Kraken Account Takeover Scams
Attackers use phishing, SIM swapping, and social engineering to hijack Kraken accounts and liquidate holdings. Kraken's Global Settings Lock and authenticator-app 2FA are the most effective defenses.
Last reviewed: 7 June 2026
Kraken account takeover attacks combine credential theft with 2FA interception to achieve unauthorized access. Kraken's strong security reputation does not protect users from attacks that exploit their own behavior — entering credentials on a phishing page, reading a 2FA code over the phone, or using SMS-based authentication that is vulnerable to SIM swapping.
Kraken accounts can hold significant cryptocurrency across many asset types, and sophisticated attackers specifically target high-balance accounts with coordinated multi-step attack chains. The attacker typically needs: the victim's email address, their Kraken password, and a current 2FA code — all obtainable through a combination of phishing and social engineering.
Kraken offers specific security features that make takeovers far more difficult even if credentials are partially compromised. The Global Settings Lock (GSL) imposes a mandatory time delay on any account setting changes, and the Master Key feature requires an additional password for sensitive operations. Users who activate these features significantly reduce their risk.
How this scam works on the Kraken brand
A Kraken-branded phishing email warns of suspicious login activity and provides a link to secure the account. The victim clicks through to a convincing Kraken login page, enters credentials and their 2FA code, and sees a 'Your account is secure' confirmation. Behind the scenes, the attacker has used those credentials in real time to log into the genuine account and immediately begin changing settings.
A parallel SIM-swap attack starts with the attacker gathering personal information (from social media or data breaches) to convince the victim's mobile carrier to transfer the phone number to a new SIM. With control of the phone number, the attacker receives Kraken's SMS 2FA codes and can request a password reset to gain full access.
Kraken's genuine security emails come from @kraken.com and direct users only to kraken.com. Kraken also proactively warns users about phishing in its security communications. The Security Log in account settings records every login and setting change, allowing users to detect unauthorized access quickly.
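As an added example (not Kraken's code and not part of the original page), the link rule above can be checked mechanically: the Python below pulls every link out of an HTML email body and flags any whose real host is not kraken.com. Treating subdomains of kraken.com as trusted, the function names, and the sample message are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = "kraken.com"  # the only domain the page says genuine emails link to

def link_verdict(url):
    """Return 'ok', or the reason the link does not point at kraken.com."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return "unparseable URL"
    if parts.scheme != "https":
        return "not https"
    # Non-ASCII or punycode labels can render as a lookalike of the real name.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return "internationalized lookalike host: " + host
    # Assumption: subdomains of kraken.com are trusted; suffix match needs the dot.
    if host == TRUSTED or host.endswith("." + TRUSTED):
        return "ok"
    return "host is " + (host or "missing") + ", not " + TRUSTED

class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(href)

def suspicious_links(html_body):
    """Return (url, reason) for every link that fails link_verdict."""
    collector = LinkCollector()
    collector.feed(html_body)
    verdicts = [(u, link_verdict(u)) for u in collector.links]
    return [(u, v) for u, v in verdicts if v != "ok"]

# Constructed sample body (not a real message); .example hosts are placeholders.
SAMPLE = """
<p>Suspicious login detected.</p>
<a href="https://www.kraken.com/sign-in">Kraken</a>
<a href="https://kraken.com.account-verify.example/login">Secure Your Account</a>
<a href="https://kraken.com@login.example/">kraken.com</a>
<a href="http://kraken.com/">Kraken</a>
<a href="https://xn--constructed.example/">Kraken</a>
"""

if __name__ == "__main__":
    for url, reason in suspicious_links(SAMPLE):
        print(f"{reason:55} {url}")
```

The visible link text plays no part in the verdict; only the parsed host of the href does, which is why the link labelled "kraken.com" is still flagged.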
Common red flags
- A Kraken security email with a 'Secure Your Account' link going to any domain other than kraken.com
- Unexpected SMS messages containing Kraken 2FA codes that you did not request
- Unexpected loss of mobile phone service (may indicate a SIM swap in progress)
- Kraken login notifications, or Security Log entries, showing unfamiliar devices or locations
- A caller claiming to be from Kraken who asks you to provide a one-time verification code
- Pending 2FA method changes or new withdrawal addresses in account settings that you did not initiate
How to protect yourself
- Enable Kraken's Global Settings Lock (GSL) to impose a time delay on all account setting changes
- Replace SMS 2FA with an authenticator app or hardware security key
- Set a Master Key in Kraken security settings for an additional layer on sensitive operations
- Contact your mobile carrier to add a SIM lock PIN and a note requiring in-person verification for SIM changes
- Check the Kraken Security Log regularly for unrecognized activity
- Bookmark kraken.com and navigate only from the bookmark — never from email links
How to report it
- Report account compromise immediately at kraken.com/support to freeze the account
- Forward phishing emails to [email protected]
- Report a SIM swap to your mobile carrier's fraud department
- Report to IC3.gov (US) or Action Fraud (UK)
Frequently asked questions
What is Kraken's Global Settings Lock and how do I enable it?
The Global Settings Lock (GSL) prevents changes to account security settings — including 2FA and withdrawal addresses — for a user-defined time period. Enable it in Kraken's Security section. Even if an attacker logs in, they cannot immediately change settings or add withdrawal addresses.
How do SIM swap attacks work against Kraken?
If your Kraken account uses SMS 2FA, an attacker who convinces your mobile carrier to transfer your number to their SIM can receive your verification codes. Switching to an authenticator app removes this vulnerability entirely.
I notice an unfamiliar login in the Kraken Security Log. What should I do?
Immediately change your password, log out all sessions, and review your withdrawal whitelist and API keys. If any are unfamiliar, disable them. Then contact Kraken support at kraken.com/support and change your 2FA method if it is SMS-based.