Unverified community reports. Claims on this site are allegations by users. Not legal advice. We moderate but do not investigate.
Case study № 001 · Documented · Unverified

“Security above everything.” Then, in ten minutes, about $400,000 was gone.

“Security above everything” is Kraken's own security tagline. This is one customer's documented account of what happened anyway — told in anonymised form from the case file, including the exchange's own account-activity report. It is the reporter's allegation, not a finding of fact. Read it beside Kraken's security promises, and judge for yourself.

This is a user-submitted, unverified account. It represents the reporter's allegation only. Kraken (Payward Ltd) denies liability and attributes the loss to a compromise of the customer's security information outside its systems. Nothing here is legal advice or a finding of fact.
What the records show

A timeline reconstructed from the exchange's own activity report.

  1. A first-ever device signs in. The login comes from a Windows machine the account had never once used — its entire history is Mac and iOS — on a different network from the account's usual ISP. The unfamiliar device is waved through after an email approval.
  2. Two devices, at the same time. Within the same two minutes, two separate sessions act on the account at once: a Windows browser on one IP adding brand-new withdrawal addresses, while an iOS phone on another IP deletes the account's long-standing trusted ones. Two sessions simultaneously tearing down and rebuilding the withdrawal list is a textbook takeover signal.
  3. The whitelist is replaced wholesale. Every saved, trusted address is removed and new ones — labelled to look internal (“Kraken”, “Kraken1”, “Ledger”) — are added in their place.
  4. Drained in ~60-second windows. About 80,009 XRP and 214,449 XLM — roughly $400,000 — leave the account, withdrawn to addresses that had been added around sixty seconds earlier.
  5. The block comes too late. The account is locked only after both withdrawals have already completed. The funds are gone.

Two points the reporter adds. On location: the log shows both sessions as “UK” because the mobile network home-routes roaming traffic through the UK — so a phone abroad still appears as a UK exit. The reporter was in fact in another country at the time, meaning the single “UK” location masks two people in two places. On the email approvals: yes, the new device and the new addresses were each “approved via email confirmation” — but that is exactly the point. The behavioural red flags here — a first-ever device, two simultaneous sessions, the wholesale replacement of the withdrawal list, and maximum-value withdrawals sixty seconds after an address is added — are independent of the email, and are precisely what “real-time monitoring for suspicious activity” is supposed to catch.
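The four behavioural signals the timeline lists can be expressed as monitoring rules. The following is an added example (not Kraken's code or any real exchange's log format): a small rule set run over a constructed activity log that mirrors the reported sequence, with placeholder IPs, addresses, device names and field names all assumed.

```python
from itertools import combinations
SESSION_WINDOW = 120            # seconds: "within the same two minutes"
NEW_ADDRESS_HOLD = 24 * 3600    # hold withdrawals to addresses younger than this
KNOWN_DEVICES = {"mac", "ios"}  # the account's whole login history (constructed)
TRUSTED = {"rOLD1", "GOLD2"}    # whitelist before the incident (constructed placeholders)

def analyze(events, known_devices, trusted):
    """Run the four takeover rules over an activity log and return {signal: [detail]}.
    Events are dicts: ts (epoch seconds), type, device, ip, plus address/amount/asset."""
    hits = {k: [] for k in ("first_device", "concurrent_sessions", "whitelist_replaced", "young_destination")}
    added_at, remaining, mutations = {}, set(trusted), []
    for e in sorted(events, key=lambda e: e["ts"]):
        t, kind = e["ts"], e["type"]
        if kind == "login" and e["device"] not in known_devices:
            hits["first_device"].append(f"{e['device']} via {e['ip']} at {t}")
        elif kind == "address_add":
            added_at[e["address"]] = t
            mutations.append((t, e["device"], e["ip"]))
        elif kind == "address_remove":
            remaining.discard(e["address"])
            mutations.append((t, e["device"], e["ip"]))
            if trusted and not remaining:   # every pre-incident address is now gone
                hits["whitelist_replaced"].append(f"last trusted address removed at {t}; "
                                                  f"{len(added_at)} new ones added")
        elif kind == "withdraw":            # the rule that should block, not merely log
            age = t - added_at.get(e["address"], float("-inf"))
            if age < NEW_ADDRESS_HOLD:
                hits["young_destination"].append(f"HOLD {e['amount']} {e['asset']} to "
                                                 f"{e['address']}: added {int(age)}s earlier")
    # Two different (device, ip) pairs editing the whitelist inside one window
    for (t1, d1, i1), (t2, d2, i2) in combinations(mutations, 2):
        if abs(t2 - t1) <= SESSION_WINDOW and (d1, i1) != (d2, i2):
            hits["concurrent_sessions"].append(f"{d1}@{i1} and {d2}@{i2} edited the "
                                               f"whitelist {abs(t2 - t1)}s apart")
            break
    return hits

def sample_log(t0=1_700_000_000):
    """Constructed log mirroring the reported sequence; IPs and addresses are placeholders."""
    def ev(dt, kind, dev, **extra):
        ip = {"windows": "203.0.113.10", "ios": "198.51.100.7"}[dev]
        return {"ts": t0 + dt, "type": kind, "device": dev, "ip": ip, **extra}
    return [ev(0, "login", "windows"),
            ev(30, "address_add", "windows", address="rNEWADDR1"),
            ev(40, "address_remove", "ios", address="rOLD1"),
            ev(50, "address_add", "windows", address="GNEWADDR2"),
            ev(70, "address_remove", "ios", address="GOLD2"),
            ev(90, "withdraw", "windows", address="rNEWADDR1", amount=80009, asset="XRP"),
            ev(110, "withdraw", "windows", address="GNEWADDR2", amount=214449, asset="XLM")]
```

Every one of these rules fires on the constructed log before the first withdrawal completes; the point of the `young_destination` rule is that a withdrawal to a minute-old address is held for review rather than merely recorded.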

Advertised vs. documented

What's marketed, and what the record shows.

The marketed quotes are Kraken's own wording, taken from its public security page; the documented entries are what this customer's case records describe. Read both, and decide whether the marketing matched the protection.

Marketed: “Industry-leading security keeps your assets safe on our platform.”
Documented: A device type the account had never once used logged in — and the account was emptied in roughly ten minutes.

Marketed: “Constant, real-time monitoring for suspicious activity.”
Documented: Two separate devices on two IPs acted in the same two minutes — one adding new withdrawal addresses while the other deleted every trusted one — yet not a single withdrawal was paused for a check.

Marketed: “Email confirmations for adding new withdrawal addresses.” · “Global settings time lock … for when you're away.”
Documented: Maximum-value withdrawals still went to addresses added about sixty seconds earlier. The reporter's view: the safeguards that fired leaned on the customer's email, while the platform's own monitoring did not stop the drain.

Marketed: Tagline: “Security above everything.”
Documented: The account was blocked only after both withdrawals had already completed and the funds were gone. Reimbursement was then declined, citing the Terms of Service.

The marketed quotes are Kraken's own marketing, reproduced from its security page (kraken.com/features/security, checked June 2026). Verify them yourself there.

The open question

A first-ever device, a new network, two sessions at once, every trusted address deleted, and maximum-value withdrawals to sixty-second-old addresses. Should “industry-leading” suspicious-activity detection have paused that before the money left? The user says yes. You decide.

“Saved by the terms”?

The exchange declined to reimburse, relying on Terms of Service that make the customer responsible for account security. The user's position is that, under the UK Consumer Rights Act 2015, a term cannot exclude a firm's liability for its own negligence — so whether the monitoring was adequate is still a live question, not one the small print can simply close.

This is the reporter's argument, summarised — not legal advice, and not a court's conclusion.

Did Kraken go quiet on you too? If your experience looks like this, you are not the only one — and one account is easy to dismiss while many, side by side, are not. Add your own account, compare timelines, and share the legal contacts already working on these cases. Contact: kraken-victims@proton.me
Verify it yourself

Don't take anyone's word — including ours. Read the exchange's published security claims, ask any exchange for your full account-activity report (devices, IPs, timestamps), and trace stolen funds on public explorers (xrpscan.com, stellar.expert). See the resource library for the real complaint channels.