, now....(or whatever layers of security they're now saying you should use to be able to "use" their site confidently..like stones built on sand)....

Over the last week I've been trying to gain access to my Kraken account again, hadn't used for a month or two, it's been a process to say the least, culminating in a video chat review of me and my documents. etc. (which is somewhat alarming since their own security guidelines say they will "never ask you to download software", three emails in with their techs.... they asked me to "please download Zoom". anyways I did let them know that doesn't seem to fall in line with their own guidelines. lol)  Finally I was allowed access again tonight.

I went through the whole process just to gain access again (which I appreciate being extra secure, it's only laughable when seeing what little the hackers had to do to infiltrate my account without having my 2FA).

How this started, I noticed they updated the "look" of their site, a few days ago, so I decided to sign in to see the UI, I don't keep much coin on there, 100-150$ worth max.

"Account locked" weird. I submit a ticket which involves me answering a bunch of security questions.

It's at this point I decide to filter my older emails I received from Kraken, support@kraken.com, these were not spoofs nor phishing attempts, I never click links etc.

It turns out I had about 7 emails in a row on 1-27 while my kraken account was seemingly being hacked, and WITHOUT my 2FA. My 2FA has been enabled with Kraken since 2015.  The email chain starts with the hackers requesting my username.!!  wth.. I'm assuming all the hackers had was my email address at this point.

I of course go full lockdown, business class anti-virus check, malware, all nothing (I don't surf and click stuff, use nothing but hefty 100bit+ PWs etc.)

I then tried to communicate with the techs (fearing there might be a bug and people need to know what's up) but of course since my account was locked they wouldn't discuss anything.

I thought could my email been hacked?

Even though this wouldn't answer for the 2FA being bypassed with Kraken.. I never have my 2FA out of my possession.

Well...... my email also has 2FA and has zero logs from any IP other than mine. I also double-checked with the email provider tech, zero bad actor logins, only my IP, the IP used for every attempt with Kraken was different than mine, but always the same.

I've had back and forth with their tech with zero answers as to how my 2FA could have been bypassed and my funds withdrawn (both have 2FA enabled) and now feel obligated to let everyone know. This happened on 1-27 , so sorry for the delay but wasn't sure I was actually hacked until tonight when they restored my account and I could login and see it actually had been.

From their website I can see my 2FA is still enabled, wow, the funding 2FA is disabled, which goes along with the 2nd to last email which said funding would be locked for now...(really, do you think I'd be adding funds after this..)

they announced their entire website update on 1-29? could there have been a bug, something overlooked while transferring over, something in API? I honestly don't know but I would say to all users,

Proceed with absolute caution.!!!

Update from Kraken as I write this!....... The only answers/recourse Kraken has given me.... "file a police report". lol.  wow..

(Sidenote: May be part of the bug? In 2018 after some back and forth with their tech dept. as to why I couldn't fund my account any longer, I surmised I needed to add their "funding" 2FA as well. This was a bit frustrating because no one in tech nor on their website would answer if adding the 2FA "funding" option would affect my original 2FA I've had since 2015 and had used for funding many times. But it turns out that's all I needed to do and I could then do funding and my original 2FA also worked as always to login.)

[Kraken-Septimus]

Hi PaulyC. I'm so sorry to hear that your account was compromised. Security is our top priority at Kraken and this is the last thing we'd ever want to hear from any of our clients. If you could please provide your ticket number I'll have a look further into this for you. You're welcome to post it here or send me a quick PM.

I've made a note of the fact that you're asked to download Zoom while we ask that you never download software. I can confirm that Zoom is used for these calls and is an independent end-to-end encrypted option for us to conduct video calls with clients that need their identity confirmed. Thanks for pointing that out.

I would also like to note that we have not seen any mass compromise of accounts since the new UI was released. It also sounds like the attack took place on January 27th and the website UI was updated on the 29th, meaning the attack took place before any changes to our website's UI.

As for the funding 2FA, this would be a completely different 2FA from login 2FA. Adding funding 2FA to your account has no affect on your login 2FA and you can use the same method or a different method. For example, if you have a static 2FA (password 2FA) for your login, you could use Google Authenticator for your funding 2FA. We also offer 2FA on trades, a Global Settings Lock so that your information cannot be changed for X days (including adding new withdrawal addresses) and a Masterkey to bypass your 2FA. You can read more about our security features at https://support.kraken.com/hc/en-us/articles/201396837-Securing-Your-Account.

Again, I'm so sorry to hear about your account being compromised. We'll look into what exactly happened in this case and work with you to ensure that this never happens again.

[PaulyC]

I do appreciate your response but the tone seems so much different then the last email reminding me of the obvious, "crypto transactions are designed to be irreversible", and a helpful, " file a police report" as if anyone should be concerned that their account was compromised/hacked with so much as a knowledge of an email? and 2FA enabled and bypassed?

Please understand, I didn't write 500+ words because I'm sore over $100. If someone was able to access my account on Kraken, which is 2FA enabled, and has been since 2015, (and still IS per my last login) without having access to my 2FA, there's much bigger issues here that would need to be discussed.

As far as providing you any more information about my ticket, I'd rather not, as I've now publicly outed this incident, if you'd like to provide ANY theories on how this could have happened with the security measures I've already discussed in place. I'd be more than willing to be helpful and converse with you about them privately.

As my original post was simply a warning to not use 2FA only with Kraken, I would like to thank you as you've seemed to solidify that by now recommending Master Key and GSL for use with Kraken, along with 2FA.

My recommendation is you make those mandatory. Soon.

[Kraken-Septimus]

Unfortunately, it's hard to go into details as to what could have happened without any details of your account or the compromise. Which type of 2FA do you have enabled for login and funding? Our 2FA options from least secure to most secure are static password, Google Authenticator and Yubikey.

I would tend to agree with you when you say that our clients should not solely rely on 2FA. While it can be a good security measure, we have other security measures in place to make your account security rock solid.

For example, if your password and 2FA are both stored on your phone and it was accessed by a bad actor, they could log into your Kraken account. However, if you have a Global Settings Lock set up that means they can't see any of your information (such as address, phone number etc.) and they can't change any details on your account (such as withdrawal address, email address etc.). Essentially they've just accessed an account that they can do absolutely nothing with. The one downside that we see come up with our clients is that if they've set a Global Settings Lock, they need to wait the 3-30 days in order to change details on their Kraken account. Kraken support also cannot remove it or change any details on the account.

This is where the Masterkey comes into play. If you have a Masterkey set up on your Kraken account (which again, can be a static password, Google Authenticator or Yubikey) you can bypass your 2FA as well as the Global Settings Lock. It's a very powerful tool, so it needs to be kept completely separate from where you store your password and 2FA. If a bad actor has your password, 2FA and Masterkey, they've got everything they need to remove funds from your account.

Thanks for your post. I hope this helps in understanding what security measures we offer and how to best protect your hard earned crypto. If you have any other details you'd like to share you can always send me a private message or reply to your ticket again.

[PaulyC]

I won't say too much about what security measures I take only because I don't want that out in the wild,
I will PM some of these details to you.

I will say, I use a 2FA with a separate device that is not connected in anyway to my PW, everything regarding computer or devices are locked or 2FA, there's no other humans that could have physically infiltrated. and nothing touches each other. really all of this wouldn't account for the email chain I received as the hacker's infiltrated my account from Kraken (not phishing/spoof and even if they were, a reminder I only saw these after the hack had happened and I had made a service request from
https://www.kraken.com)

From Kraken, In order. on 1-27. (not the exact language of the emails, I'm abbreviating)

1.Username requested.
2.Password reset requested.
3. Alert Your password has been reset.
4. 2FA bypass requested.
5. Withdrawal Address requested (this would have required a whole new 2FA entry from a device only I Possess)
6. 2FA updated (strange how this was updated but my original 2FA still works now that my account has been unlocked)
7. Withdrawal requested.

Those 7 things were all done within 9 minutes per the emails received. Because I rarely use Kraken those emails were not seen by me at the time, and hidden amongst spam, etc., but really this done in 9 minutes is striking and with me in possession of my 2FA at the time.

I also never received an email confirming the withdrawal was made, which I'm pretty sure I've received in the past, the next email in the chain from kraken is my receipt of service request made.

All of this print screen evidence was provided in the ticket that was concluded as "internal investigation is complete" and with me to "file a police report". I should mention.

FWIW. I haven't even mentioned my PW being bypassed. Simply because I have to concede a password put in the wild IS possible, but is very highly unlikely, and to link it to this account/email/ and first request was a username?...  um.
And again. you know. 2FA

[PaulyC]

No other theories as to how I could have been hacked? Based on my responses I still don't see anything you've provided as a viable answer or providing any clarity to the situation.  Also curious to my points, the official emails sent from support@kraken.com, while being hacked, about my 2FA being bypassed and changed, yet my original login 2FA is still fully functional after being allowed back into my account. Is that not an anomaly, can you please answer this?  

My original warning still stands.

just to reiterate. I received zero answers/responses to any questions from Kraken through email or video chat after the hack.

2FA login/withdrawal enabled with Kraken. since 2015 for login. 2018 for withdrawal.

Emails not hacked and also 2FA protected. No IP intrusions on a private network.

Authenticator not static nor SMS based. 2FA on all emails, 2FA email separate from Kraken PW email. the two PWs also never touch same devices.

2FA key for Kraken, used for Authenticator placed in encrypted file, stays offline, and has not been touched for years.

No virus/keyloggers/Malware found

It's either.

A. I'm a liar and/or an idiot. (I have zero motive to talk nonsense about Kraken, could be user error, but haven't seen any evidence of that yet, and really the chain of emails from Kraken, while being hacked, would throw a lot of user error (phishing, PW exposure, etc. theories out the window, which is why I'm so persistent)

B. Authenticator App compromised. (again kept secure, in my possession, non sms, non static, separate email from anything Kraken, 2FA and no security incidents)

C. Login Email Compromised. ((again 2FA, activity log shows no foreign IP and email tech (one of the top email services) confirmed no one has hacked or been on my email accept me.))

D. Kraken is/was vulnerable and/or compromised, using insufficient security for members who ONLY use 2FA as an extra layer of security. (hopefully uniquely, but at best the internal investigation should not have been closed and me told to "file a police report" forcing me to make these questions public)

If anyone wants to chime in I'm all ears.. I'd love to be the guy who they say. "oh remember that guy who did a combination of stupid things never done before and lost all of a $100."  Much better than hearing it from someone losing much more later.

[Bostraticus]

In fact, if you use a  service with registration, you risk losing your funds. I had a problem with Bittrex, they just blocked me without responding to my tickets. This is resolved, but after that, I stopped using registration services. You can use Changenow for example, without registering and not risking losing funds. Regarding this case, I think that Kraken is playing a dishonest game with you, and most likely a problem on their part, but they don’t want to admit it in order not to spoil their reputation.

[PaulyC]

Ummmm.. and this should help... right?   Guess what's gonna be mandatory next..

https://cointelegraph.com/news/crypto-exchange-kraken-makes-2fa-mandatory-and-forms-new-security-lab

My recommendation is you make those mandatory. Soon.

[cryptochat2017]

My Kraken account is also hacked, is Kraken trustworthy ?

I am mad

https://bitcointalk.org/index.php?topic=5171007.msg52020988#msg52020988

[BillGeo]

My Kraken account is also hacked, is Kraken trustworthy ?

I am mad

https://bitcointalk.org/index.php?topic=5171007.msg52020988#msg52020988

I just did a cursory search on varius forums and I think it's evident that Kraken can no longer be trusted as an exchange.
Also their refusal to provide basic information to their customers for their OWN accounts are very suspicious!

I was hacked 10 days ago, while I had 2FA enabled (Google OTP app) on withdrawals, so and the "hacker" only made
trades and burned trough 1500Euros on Kraken fees! And that is totally suspicious on Kraken's part!

I will be posting a separate post on this informing everybody.

My suggestion: stay away from Kraken, I am currently searching for another European exchange that has low fees for SEPA withdrawals

[figmentofmyass]

I was hacked 10 days ago, while I had 2FA enabled (Google OTP app) on withdrawals, so and the "hacker" only made
trades and burned trough 1500Euros on Kraken fees! And that is totally suspicious on Kraken's part!

I will be posting a separate post on this informing everybody.

My suggestion: stay away from Kraken, I am currently searching for another European exchange that has low fees for SEPA withdrawals

so you didn't have 2fa on login?

what trading pairs was the hacker trading? sometimes they market buy illiquid altcoins with one set of hacked accounts, and sell into them with another set of accounts. binance was targeted this way at pretty large scale.

i've been wary of kraken because of their behavior in this incident too.

[BillGeo]

I was hacked 10 days ago, while I had 2FA enabled (Google OTP app) on withdrawals, so and the "hacker" only made
trades and burned trough 1500Euros on Kraken fees! And that is totally suspicious on Kraken's part!

I will be posting a separate post on this informing everybody.

My suggestion: stay away from Kraken, I am currently searching for another European exchange that has low fees for SEPA withdrawals

so you didn't have 2fa on login?

what trading pairs was the hacker trading? sometimes they market buy illiquid altcoins with one set of hacked accounts, and sell into them with another set of accounts. binance was targeted this way at pretty large scale.

i've been wary of kraken because of their behavior in this incident too.

Yeah, 2FA on withdrawal only, I thought that would be sufficient.

An I still don't understand how one can make money by simply trading pairs (ETH/GBP in my case).
I'm still trying to understand how the funds where drained as I only see trading fees as expenses.
And KRAKEN is being very VERY unhelpful (to a suspicious degree) here!!!

Here is one (of 21) page from the leader...

https://i.postimg.cc/RZtJ0SFq/krak-hack.jpg

[joniboini]

An I still don't understand how one can make money by simply trading pairs (ETH/GBP in my case).

They use your account to sell/buy other pairs. Imagine the hacker control two accounts at the same time, one is yours, and the other is his separate account. Let's say you have 4 ETH balance. The hacker open order with your account to sell the ETH at the X price that he already prepares on his other account. Now, let's say he has X coins with low spread and lack of volume. He can use the ETH/X pair to use your ETH to buy his X coins that should not worth any penny (though this is easy to detect).

As for the fees, it's likely going to Kraken. I never use Kraken, but I doubt users could send fees to specific address/other users except for the exchange itself.

[BillGeo]

An I still don't understand how one can make money by simply trading pairs (ETH/GBP in my case).

They use your account to sell/buy other pairs. Imagine the hacker control two accounts at the same time, one is yours, and the other is his separate account. Let's say you have 4 ETH balance. The hacker open order with your account to sell the ETH at the X price that he already prepares on his other account. Now, let's say he has X coins with low spread and lack of volume. He can use the ETH/X pair to use your ETH to buy his X coins that should not worth any penny (though this is easy to detect).

As for the fees, it's likely going to Kraken. I never use Kraken, but I doubt users could send fees to specific address/other users except for the exchange itself.

I appreciate the explanation man,
but does such scheme make sense for an ETH/GBP pair, as was in my case?

[Slow death]

I just did a cursory search on varius forums and I think it's evident that Kraken can no longer be trusted as an exchange.

with so many cases similar to yours:

https://bitcointalk.org/index.php?topic=5071540.0

https://bitcointalk.org/index.php?topic=1559553.0

https://bitcointalk.org/index.php?topic=2378753.0

it is clear that they are not reliable, note that all exchanges are not 100% reliable

[PaulieOne]

The same thing has just happened to me on March 3, 2021.
Somehow they bypass 2FA and emptied the account.
Not 1 question or enquirer from Kraken, they just closed the door on me and said great news here is your account back.

Kraken is not safe, your funds are only protected by automated emails, no world class security team exists, and 24/7 support is a virtual assistant called kai. Total sham,

[PaulieOne]

Hey PaulyC

sorry to say but I have had almost exactly the same experience, but in 2021, on Wednesday March 3.
Did Kraken ever offer any real help or accountability?

Cheers
P.

[PaulyC]

Hey PaulyC

sorry to say but I have had almost exactly the same experience, but in 2021, on Wednesday March 3.
Did Kraken ever offer any real help or accountability?

Cheers
P.

Wow just seeing these replies. Sorry to hear it. I never had any final response.. A lot of wasted time.

But they def. had a flaw in their 2FA recovery email response (that the other exchanges didn't have) I tried to help.. But unfortunately Kraken has "never been hacked"... and they're sticking to it...
I whitelist any exchange addresses when I have any hot wallets (which is basically never) out there. It's good practice.