🟡 Trust Rating: Moderate
Kraken has one of the cleaner security records in the business: no breach that lost customer funds since it was founded in 2011 (trading launched in 2013), roughly 95% of assets in cold storage, and quarterly proof-of-reserves audits that actually include liabilities. That is the good news. The bad news is structural. Kraken is a US company running full identity verification. It handed the IRS a list of users under a court order, reports to tax authorities, and holds a complete map of who you are and every trade you make. A well-run exchange is still a surveillance chokepoint. Treat this rating as "safe to pass through," not "safe to live in."
What is Kraken?
Kraken is a cryptocurrency exchange operated by Payward Inc (its subsidiaries include Payward Ventures Inc), based in the United States, founded in 2011 (public trading launched in September 2013). It is one of the oldest exchanges still standing, which in crypto counts for a lot: it outlived Mt. Gox, QuadrigaCX, FTX, and dozens of others that vaporized customer money. You can buy and sell crypto with fiat, trade spot and futures, stake, and withdraw to your own wallet.
The reason a surveillance-skeptic site reviews Kraken at all: almost everybody needs a fiat on-ramp and off-ramp at some point, and if you are going to use a Know Your Customer (KYC) exchange, you want the one least likely to lose your money or cut corners. Kraken is a reasonable pick for that narrow job. It is a terrible pick for anything resembling privacy.
Critical Privacy Concerns
⚠️ Every KYC Exchange Is a Chokepoint. Here Is What Kraken Knows
- Mandatory identity verification. There is no anonymous tier. To trade or withdraw meaningful amounts you hand over legal name, date of birth, address, and government ID. That links your real identity to every on-chain address you ever touch.
- The IRS already made them talk. On May 5, 2021, a federal court in the Northern District of California authorized the IRS to serve a John Doe summons on Payward Ventures Inc, doing business as Kraken. It covered US taxpayers who moved at least $20,000 in a year from 2016 to 2020, and demanded names, dates of birth, taxpayer IDs, addresses, IP-address history, and full transaction records. Kraken fought it, then a court ordered compliance.
- Assume everything is reported. Kraken issues tax forms and shares data with tax authorities. Your transaction graph is not private from the government, and blockchain analytics firms can extend that graph to wallets you moved funds to.
- They are the custodian. While your crypto sits on Kraken, Kraken controls the keys. You are trusting a company, however well-run, with your money and your identity in one place.
Security Track Record
The clean part
Kraken has not suffered a breach that lost customer funds in its history going back to 2011. That is a genuinely strong claim in an industry littered with corpses. The record is not spotless on data, though: in April 2026 Kraken disclosed that rogue support-staff insiders had improperly accessed support and KYC data for roughly 2,000 accounts (about 0.02% of clients), and criminals used footage of internal systems in an extortion attempt Kraken says it refused to pay. No funds were touched, but it is a live reminder that the identity file a KYC exchange holds on you is itself a target. Roughly 95% of customer crypto is held in offline, air-gapped, multi-signature cold storage, so an attacker cracking the hot infrastructure cannot drain the vault. This is the specific thing Kraken does well, and it is why the rating is Moderate rather than Low.
The June 2024 asterisk
On June 9, 2024, a researcher reported a bug through Kraken's bug bounty program that let an account credit a deposit before it fully settled, inflating the balance. Instead of proving the flaw with a token amount and returning it, the researchers (later identified as the security firm CertiK) withdrew close to $3 million over several days, then, per Kraken, refused to return it until Kraken agreed to a speculative figure for what the bug "could have" cost. Kraken's Chief Security Officer Nick Percoco called it extortion. The money came from Kraken's own treasury, not client balances, and Percoco later confirmed the roughly $3 million was returned, minus transaction fees. Read it however you like: a patched bug, or a warning that "trust us" has limits. Either way the customer funds were never at risk, which is the point that matters for your money.
Proof of Reserves and Its Limits
Kraken publishes proof-of-reserves (PoR) audits on a quarterly schedule. An independent auditor checks that Kraken's on-chain holdings meet or exceed total client balances, and Kraken builds a Merkle tree of all balances so you can verify your own account is included without exposing anyone's data. Crucially, Kraken includes total client liabilities in the audit, which is the part cheaper "proof of reserves" theater skips: showing you have coins means nothing if you hide how much you owe.
Do not oversell it to yourself. A PoR is a snapshot on one day. It does not prove Kraken stays solvent tomorrow, does not cover off-balance-sheet debt an auditor was not shown, and is not a substitute for the coins being in your own wallet. It is better than nothing and better than most competitors. It is not the same as self-custody.
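The Merkle-tree inclusion check described above, as an added sketch that is not Kraken's code or its published record format: the leaf encoding (`account_id:balance`), the domain-separation prefixes, the odd-level duplication rule and the sample accounts are all assumptions made for illustration.

```python
import hashlib

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(account_id: str, balance: str) -> bytes:
    # Assumed leaf encoding; a production scheme would use a secret per-user
    # record ID so a leaf cannot be guessed from a known account name.
    # The 0x00/0x01 prefixes keep leaves and interior nodes from colliding.
    return _h(b"\x00" + f"{account_id}:{balance}".encode())

def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)

def build_levels(leaves):
    """Auditor side: return every tree level, leaves first, root last."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur = cur + [cur[-1]]  # pad odd levels by duplicating the last node
        levels.append([node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def make_proof(levels, index):
    """Sibling hashes from leaf to root: all that one user is ever shown."""
    proof = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        sibling = index ^ 1
        proof.append((level[sibling], sibling < index))  # (hash, sibling_is_left)
        index //= 2
    return proof

def verify_inclusion(account_id, balance, proof, root):
    """User side: recompute the root from your own record plus the proof."""
    acc = leaf_hash(account_id, balance)
    for sibling, sibling_is_left in proof:
        acc = node_hash(sibling, acc) if sibling_is_left else node_hash(acc, sibling)
    return acc == root

# Constructed sample data: five hypothetical accounts and their balances.
ACCOUNTS = [("acct-a1", "0.50000000"), ("acct-b2", "12.00000000"),
            ("acct-c3", "3.25000000"), ("acct-d4", "0.00100000"),
            ("acct-e5", "7.00000000")]
LEVELS = build_levels([leaf_hash(a, b) for a, b in ACCOUNTS])
ROOT = LEVELS[-1][0]                 # the value the auditor publishes
PROOF_C3 = make_proof(LEVELS, 2)     # what the holder of acct-c3 receives
```

A passing check shows only that your balance was counted in the published liabilities root; whether on-chain reserves cover the total is the auditor's separate comparison.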
Technical Specifications
Security Features
- Cold storage: around 95% of assets held offline in air-gapped, multi-signature vaults
- Hardware 2FA: supports FIDO/WebAuthn security keys such as YubiKey, plus TOTP authenticator apps
- Proof of reserves: quarterly, Merkle-tree based, liabilities included
- Products: spot trading, Kraken Pro (advanced order types), futures, staking, and a simple in-app instant buy
Pricing Structure
Two front ends, very different costs. The simple Kraken app charges a flat 1% on instant and recurring buys, which is a convenience tax. Kraken Pro uses a maker/taker schedule that is far cheaper. If you care about not bleeding fees, use Pro.
| Product | Fee | Notes |
|---|---|---|
| Kraken app (instant buy) | 1% flat | Simple, expensive; a convenience fee on every trade |
| Kraken Pro (base tier) | 0.25% maker / 0.40% taker | Applies at the entry volume level |
| Kraken Pro (top tier) | 0.00% maker / 0.05% taker | Reached only at very high 30-day volume |
Kraken vs. Alternatives
Kraken vs. Coinbase
- Kraken: Longer clean fund-security record, liabilities-inclusive proof of reserves, generally lower Pro fees. Same fundamental problem: full KYC, US reporting.
- Coinbase: Bigger, publicly listed, deeper US regulatory entanglement, and simple-app fees that can run higher. Same chokepoint math. See our Coinbase review.
Kraken vs. Bisq
- Kraken: Custodial, KYC, fast, liquid, and it reports you. Good for turning fiat into crypto quickly.
- Bisq: Decentralized, non-custodial, no KYC, peer-to-peer. Slower, thinner liquidity, steeper learning curve, but nobody holds your ID or your coins. If privacy is the actual goal, this is the different tool for a different job. See our Bisq review.
If You Use It Anyway: Safeguards
⚠️ Treat Kraken as a Turnstile, Not a Vault
- Withdraw to self-custody immediately. Buy, then move the coins to a hardware wallet you control. Do not park a balance on the exchange. See our Trezor and Ledger reviews.
- Use a hardware security key for 2FA. Kraken supports FIDO keys like YubiKey. A hardware key beats SMS and beats an app, and it stops SIM-swap account takeovers cold.
- Use a unique email. A dedicated address for this account only, so a leak or a phishing list somewhere else does not point at your exchange login.
- Assume everything is reported. Do not do anything on Kraken you would not put on a tax form, because effectively you are.
- Never mix identities. One Kraken account is tied to one legal identity and its whole transaction graph. Do not run separate personas through the same account, and do not bridge a "public" wallet and a "private" wallet through the same exchange.
- Keep your own records. Export your history and run it through tax software you control rather than trusting a single dashboard. See our Koinly review.
US Regulatory Posture
Kraken has been through the American regulatory grinder. In February 2023 it settled SEC charges over its staking-as-a-service program, paying $30 million and agreeing to shut that US service down. In November 2023 the SEC sued Kraken again, this time alleging it operated as an unregistered securities exchange, broker, dealer, and clearing agency. That second case was dismissed with prejudice on March 27, 2025, with no penalties, no admissions, and no required business changes, part of a wave of SEC crypto-case dismissals under the new administration alongside Coinbase and Binance. Dismissed does not mean vindicated on the merits: the SEC framed it as a policy reset, not a finding that Kraken was right. What it means for you is that Kraken is a heavily regulated US entity that answers to US agencies, which is exactly why it reports.
When to Use Kraken
Reasonable Use Cases
✅ Turning fiat into crypto when you need a reliable, liquid on-ramp and plan to withdraw immediately.
✅ Cashing out to a bank account through an exchange with a clean fund-security history.
✅ Active trading on Kraken Pro where the low maker/taker fees actually matter, as long as you accept full reporting.
Not Recommended For
❌ Storing crypto long term. Not your keys, not your coins. Move it off.
❌ Anyone who needs financial privacy. KYC plus reporting plus a proven willingness to comply with government demands means Kraken sees everything.
❌ Separating identities or wallets. Everything through one account collapses into one identity graph.
The Bottom Line
Consider Kraken if:
- You need a fiat on-ramp or off-ramp and want the operator least likely to lose your money
- You will withdraw to self-custody the moment a trade settles
- You trade enough to benefit from Kraken Pro's fee schedule and you accept that it all gets reported
Avoid Kraken if:
- You are trying to keep your crypto activity private from the government (use peer-to-peer and self-custody instead)
- You want to hold coins on the platform (you are one custodian failure or account takeover from a bad day)
- You need to keep separate identities or wallets from ever touching the same account
⚠️ Final Assessment
Kraken is a well-run turnstile. The security record is real, the proof-of-reserves work is more honest than most, and the fees on Pro are fair. None of that changes the core fact: it is a KYC exchange in the United States, it holds your identity next to your full transaction history, and it has already handed user records to the IRS under court order. Use it for what it is good at, moving between fiat and crypto, and get your coins into your own wallet as fast as you can. The moment you treat Kraken as a place to store value instead of a place to pass through, you have handed a stranger both your money and your map.
For the bigger picture on why exchanges are surveillance points, read our coverage of blockchain analysis surveillance, the reality of crypto privacy, and crypto tax surveillance. To actually get private, see our Monero setup guide.
Resources
- Kraken: Proof of Reserves
- Kraken: Fee Schedule
- US Department of Justice: Court Authorizes John Doe Summons on Kraken (2021)
- BakerHostetler: Kraken Settles SEC Staking Action for $30M (February 2023)
- American Banker: SEC Drops Enforcement Action Against Kraken (2025)
- CoinDesk: Kraken Says Researchers Turned to Extortion After Exploiting Bug for $3M (June 2024)
- Crypto Briefing: Kraken Recovers $3M From CertiK (June 2024)