Kraken Lets Hackers Change Account Email Address Even When Funds Are Present

Users of cryptocurrency exchanges often fall victim to accounts getting hacked, stolen, or abused. We have seen dozens of such stories ever since the creation of Bitcoin. In most cases, such issues have arisen due to people failing to take the necessary account security precautions. One user recently lost US$43,000 worth of Litecoin on Kraken and is not too pleased with the way the exchange has handled things.

Exchanges Have to Protect Customer Funds Better

Every time a story such as this one comes to light, there are two sides to be taken into account. This particular Kraken user usually holds his coins off exchanges unless absolutely necessary, but admitted he did not take enough precautions in this case. Indeed, the one time he slipped up, things went sour very quickly. He ended up losing US$43,000 worth of Litecoin, which is a significant amount.

According to the user, he moved his LTC funds to Kraken last Friday. The goal was to have the funds available on an exchange pending the Bitcoin Cash fork playing out. If a massive demand were to arise for LTC, there would be good profit to be made. Unfortunately for him, Litecoin’s price was not at all affected by the BCH launch and its value has remained virtually the same for several days now.

Transferring these coins to Kraken may have been the user’s worst decision in recent memory as well, as his funds had been stolen by Sunday afternoon. Not setting up two-factor authentication was a very bad idea, as everyone should enable 2FA on exchange accounts regardless of how often they use them. It is an extra layer of defense against unauthorized account access. It is not a foolproof solution by any means, but there is no reason whatsoever not to use it.

Interestingly enough, the user received an “invalid account” error when logging into Kraken on Sunday. It appears someone had successfully compromised his email address, reset his Kraken password, and even changed the email address altogether. It is incredibly strange to learn that exchanges allow users to change their email address while there is an active balance in an account. Doing so without requiring additional identity verification is pretty unusual, yet Kraken seemingly has no problem with this.

The user in question managed to track down the address to which the funds were sent, and by that time most of his Litecoins had already been sold. Hackers always aim to get their currency and cash it out as quickly as possible. Considering that Litecoin, like Bitcoin, has no privacy or anonymity traits nor any coin mixers, it should not be too hard for law enforcement officials to track the hacker down — that is, assuming they will be inclined to do so.

While it is true that the Kraken user should be blamed for lackluster account security, the exchange should be scrutinized as well. Changing an email address on any account without verification is bad enough. Allowing someone with a foreign IP to do so when there is money in the wallet at the time is absolutely unacceptable. It is hard to fault the company for letting this user allow his account to become compromised, yet its role in the transfer of funds raised a lot of questions as things unfolded. In the end, users are always responsible for securing their exchange accounts.