SIM-Swap Attack Targeting Kraken Exchange Accounts
Criminals port Kraken users' phone numbers to SIMs they control, intercept SMS-based two-factor authentication codes, and use password-reset flows to gain full account access before draining cryptocurrency balances and withdrawing fiat funds.
Last reviewed: 8 June 2026
Kraken is a professional-grade cryptocurrency exchange used by both retail and institutional traders. Despite Kraken's strong security practices and reputation, the exchange's SMS-based 2FA option remains a potential vulnerability if a user's phone number is successfully ported away through a SIM-swap attack.
Kraken has publicly encouraged its users to use hardware keys or TOTP apps rather than SMS for two-factor authentication, and has documented that SIM-swap attacks are among the most common vectors its users face. Nevertheless, users who still rely on SMS 2FA — or who use SMS as a fallback recovery method — remain exposed.
A successful SIM swap against a Kraken account is particularly damaging because Kraken supports trading in a wide range of cryptocurrencies and may hold significant fiat balances. The attacker can liquidate positions, initiate withdrawals to external addresses, and change account details before the victim regains their phone number.
How this scam works against Kraken accounts
A SIM swap against a Kraken account follows the same general pattern as attacks on other exchanges: the attacker gathers identifying information, impersonates the victim to their mobile carrier, and completes the port. Once in possession of the phone number, they trigger a Kraken password reset, receive the SMS confirmation, set a new password, change the account email address, and begin withdrawing.
Kraken's 2FA settings may require a 'master key' or global settings passcode for certain account changes. If the attacker does not have this, they may face an additional barrier. However, accounts on which the victim has not set a global passcode give the attacker a more direct route.
Some SIM-swap attacks against Kraken users are preceded by targeted phishing to obtain the Kraken account email address and password — the SIM swap is then used only to bypass the 2FA layer rather than to reset everything from scratch.
Common red flags
- Your phone loses carrier service unexpectedly
- Kraken sends a password-change or email-change confirmation you did not initiate
- A new-device login alert arrives from Kraken for an unfamiliar location
- Withdrawal confirmations appear in your Kraken account for transactions you did not authorise
- Your carrier account shows an unexpected SIM swap, port, or replacement event
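The red flags above are most telling in combination: a SIM change on the carrier side followed shortly by sensitive actions on the exchange account. The following Python is an added example (not Kraken's or any carrier's code) that correlates the two; the event names, record layout and 24-hour window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Assumed event names and record layout; not a Kraken or carrier schema.
SIM_EVENTS = {"sim_swap", "port_out", "sim_replacement"}
SENSITIVE = {"password_reset", "email_change", "login_new_device", "withdrawal"}
WINDOW = timedelta(hours=24)  # assumed correlation window

# Constructed sample events: (ISO timestamp, account, event type)
SAMPLE_EVENTS = [
    ("2026-03-01T09:00:00", "alice", "login_new_device"),  # no SIM event at all
    ("2026-03-02T02:10:00", "bob", "sim_swap"),
    ("2026-03-02T02:25:00", "bob", "password_reset"),
    ("2026-03-02T02:27:00", "bob", "login_new_device"),
    ("2026-03-02T02:31:00", "bob", "email_change"),
    ("2026-03-02T02:40:00", "bob", "withdrawal"),
    ("2026-03-03T11:00:00", "carol", "sim_replacement"),
    ("2026-03-09T11:00:00", "carol", "withdrawal"),        # outside the window
    ("2026-03-04T08:00:00", "dave", "password_reset"),     # precedes the SIM event
    ("2026-03-04T09:00:00", "dave", "port_out"),
    ("2026-03-04T09:20:00", "dave", "password_reset"),
]


def correlate(events, window=WINDOW):
    """Map account -> (severity, actions) where a SIM change is followed by
    sensitive account actions inside `window`."""
    timeline = {}
    for ts, account, kind in sorted(events):  # ISO timestamps sort chronologically
        timeline.setdefault(account, []).append((datetime.fromisoformat(ts), kind))
    findings = {}
    for account, evs in timeline.items():
        for i, (t0, kind) in enumerate(evs):
            if kind not in SIM_EVENTS:
                continue
            followed = []
            for t, k in evs[i + 1:]:
                if t - t0 > window:
                    break
                if k in SENSITIVE and k not in followed:
                    followed.append(k)
            # Keep the SIM event with the most follow-on actions per account.
            if len(followed) > len(findings.get(account, ("", []))[1]):
                severity = "critical" if "withdrawal" in followed else "high"
                findings[account] = (severity, followed)
    return findings


if __name__ == "__main__":
    for account, (severity, actions) in correlate(SAMPLE_EVENTS).items():
        print(f"{account}: {severity} - SIM change followed by {', '.join(actions)}")
```

Because it does not require a password reset in the chain, the same check also covers the phishing-assisted variant, where the SIM swap is used only to pass the 2FA step.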
How to protect yourself
- Switch Kraken 2FA to a TOTP authenticator app or hardware security key — disable SMS 2FA entirely if possible
- Set a Kraken global settings password in your Security settings — this adds a layer that a SIM swap alone cannot bypass for account changes
- Place a SIM-lock PIN or carrier-level porting restriction on your mobile account
- Use a dedicated email address for Kraken that is not used for other services
- Enable Kraken's API key IP whitelisting if you use automated trading, to prevent attacker-added API keys from functioning
- Review your Kraken security activity log regularly for any unfamiliar events
How to report it
- Contact your mobile carrier immediately to reverse the SIM swap
- Report to Kraken support at support.kraken.com and request an account freeze
- File a report with the FTC at reportfraud.ftc.gov and with identitytheft.gov
- Report to IC3.gov (US) or Action Fraud 0300 123 2040 (UK)
- File a police report for the SIM swap — carriers and law enforcement increasingly take this seriously
Frequently asked questions
Does Kraken recommend SMS 2FA?
No. Kraken explicitly recommends using a hardware security key or TOTP authenticator app over SMS-based 2FA, citing the known risk of SIM-swap attacks. Their documentation at kraken.com/learn covers 2FA best practices.
What is Kraken's global settings password and how does it help?
Kraken's global settings password is a secondary password required to change critical security settings such as 2FA methods, API keys, and master keys. Setting one means an attacker who only gains your login credentials and 2FA still cannot change security settings without this additional password.
Can Kraken freeze my account before attackers drain it?
Contact Kraken support immediately if you suspect a SIM swap is in progress. Kraken has procedures for freezing accounts on an emergency basis. The faster you report, the better the chance of limiting losses, as withdrawal processing may not be instant for all currencies.