Kraken thwarted a scammer’s attempt to hijack a Kraken account by spotting a Halloween-style mask during a video verification call. The scammer’s inability to answer key security questions raised initial red flags, prompting the additional verification step.
Scammer Attempt on Kraken Account
In order to reestablish access to your Kraken account, you may be requested to participate in a video call with a support agent to verify your identity.
The centralized exchange reported that last month, an individual was observed donning a rubber mask reminiscent of Halloween in an attempt to deceive the worker on the other end of the call. However, the ruse was unsuccessful.
During the initial round of reviews, the attacker had raised numerous red flags, including the failure to identify the assets that the account held. As a result of these flags, the agent working the case was compelled to request a video call before granting access to the account. The Kraken staffer inquired further and verified the individual’s identification during the conversation.
“Our agent was like: This is absolutely ridiculous. This is a rubber mask the guy’s wearing,” Kraken Chief Security Officer Nick Percoco told Decrypt.
There are deepfakes and then there’s this guy. He’s trying to gain access to a @krakenfx client’s account. Nice try, buddy! pic.twitter.com/gFD9LUM2D4
— Nick Percoco (@c7five) October 15, 2024
Percoco stated that the mask did not even resemble the individual the attacker was professing to be. Percoco perceived that the assailant had merely acquired a mask that vaguely matched the victim’s description, as the victim was a Caucasian male in his early 50s.
This is also not the first time someone has donned a disguise in an effort to deceive Kraken.
“[We] see things, from time to time, where people put on a fake mustache,” he told Decrypt. “They show [ID] and it looks close because they wear the same style glasses, have a mustache, and have blonde hair. We see that from time to time. They never pass.”
“But this is the first time,” he added, “that someone has gone out to the costume store to get a mask.”
To exacerbate the situation, the assailant lacked a credible identification card. Percoco clarified that the image was “clearly” Photoshopped and printed onto card stock, albeit with the appropriate information.
Even though this was not a sophisticated attack, it underscores the potential for even sloppy fraudsters to access the private information of everyday individuals. Percoco is of the opinion that attackers could achieve success despite their unpolished endeavor.
“I think it must [work],” he told Decrypt. “I think people wearing disguises, people who breach another place and get a copy of your government ID, and then print it out on glossy paper, holding that up… for some exchanges, that probably works.”
He asserted that certain exchanges lack the same level of attention to detail that Kraken expects from its team. Companies that outsource their support are explicitly identified by Percoco as being more susceptible to errors.
If his assertion is accurate, people who use centralized exchanges should not always depend on the company to protect them from malicious actors. According to Percoco, to safeguard themselves, users should implement two-factor authentication “everywhere,” from their email to far beyond, to prevent malicious actors from obtaining any personal information at any cost.
Despite employing these safeguards, it is still possible for a user to fall victim to phishing schemes. He suggests the use of FIDO2 and passkeys, which are hardware keys that can transform your phone or laptop into your account password, for the highest level of security.