You can harden infrastructure. You can't fully harden people.

According to Kraken, the extortion attempt it recently disclosed is not a one-off. The exchange says it is linked to broader criminal recruitment campaigns targeting insiders across crypto, gaming, and telecoms — and that it is working with industry partners and law enforcement to disrupt them.

The incident itself was contained. No systems were compromised, no client funds were at risk. Two cases of support-level access exposed data linked to around 2,000 accounts.

The more relevant question is whether this reflects a pattern that extends well beyond Kraken — and how these recruitment operations actually work.

The Record So Far

The cases are not isolated. Across several major platforms, the common thread is the same: attackers relied on access that already existed rather than finding a way in from outside.

At Coinbase in 2022, a product manager used confidential knowledge of upcoming token listings to front-run trades on at least 14 occasions. No systems were breached. The advantage came entirely from privileged information treated as a personal trading edge.

The scheme was identified not by internal controls but by an external observer who noticed a wallet buying tokens shortly before they appeared on the exchange.

In 2025, Coinbase disclosed a separate incident in which attackers bribed overseas customer support contractors to extract user data from internal systems those staff were authorised to access. The stolen data — names, phone numbers, government IDs, masked Social Security numbers, account balances — was enough to run convincing impersonation attacks. In at least one case, a user lost more than $2 million. The breach ran undetected for months. Attackers demanded a $20 million ransom; Coinbase refused and offered a matching bounty for information leading to the perpetrators.
The total cost is estimated at $180 million to $400 million in remediation and legal exposure.

At Binance in December 2025, an employee used advance knowledge of an upcoming announcement to trade ahead of the market. The gap between the token appearing on-chain and the employee's post was sixty seconds. It was caught by on-chain analysts outside the company, not by internal monitoring. Binance suspended the employee, referred the case to law enforcement, and paid $100,000 to the whistleblowers who first reported it.

Investigation of Employee Misconduct Incident
On December 7, 2025, Binance’s internal audit department received a report alleging that a Binance employee had used insider information to post on official social media and improperly obtain personal gain. We immediately launched an…
— Binance Futures (@BinanceFutures) December 8, 2025

Outside crypto, the same model runs through telecoms. Carrier employees have been offered flat payments — documented cases range from around $300 to $10,000 per action — to facilitate SIM swaps that hand attackers control of a target's phone number and, by extension, any account protected by SMS authentication. In March 2025, T-Mobile was ordered to pay $33 million in arbitration after an insider-facilitated swap enabled the theft of a customer's cryptocurrency holdings.

Across these cases, the pattern holds. No zero-days, no network intrusions. The access was already there.

How Insider Recruitment Works

Threat intelligence reporting from ZeroFox points to a recruitment pipeline that is becoming more structured. In one documented campaign, actors explicitly targeted employees at major platforms including Coinbase, Binance and Robinhood, publishing recruitment criteria and contact instructions on underground forums.

Initial outreach surfaces on dark web forums or in closed Telegram and Discord channels.
Posts name specific companies and specific roles — customer support agents, compliance staff, contractors, outsourced service providers. From there, conversations move to private encrypted channels. Before any payment is discussed, a prospective insider is typically asked to provide proof of access: screenshots, short recordings, or sample data pulls.

What is being purchased depends on the target. Sometimes it is raw tool access. Sometimes it is more specific — customer records, account metadata, the ability to watch internal workflows in real time. Partial visibility is often sufficient to support follow-on phishing, targeted fraud, or extortion based on threatened data exposure. According to research from Check Point, compensation for one-time access or specific data typically falls between $3,000 and $15,000, depending on privilege level.

Intermediaries who recruit insiders have been paid around $5,000 per placement, plus a cut of profits — sometimes as high as 15% — generated through that access.

Some of the datasets used for outreach reportedly contain hundreds of millions of contact records, according to ZeroFox.

The cost of acquisition is low relative to the potential return. That is the core of why the model scales.

In some cases, relatively small payments have enabled access that later resulted in multi-million dollar losses or gains, depending on how that access was used.

Why Crypto is Exposed

Crypto platforms combine several features that create particular vulnerability here. They run continuously, with distributed teams across time zones. Customer support is large, frequently fragmented, and often outsourced. Internal tools need to be accessible enough to resolve issues at speed — which pulls against the kind of access controls that would limit exposure.

The assets are liquid. Transactions are irreversible.
And even when funds are not directly reachable, the data — balances, transaction history, identity documents — has independent value in downstream fraud.

The support layer is not the most privileged environment on any platform. But it is one of the hardest to lock down without degrading the service it is meant to provide.

What Firms are Changing

Exchanges and brokers are shifting toward limiting what insiders can do inside systems. Support roles are being scoped down to narrower data views, with explicit separation between read access and anything that could affect funds. Permissions are session-based and time-limited rather than persistent. No single role is intended to hold end-to-end control over a sensitive operation.

Behavioural monitoring has moved beyond login tracking. This includes monitoring large data queries, repeated access to high-value accounts, and unusual navigation patterns — often with session recording in workflows that touch sensitive data. The incidents that prompted these changes, in several cases, ran undetected for months despite all access being technically authorised.

Contractors and outsourced teams face tighter defaults and more frequent review. Some firms have begun monitoring dark web forums and encrypted channels for signs that their staff are being actively recruited.

The goal is to ensure that legitimate access, in the wrong hands, can do as little as possible.

Kraken's incident did not produce a breach. But it points to something more structural. For attackers, the question is now about finding someone who is already inside.

This article was written by Tanya Chepkova at www.financemagnates.com.
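
Two of the behavioural signals named under "What Firms are Changing", large data queries and repeated access to high-value accounts, can be evaluated over a support tool's audit log even when every access is authorised. The Python below is an added example, not code from Kraken or any firm mentioned in the article; the event format, field names, thresholds and sample events are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit events from a hypothetical support tool:
# (timestamp, agent, action, account_id, rows_returned, high_value_account)
EVENTS = [
    ("2025-01-10T08:00:00", "a.lee", "view", "acct-101", 1, True),
    ("2025-01-10T09:00:00", "c.ng", "view", "acct-201", 1, True),
    ("2025-01-10T09:05:00", "c.ng", "view", "acct-202", 1, True),
    ("2025-01-10T09:10:00", "a.lee", "view", "acct-102", 1, False),
    ("2025-01-10T09:12:00", "c.ng", "view", "acct-203", 1, True),
    ("2025-01-10T09:20:00", "c.ng", "view", "acct-204", 1, True),
    ("2025-01-10T09:45:00", "c.ng", "query", None, 2000, False),
    ("2025-01-10T10:30:00", "a.lee", "view", "acct-103", 1, True),
    ("2025-01-10T12:00:00", "a.lee", "view", "acct-104", 1, True),
    ("2025-01-10T13:30:00", "a.lee", "view", "acct-105", 1, True),
    ("2025-01-10T13:40:00", "a.lee", "query", None, 40, False),
]

WINDOW = timedelta(hours=1)      # assumed look-back window
MAX_ROWS_PER_QUERY = 500         # assumed ceiling for a single support query
MAX_HIGH_VALUE_ACCOUNTS = 3      # assumed distinct high-value views per window


def detect(events):
    """Return (agent, signal, timestamp) alerts for authorised-but-unusual access."""
    alerts = []
    recent = defaultdict(deque)  # agent -> (time, account) of high-value views
    for ts_s, agent, action, account, rows, high_value in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_s)
        if action == "query" and rows > MAX_ROWS_PER_QUERY:
            alerts.append((agent, "bulk_query", ts_s))
        if action == "view" and high_value:
            views = recent[agent]
            views.append((ts, account))
            while ts - views[0][0] > WINDOW:   # drop views outside the window
                views.popleft()
            if len({acct for _, acct in views}) > MAX_HIGH_VALUE_ACCOUNTS:
                alerts.append((agent, "high_value_sweep", ts_s))
                views.clear()                  # one alert per sweep
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

In the sample data, a.lee touches four high-value accounts across the day without alerting because the views fall outside one window, while c.ng's four views in twenty minutes and one oversized query both alert.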