Fake Kraken Two-Factor Reset Scams
Fraudsters impersonating Kraken support engineers social-engineer victims into disabling two-factor authentication under the guise of resolving an account access problem, enabling full account takeover.
Part of: Two-Factor Reset & Social Takeover Scams
Last reviewed: 8 June 2026
Two-factor authentication is one of the strongest protections against unauthorized exchange account access, which is why sophisticated attackers specifically target the reset process. Fraudsters impersonating Kraken support contact users who have posted about login difficulties, claiming they can help resolve the issue — but the real goal is to convince the victim to disable or bypass 2FA.
The attack exploits the fact that genuine Kraken support does sometimes assist users with 2FA resets through a verified identity process. Scammers replicate this process in a fake support flow, persuading victims to visit a phishing page that submits a 2FA disable request, or walking them through disabling authenticator-based 2FA on their real account under a fabricated security pretext.
Kraken's legitimate 2FA reset process involves submitting a formal request through support.kraken.com with identity verification. It does not involve a support agent contacting you proactively on social media or asking you to disable 2FA to 'fix a sync error.'
How this scam works on the Kraken brand
The scammer finds a user who has posted about Kraken login difficulties and reaches out via DM on Twitter/X or Discord. After establishing rapport, the scammer explains that a 'two-factor sync error' has been detected on the account and that the authenticator app must be temporarily unlinked to apply a security patch.
The victim is directed to a fake 'Kraken Security Portal' where they input their email, password, and then the current valid 2FA code, all of which are relayed in real time to the attacker, who uses them to log into the genuine Kraken account. Once inside, the attacker disables the real 2FA and immediately initiates withdrawals, before the victim realizes what has happened.
Alternatively, the scammer convinces the victim to disable their 2FA app themselves, assuring them it is a 'routine security maintenance step.' With 2FA removed, a subsequent credential phishing step gives the attacker unobstructed account access.
Common red flags
- A Kraken support agent contacted you on social media rather than you opening a support ticket at support.kraken.com
- Agent requests your current 2FA code as part of a 'sync verification' or 'security maintenance' step
- You are advised to temporarily disable your authenticator app (for example, Google Authenticator) to fix a Kraken account issue
- Verification portal URL is not support.kraken.com
- Agent is unusually urgent, warning that your account will be locked or funds frozen if you do not act immediately
- Agent asks for your Kraken account password on any external channel or page
How to protect yourself
- Never disable or reset your 2FA at the request of anyone who contacted you proactively — all legitimate Kraken 2FA processes are initiated by you through support.kraken.com
- Use a hardware security key (FIDO2/YubiKey) as your 2FA method — these are phishing-resistant and cannot be intercepted in real time
- Enable Kraken's global settings lock and withdrawal address whitelist to add additional layers of protection
- Verify that any support communication arrives from support.kraken.com — not from social media DMs or unofficial Discord channels
- If you ever need to reset your 2FA legitimately, open a ticket at support.kraken.com from a recognized device
How to report it
- Report the social media impersonator to the platform and to Kraken at support.kraken.com
- If 2FA was compromised, contact Kraken support immediately via support.kraken.com to freeze withdrawals
- File a complaint with IC3.gov (US) or Action Fraud (UK)
- Document all conversations and screenshots before reporting
Frequently asked questions
Would Kraken ever ask me to disable 2FA to fix an account issue?
No. Kraken's support team will never ask you to disable your 2FA as a troubleshooting step. If 2FA needs to be changed, the process requires formal identity verification initiated by you through support.kraken.com.
Is a hardware security key safer than an authenticator app for Kraken?
Yes. Hardware security keys (FIDO2/WebAuthn) are phishing-resistant because the signed response is cryptographically bound to the exact domain that requested it: the browser records the origin it saw, and the key's response only verifies for the site it was registered with, so a fake site cannot capture a hardware-key response and replay it to Kraken. Authenticator-app codes carry no such binding and can be intercepted and relayed in real time by a man-in-the-middle attack.
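As an added illustration of the difference described in this answer (example code written for this page, not Kraken's own implementation), the Python below runs a relying party's WebAuthn assertion checks and a TOTP check against a login collected on the real site and one relayed from a lookalike portal; the relying-party id, origin, portal domain and secrets are assumed placeholders.

```python
# Added example, not Kraken's code: WebAuthn assertion checks (origin, challenge,
# rpIdHash) beside a TOTP check. Domain names and secrets are constructed.
import base64, hashlib, hmac, json, os, struct, time

RP_ID = "kraken.com"                        # assumed relying-party id
EXPECTED_ORIGIN = "https://www.kraken.com"  # the only origin the server accepts

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def client_data(origin: str, challenge: bytes) -> bytes:
    """clientDataJSON; the browser fills in origin, so a lookalike page cannot fake it."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()

def authenticator_data(rp_id: str) -> bytes:
    """authenticatorData prefix: sha256(rpId), flags (user present), counter."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", 1)

def verify_assertion(cdata: bytes, auth_data: bytes, challenge: bytes) -> bool:
    """Checks type, issued challenge, browser-seen origin and rpIdHash (signature omitted)."""
    cd = json.loads(cdata)
    return bool(cd.get("type") == "webauthn.get"
                and hmac.compare_digest(cd.get("challenge", ""), b64url(challenge))
                and cd.get("origin") == EXPECTED_ORIGIN
                and hmac.compare_digest(auth_data[:32],
                                        hashlib.sha256(RP_ID.encode()).digest()))

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code: a function of secret and time only, so the server cannot
    tell on which site the user typed it."""
    mac = hmac.new(secret, struct.pack(">Q", int(at // step)), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, at: float) -> bool:
    return hmac.compare_digest(totp(secret, at), code)

def demo() -> dict:
    challenge, secret, now = os.urandom(32), os.urandom(20), time.time()
    phish = "kraken-security-portal.example"  # constructed lookalike domain
    return {
        "webauthn_real_site": verify_assertion(
            client_data(EXPECTED_ORIGIN, challenge), authenticator_data(RP_ID), challenge),
        "webauthn_relayed": verify_assertion(
            client_data("https://" + phish, challenge), authenticator_data(phish), challenge),
        "totp_relayed": verify_totp(secret, totp(secret, now), now),
    }
```

The relayed WebAuthn response fails on both the origin and the rpIdHash, while the relayed TOTP code is indistinguishable from one typed on the real site.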