On April 1, 2026 (UTC+8), a high-net-worth Kraken user fell victim to a social engineering attack, and a large amount of funds was silently transferred out within a few hours. According to on-chain data and media reports, the attacker gained control of the user's account, withdrew 8,662 ETH from the exchange, and completed a full set of "escape procedures" involving cross-chain transfers, asset conversion, and deposits at a downstream exchange in roughly 6 hours. The incident again brings an old problem to the forefront: centralized exchanges have steadily hardened their defenses with cold wallets, multi-signature schemes, and the like, but when faced with attacks that bypass the system entirely and target the individual, those defenses look thin and the reactions slow.
The 6-Hour Escape Route: From Kraken Withdrawal to Vanishing Funds
Reconstructing the timeline shows an almost uninterrupted transfer of funds. On April 1, the compromised Kraken account began withdrawing large amounts of cryptocurrency. After 8,662 ETH had been withdrawn in batches, the funds did not sit on-chain for long but were quickly routed into a cross-chain tool. Analysts such as EmberCN captured the fund trajectory in near real time, showing that the ETH was sent to THORChain, where it was swapped and repackaged across chains.
On THORChain, the attacker swapped 878 ETH for 26.5 BTC, while the remaining 7,784 ETH continued to move as ETH. After the swap, the BTC, together with most of the remaining ETH, was ultimately routed to the downstream exchange HitBTC. According to on-chain data aggregated by outlets such as Rhythm and Planet Daily, 7,784 ETH and 26.5 BTC were the final assets at the end of this escape route, and the whole process, from withdrawal at Kraken to credit at HitBTC, took only about 6 hours.
It is worth emphasizing that the key figures on the path and amounts come almost entirely from on-chain tracking and public analysis by third-party researchers, not from any complete post-incident review by Kraken. The theft of 8,662 ETH, the swap of 878 ETH for 26.5 BTC, and the final flow of 7,784 ETH and 26.5 BTC into HitBTC are supported primarily by the on-chain analysis of EmberCN and others. In other words, while the exchange stayed silent, the public, transparent traceability of the chain became the main window through which outsiders could understand what actually happened.
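The kind of tracing described above is, at its core, forward taint propagation over a transaction graph, with one extra step where funds leave one chain through a swap router and reappear on another. The following is an added example written for this article, not code from EmberCN, Kraken, or any tracing vendor. Every address, transaction id, amount, and label is constructed for illustration; the amounts echo the route reported in the article but are not real on-chain data, and the router-swap link is a hypothetical mapping that in practice would come from the router's own swap records.

```python
"""Forward taint tracing over a constructed transaction graph.

Added example, not code from the original article, from EmberCN or from any
exchange. Every address, tx id, amount and label below is constructed for
illustration; the numbers mirror the route described in the article but are
NOT real on-chain data.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    chain: str
    tx: str
    src: str
    dst: str
    amount: float
    asset: str


# Constructed ledger: a compromised account drains ETH through two hop
# addresses, pushes part of it into a cross-chain router, and the rest lands
# on an exchange deposit address. tx7 is clean money from an unrelated wallet
# and must not be counted.
LEDGER = [
    Transfer("eth", "tx1", "0xVICTIM", "0xHOP1", 5000.0, "ETH"),
    Transfer("eth", "tx2", "0xVICTIM", "0xHOP2", 3662.0, "ETH"),
    Transfer("eth", "tx3", "0xHOP1", "0xROUTER", 878.0, "ETH"),
    Transfer("eth", "tx4", "0xHOP1", "0xDEPOSIT_A", 4122.0, "ETH"),
    Transfer("eth", "tx5", "0xHOP2", "0xDEPOSIT_A", 3662.0, "ETH"),
    Transfer("btc", "tx6", "bcROUTER_OUT", "bcDEPOSIT_B", 26.5, "BTC"),
    Transfer("eth", "tx7", "0xUNRELATED", "0xDEPOSIT_A", 10.0, "ETH"),
]

# Hypothetical attribution labels a tracing team maintains by hand.
LABELS = {
    "0xROUTER": "crosschain_router",
    "0xDEPOSIT_A": "exchange_deposit:HitBTC",
    "bcDEPOSIT_B": "exchange_deposit:HitBTC",
}

# Hypothetical link between a router inbound tx and its outbound leg on the
# other chain (in practice recovered from the router's own swap records).
ROUTER_SWAPS = {"tx3": "tx6"}


def trace(ledger, start, labels, router_swaps):
    """Propagate taint forward from `start`; return alerts for exchange deposits.

    Uses the simple "poison" heuristic: every output of a tainted address is
    tainted in full. This over-approximates when a tainted address also holds
    clean funds, which is acceptable for alerting but not for attribution.
    """
    by_src = defaultdict(list)
    by_tx = {}
    for t in ledger:
        by_src[t.src].append(t)
        by_tx[t.tx] = t

    hops = {start: 0}              # address -> hop distance from the start
    received = defaultdict(float)  # (address, asset) -> tainted amount received
    queue = deque([start])

    def mark(addr, hop):
        if addr not in hops:
            hops[addr] = hop
            queue.append(addr)

    while queue:
        addr = queue.popleft()
        for t in by_src[addr]:
            received[(t.dst, t.asset)] += t.amount
            mark(t.dst, hops[addr] + 1)
            # Cross-chain leg: follow this swap to its outbound tx instead of
            # tainting the router's entire outbound wallet.
            if labels.get(t.dst) == "crosschain_router" and t.tx in router_swaps:
                out = by_tx[router_swaps[t.tx]]
                received[(out.dst, out.asset)] += out.amount
                mark(out.dst, hops[addr] + 2)

    alerts = []
    for (dst, asset), amount in sorted(received.items()):
        label = labels.get(dst, "")
        if label.startswith("exchange_deposit:"):
            alerts.append({
                "exchange": label.split(":", 1)[1],
                "address": dst,
                "asset": asset,
                "tainted_amount": round(amount, 8),
                "hops": hops[dst],
            })
    return alerts


if __name__ == "__main__":
    for alert in trace(LEDGER, "0xVICTIM", LABELS, ROUTER_SWAPS):
        print(alert)
```

Run on the constructed ledger, the tracer reports 7,784 ETH of tainted value on the ETH deposit address two hops from the victim and 26.5 BTC on the BTC deposit address three hops away, while ignoring the unrelated 10 ETH. The deliberate weakness is the "poison" heuristic: it never apportions mixed inputs, so a real investigation would switch to FIFO or proportional taint once funds reach addresses that also hold clean balances.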
Social Engineering Targets the Weak Spot in Wealthy Users' Concentrated Holdings
From the information available, the core of this incident was not a technical breach of Kraken's systems but a typical social engineering attack, which bypasses technical defenses entirely and targets high-net-worth users as "high-value single points." Commentators at Golden Finance and elsewhere note that high-net-worth accounts tend to hold concentrated assets and carry high authorization limits, so a lapse in personal security habits exposes them to far more risk than an ordinary user. Such attacks manipulate people rather than technology: they happen on the user's side, but the loss is magnified at the asset layer of the centralized exchange.
Compared with matching engines, cold wallet isolation, and other technical components that can be hardened with code and architecture, social engineering is hard to defend against because it blends into the user's everyday workflow and disguises itself as normal behavior. No matter how sophisticated a risk control system is, it struggles to tell whether a user acted voluntarily or was misled, induced, or even coerced into executing a transfer or authorization; on-chain, the transaction is simply a withdrawal request carrying a valid signature. In practice the pretext can be anything from an account security notice, an investment pitch, or a device replacement to an abnormal login alert, but the specific technique used here has not been disclosed, which gives risk control and security teams little to anticipate.
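Since the signature on a coerced withdrawal is just as valid as on a voluntary one, the only thing a platform-side risk engine can score is the context around the request. The following is an added example written for this article; it is not Kraken's or any exchange's real risk engine. The event schema, thresholds, address names, and sample account history are all hypothetical, but the rules are the ones account-takeover drains usually trip: a freshly added destination address, a security-sensitive change shortly before, and a drain velocity out of proportion to the balance.

```python
"""Context-based withdrawal risk scoring for a centralized exchange.

Added example, not Kraken's (or any exchange's) actual risk engine. A valid
signature says nothing about whether the user was coerced, so this scores the
context of a withdrawal request instead: how recently the destination address
was added, whether a security-sensitive change preceded it, and how fast the
account is being drained. Event schema, thresholds and sample data are all
hypothetical.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Event:
    kind: str              # address_added, twofa_reset, new_device_login, withdrawal
    ts: datetime
    address: str = ""
    amount: float = 0.0


@dataclass(frozen=True)
class Policy:
    new_address_hours: int = 24      # destination added within this window is suspicious
    security_change_hours: int = 24  # 2FA/device/password changes within this window
    velocity_hours: int = 6          # drain-velocity lookback
    large_fraction: float = 0.25     # single request >= this share of balance
    drain_fraction: float = 0.5      # window total + request >= this share of balance
    hold_score: int = 5
    stepup_score: int = 2


@dataclass
class Decision:
    action: str
    score: int
    reasons: list = field(default_factory=list)


SECURITY_CHANGES = {"twofa_reset", "password_reset", "new_device_login"}


def assess(now, address, amount, balance, events, policy=Policy()):
    """Score one withdrawal request against the account's recent history."""
    score, reasons = 0, []

    def within(ts, hours):
        return now - ts < timedelta(hours=hours)

    added = [e.ts for e in events if e.kind == "address_added" and e.address == address]
    if not added:
        score += 3
        reasons.append("destination address never allowlisted")
    elif within(max(added), policy.new_address_hours):
        score += 3
        reasons.append("destination address added within %dh" % policy.new_address_hours)

    if any(e.kind in SECURITY_CHANGES and within(e.ts, policy.security_change_hours)
           for e in events):
        score += 3
        reasons.append("security-sensitive change within %dh" % policy.security_change_hours)

    if balance > 0 and amount / balance >= policy.large_fraction:
        score += 2
        reasons.append("single request is %.0f%% of balance" % (100 * amount / balance))

    recent = sum(e.amount for e in events
                 if e.kind == "withdrawal" and within(e.ts, policy.velocity_hours))
    if balance > 0 and (recent + amount) / balance >= policy.drain_fraction:
        score += 3
        reasons.append("%.0f%% of balance withdrawn within %dh"
                       % (100 * (recent + amount) / balance, policy.velocity_hours))

    if score >= policy.hold_score:
        action = "hold_and_verify_out_of_band"  # human review plus a second channel
    elif score >= policy.stepup_score:
        action = "step_up_auth"
    else:
        action = "allow"
    return Decision(action, score, reasons)


T0 = datetime(2026, 4, 1, 8, 0, tzinfo=timezone.utc)

# Constructed account-takeover pattern: new device, new address, rapid drain.
TAKEOVER_EVENTS = [
    Event("address_added", T0 - timedelta(days=400), address="0xOLD"),
    Event("new_device_login", T0 - timedelta(hours=3)),
    Event("address_added", T0 - timedelta(hours=2), address="0xNEW"),
    Event("withdrawal", T0 - timedelta(hours=1), address="0xNEW", amount=2000.0),
    Event("withdrawal", T0 - timedelta(minutes=30), address="0xNEW", amount=2000.0),
]

# Constructed routine behaviour: long-standing address, no security changes.
ROUTINE_EVENTS = [Event("address_added", T0 - timedelta(days=400), address="0xOLD")]


if __name__ == "__main__":
    print(assess(T0, "0xNEW", 3000.0, 9000.0, TAKEOVER_EVENTS))
    print(assess(T0, "0xOLD", 100.0, 9000.0, ROUTINE_EVENTS))
```

On the constructed takeover history the third batch trips all four rules (score 11) and is held for out-of-band verification, while a 100 ETH withdrawal to a year-old address with no recent security changes is allowed. The hold is the important part: a rule like this cannot prove coercion, but it buys the minutes a second-channel confirmation needs, which is exactly the time the 6-hour route in this incident did not leave.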
This is not an isolated trend. In 2025, similar social engineering attacks caused more than 300 million USD in cumulative losses to CEX users worldwide, which shows that this is not a one-off black swan but a repeatedly validated and reused criminal playbook. Each success draws in new imitators and produces a persistent "experience accumulation effect": attackers grow ever more familiar with exchange processes and user psychology, while defenses on both the platform and the user side remain largely reactive.
THORChain and the Grey Channel of No-KYC Exchanges
In choosing a path for the funds, the attacker did not simply move them from point A to point B but used a cross-chain protocol and a no-KYC exchange to build a fast, obfuscated channel. A tool like THORChain serves first to reorganize assets across different public chains quickly, turning a trail that is visible on a single chain into a network interwoven across several; second, the on-chain swap converted part of the funds from ETH to BTC, further eroding the simplicity of address tracking and asset identification.
Several media outlets linked the choice of HitBTC as the endpoint to its lack of KYC. Planet Daily cited market voices saying that exchanges without strict identity verification naturally tend to become the "final landing place" for sensitive funds: there the funds are split further, traded against each other, or moved on to other chains or CEXs until they are substantially decoupled from the original path. For the attacker this widens the room for subsequent laundering and cashing out; for trackers, once funds enter such a black box the downstream path inevitably becomes obscured and fragmented.
Cross-chain protocols and no-KYC exchanges together form a typical grey area under the current regulatory framework. The former emphasizes decentralization and open liquidity, the latter sells low barriers to entry, and where the two overlap they are routinely exploited by illicit funds to build migration routes that are harder to monitor. For ordinary users the signal is not reassuring: even someone who never touches grey assets sees their sense of security eroded when the platform holding their funds connects so naturally to these channels, because once an incident occurs and the assets are funneled into them, the odds of recovery and damage control drop sharply.
On-Chain Monitoring Wins the Race Against Time but Loses on Response Speed
Notably, in this incident the on-chain "observers" outran the clock. Analysts such as EmberCN posted real-time or near real-time updates at nearly every critical point of the fund movement, from the Kraken withdrawal to the entry into THORChain to the arrival at HitBTC, and the information spread widely on social platforms. By stark contrast, at the time the incident came to light Kraken had not issued a formal response, leaving outsiders with no idea how far internal risk control, freezing, and cooperation mechanisms had been activated.
This contrast reflects the awkward reality CEXs face today: "visible but unstoppable." Technically, on-chain monitoring tools can describe fund trajectories at minute or even finer granularity, but turning that intelligence into executable risk control actions means crossing multiple systems and institutions: the exchange's internal review process, the governance mechanisms of the cross-chain protocol, and the risk and compliance modules of the downstream receiving exchange. Hesitation or delay at any one point hands the attacker the time differential needed to complete the escape.
If, during those 6 hours, Kraken, THORChain, and HitBTC had had a more efficient collaboration link, for example quickly freezing the relevant accounts and issuing standardized red alerts to the cross-chain protocol and downstream exchanges as soon as on-chain monitoring flagged the high-risk funds, then in theory the odds of intercepting the funds and closing the loop would have been significantly higher. In reality, such multi-party coordination is constrained by the autonomous logic of decentralized protocols, the compliance boundaries of different jurisdictions, and commercial rivalry, so a unified, efficient, and reusable crisis response mechanism is hard to build in a short time.
It Will Happen Again: How Users and Platforms Can Protect Themselves
In summary, at least three weak links were exposed to the attacker at once: insufficient user awareness let the social engineering succeed; the limited reach of CEX risk control made it hard to identify and intervene in malicious but "validly signed" operations in time; and the obvious regulatory gaps around cross-chain and no-KYC channels supplied real infrastructure for the funds to cross borders. Together these factors let an attack on a single high-net-worth account grow within hours into a complex case spanning multiple chains and platforms.
For high-net-worth individuals, what can truly be controlled is the "last door" on their own side. A more pragmatic security strategy in the current environment includes: requiring multiple independent verifications for any instruction involving a large asset operation (for example, cross-confirmation on different devices); keeping high-value assets in separate "cold accounts" and using low-limit "hot accounts" for daily operations and social interactions; and, for large withdrawals or authorizations, building the habit of delayed confirmation. Spending an extra 5 minutes to change environment, reconnect the network, log in again, and verify is far more reliable than hastily clicking "confirm" under pressure or persuasion.
From an industry and regulatory perspective, such events cannot be treated as isolated incidents. Regulatory pressure on no-KYC exchanges can be expected to keep rising, making their role as a "final destination for funds" harder to sustain in the grey area; cross-chain protocols may also be required to find a new balance between compliance and openness, for example by introducing finer-grained risk labeling systems that offer optional risk control interfaces to CEXs and compliance institutions. Meanwhile, a linked monitoring network among centralized exchanges, and between CEXs and cross-chain protocols, is likely to become a central focus of the next stage of security infrastructure; only by closing the gaps in information sharing and collaboration can the industry hope to claw back some time in the next 6-hour escape.
Disclaimer: This article represents only the personal views of the author and does not represent the position or views of this platform. It is provided for information sharing only and does not constitute investment advice for anyone. Any dispute between users and the author is unrelated to this platform. If an article or image published on this page infringes rights, please send the relevant proof of rights and proof of identity to support@aicoin.com, and the platform's staff will verify it.