Fake Kraken Password Reset Phishing
Attackers send fake Kraken password-reset emails to capture login credentials and 2FA codes. Genuine Kraken password-reset emails direct you to kraken.com directly — they do not embed action buttons linking to external domains.
Part of: Fake Password Reset Scams
Last reviewed: 7 June 2026
Password reset phishing targets Kraken users by mimicking the exchange's genuine security email format. The attack creates a moment of uncertainty: the recipient sees an email claiming their password was recently changed or that a reset was requested, and naturally wants to investigate or reverse it.
Kraken, like all large platforms, does send genuine password-reset and security-alert emails. This familiarity makes users more likely to engage with a fake version, particularly one that closely matches Kraken's genuine email design. The critical difference between a real Kraken security email and a fake one lies in what action it asks you to take and where the links lead.
Setting up additional security layers in Kraken — particularly the Global Settings Lock and a Master Key — means that even if an attacker obtains a password and OTP, they face additional time-delayed barriers before any damage can be done.
How this scam works on the Kraken brand
A phishing email mimicking Kraken's visual design warns: 'A password reset was initiated for your account from an unrecognized device.' It includes a large 'Cancel This Request' button. Clicking it opens a Kraken-lookalike login page at a domain like kraken-security-update[.]com, where entering credentials and a 2FA code delivers them to the attacker in real time.
A more sophisticated version exploits the real reset flow. The attacker initiates a genuine password reset at kraken.com using the victim's email, which sends a real Kraken reset email. Simultaneously, the attacker sends a spoofed follow-up: 'If you did not request this, click here to lock your account immediately.' The follow-up link is the phishing page — the victim, having just received a genuine Kraken email, is primed to trust the spoofed follow-up.
Kraken's genuine security emails come from @kraken.com and contain account-specific context. They direct users to navigate to kraken.com directly — not through embedded links. The genuine reset link does open kraken.com to set a new password, but the email never asks you to provide your existing password to 'cancel' a request.
Common red flags
- A 'Cancel This Request' button in an email that links to any domain other than kraken.com
- An email asking you to confirm your existing password to reverse a password change
- A follow-up email arriving minutes after a genuine Kraken reset email urging you to 'secure your account'
- Sender address is not @kraken.com
- The login page URL that the link actually leads to contains words like 'secure,' 'reset,' or 'verify' alongside 'kraken'
- No corresponding activity visible in the Kraken Security Log when you log in directly
How to protect yourself
- If you receive an unexpected Kraken reset email, navigate to kraken.com directly to check your account — do not use the email link
- Enable the Global Settings Lock so any setting changes require an extended cooling period even after login
- Use an authenticator app instead of SMS for 2FA, so a SIM swap cannot intercept your codes
- Add a Kraken Master Key for an extra layer on sensitive operations
- Bookmark kraken.com and use only that for all Kraken access
How to report it
- Forward phishing emails to [email protected]
- Report the phishing domain to Google Safe Browsing
- Report to IC3.gov (US) or Action Fraud (UK)
- File the incident via kraken.com/support
Frequently asked questions
How do I verify if a Kraken security email is genuine?
Check the sender address for @kraken.com, then independently log into kraken.com and review your Security Log. If there is no record of the activity mentioned, the email is likely fraudulent. Do not click links in the email to verify.
What does a genuine Kraken password-reset email look like?
A genuine Kraken password-reset email comes from a @kraken.com address, contains your registered email address, and links to kraken.com for setting a new password. It does not ask for your current password or a 2FA code to cancel a request.
If I clicked the link but did not enter credentials, am I at risk?
The risk is lower if no credentials were entered, but some phishing pages can drop malware on visit. Run an antivirus scan and check your Kraken Security Log for unauthorized access attempts. Change your password from a known-clean device as a precaution.