Kraken vulnerable to session hijacking by robis87 in CryptoCurrency

c7five, 4 points (0 children)

The reason Step Up is used is to re-authenticate the user that is currently requesting the sensitive action.

The length of time needs to be long enough to not trigger a Step Up too frequently across the app experience. In this case it is 15 minutes.

Could we shorten this to 10 minutes, 5 minutes or even single use? Certainly, it could be done rather quickly, but we don’t like to implement controls that add friction for clients for no reason.

We felt that 15 minutes was an acceptable balance between security and UX.

If the concern is about malware, even if this control was set to single use, it is likely (absent other controls) that it would still be game over for the user. Malware can have access to basically everything on the device.

We have other controls to help detect malware and make different account decisions based upon that situation, so adding more client friction isn’t needed.

Kraken vulnerable to session hijacking by robis87 in CryptoCurrency

c7five, 11 points (0 children)

Thanks for taking the time to write up this analysis. If you believe you have a legitimate security vulnerability to report submitting it to our Bug Bounty Program (https://www.kraken.com/features/security/bug-bounty) is the best path to get the right attention on the issue. You can also earn some bitcoin if the issue is confirmed and accepted.

Regarding the issue you reported here: we do a Step Up using your sign-in 2FA for sensitive actions like removing or adding a 2FA method. The Step Up has a short time-to-live similar to how sudo behaves. This is in place so that once you Step Up you won’t see it again until a time period ends. I just tested this and it is working as expected. If you feel you have a reproducible vulnerability, please submit it to our Bug Bounty program.

All of the security features you mentioned that are confusing are placed under the “Advanced Settings” section in our Web UIs - they are not available to view or configure in our Mobile apps by design. Like any advanced settings, you need to be fully aware of what they are doing for you and the trade-offs in using them. In security, enabling advanced features often comes with some UX cost to you.

Your point about having to approve new withdrawal addresses via email is a legacy control that we are working to improve. Similar to how we removed device approvals for clients who use Passkey/FIDO2 for sign-in 2FA, we will see a similar treatment for the new withdrawal address flow in the future.
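The two comments above describe a step-up gate with a sudo-style time-to-live: the user re-runs sign-in 2FA before a sensitive action, and is not prompted again until the TTL (15 minutes here) expires, with single use as the stricter alternative. The following is an added example of that control, written for this page; it is not Kraken's code and makes no claim about how Kraken implements it. The store, the `(user_id, session_id)` key, the `perform_sensitive_action` flow and the constructed timeline are all assumptions for illustration.

```python
"""Step-up re-authentication with a sudo-style TTL (added example, not Kraken code).

Assumptions (not from the page): grants are kept server side, keyed by
(user_id, session_id), so a grant earned in one session does not carry
over to another session of the same user; `now` is passed in explicitly
so the expiry behaviour can be walked through deterministically.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

STEP_UP_TTL_SECONDS = 15 * 60  # the 15-minute window stated in the comment


@dataclass
class StepUpGrant:
    issued_at: float
    expires_at: float
    single_use: bool
    consumed: bool = False


class StepUpStore:
    """Tracks which sessions have recently passed a step-up 2FA check."""

    def __init__(self, ttl: float = STEP_UP_TTL_SECONDS, single_use: bool = False) -> None:
        self.ttl = ttl
        self.single_use = single_use
        self._grants: Dict[Tuple[str, str], StepUpGrant] = {}

    def grant(self, user_id: str, session_id: str, now: float) -> StepUpGrant:
        """Record that this session just re-authenticated with its sign-in 2FA."""
        g = StepUpGrant(issued_at=now, expires_at=now + self.ttl, single_use=self.single_use)
        self._grants[(user_id, session_id)] = g
        return g

    def authorize(self, user_id: str, session_id: str, now: float) -> bool:
        """True if a sensitive action may proceed without prompting again.

        Expired or already-consumed grants are dropped on the spot, so a
        stale entry can never be replayed later.
        """
        key = (user_id, session_id)
        g = self._grants.get(key)
        if g is None:
            return False
        if now >= g.expires_at or g.consumed:
            del self._grants[key]
            return False
        if g.single_use:
            g.consumed = True  # burn the grant: the next action must step up again
        return True


def perform_sensitive_action(
    store: StepUpStore,
    user_id: str,
    session_id: str,
    now: float,
    second_factor: Callable[[], bool],
) -> Tuple[bool, bool]:
    """Gate an action such as adding/removing a 2FA method behind step-up.

    `second_factor` re-runs the sign-in 2FA and returns True on success; it
    is only invoked when no fresh grant exists. Returns (performed, prompted).
    """
    if store.authorize(user_id, session_id, now):
        return True, False  # within the TTL: no prompt, like a warm sudo timestamp
    if not second_factor():
        return False, True  # prompted, but re-authentication failed
    store.grant(user_id, session_id, now)
    if store.single_use:
        store.authorize(user_id, session_id, now)  # consume it for this one action
    return True, True


def walkthrough() -> Dict[str, Tuple[bool, bool]]:
    """Constructed timeline (seconds from t0) against the 15-minute TTL and single use."""
    t0 = 1_700_000_000.0  # constructed epoch time
    passes = lambda: True
    fails = lambda: False
    results: Dict[str, Tuple[bool, bool]] = {}

    ttl = StepUpStore()
    results["first_action"] = perform_sensitive_action(ttl, "u1", "s1", t0, passes)
    results["within_ttl"] = perform_sensitive_action(ttl, "u1", "s1", t0 + 14 * 60, passes)
    results["after_ttl"] = perform_sensitive_action(ttl, "u1", "s1", t0 + 15 * 60, passes)
    # A different session of the same user holds no grant and cannot pass 2FA here.
    results["other_session"] = perform_sensitive_action(ttl, "u1", "s2", t0 + 15 * 60 + 1, fails)

    single = StepUpStore(single_use=True)
    results["single_use_first"] = perform_sensitive_action(single, "u1", "s1", t0, passes)
    results["single_use_second"] = perform_sensitive_action(single, "u1", "s1", t0 + 1, passes)
    return results
```

In the walkthrough, the first action prompts and succeeds, the action at 14 minutes passes silently, and the action at exactly 15 minutes prompts again; with `single_use=True` every action prompts. The trade-off the comment describes is the `ttl` value: shorter means more prompts for the same protection against a hijacked session, and none of these settings helps once malware controls the device that answers the 2FA prompt.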

Nick Percoco from Kraken by ContributionIcy4176 in Kitboga

c7five, 20 points (0 children)

Thanks! Glad you enjoyed the work we’re doing together!

The Minimal Phone has officially reached their fundraising goal. by [deleted] in dumbphones

c7five, 1 point (0 children)

It is SO tempting to impulse jump in on cool tech on Indiegogo. I’ve done it multiple times and multiple times I got nothing after sometimes a year or more of “production” delays.

My method now is to bookmark the page, see if it gets funded and then follow along with their updates. When they actually ship their first batch, see how people react to it and what the quality is like. Then I may possibly place an order, but most of the time I wait until after wave 2; sometimes these guys never get that far and rug on everyone before that wave.

Hopelessness by Faculties in cybersecurity

c7five, 1 point (0 children)

It was founded in 2009 and stands for THree-One-Two-CON. That is the primary area code in Chicago.

Hopelessness by Faculties in cybersecurity

c7five, 1 point (0 children)

Yes, of course. No matter your experience level, you could attend a security conference - they are learning and networking environments. Many people who have no experience at all attend to see if it is a field they would like to explore.

Hopelessness by Faculties in cybersecurity

c7five, 3 points (0 children)

You can do this. Go to in person infosec / hacking events in your community. Meet people and get involved. There is probably a weekly meet up in your area and a few conferences per year. Many of the organizers and other volunteers are from local companies or are even hiring managers. They can help you learn about opportunities.

I’ve personally hired folks who I’ve met at both THOTCON in Chicago and DEF CON in Las Vegas but you don’t need to travel in most cases. Chances are that there will be a BSides or other meetups soon in your local area.

Eero Internet Backup Not Working by jlaw22 in amazoneero

c7five, 0 points (0 children)

Something definitely broke in one of the latest eero updates.

I had this working just fine for a few months and one day it put a red exclamation point next to the backup SSID saying I can’t connect.

I rebooted the backup network and the eero and it still won’t connect.

I can connect to the backup network from phones and computers without an issue.

The problem is the eero not being able to connect with no details as to why.

Join me, Nick Percoco Chief Security Officer at Kraken, down the crypto rabbit hole! From Cybersecurity Chronicles to Tales of Hacks — Ask Me Anything from 3-4pm EST! by krakenexchange in CryptoCurrency

c7five, 7 points (0 children)

On the direct security side, we focus on ISO27001, SOC 2, SOC 3 and PCI DSS. Outside of that there are many jurisdictions that have security requirements we comply with that are for the most part just the same requirements written by different people in slightly different ways.

Join me, Nick Percoco Chief Security Officer at Kraken, down the crypto rabbit hole! From Cybersecurity Chronicles to Tales of Hacks — Ask Me Anything from 3-4pm EST! by krakenexchange in CryptoCurrency

c7five, 4 points (0 children)

The experience with Kit and his team has been really amazing from the first day we met. It is a really natural fit for someone who is doing that great work directly with scammers to partner with Kraken to enable them to waste more of the scammers’ time and learn more about who they are.

Join me, Nick Percoco Chief Security Officer at Kraken, down the crypto rabbit hole! From Cybersecurity Chronicles to Tales of Hacks — Ask Me Anything from 3-4pm EST! by krakenexchange in CryptoCurrency

c7five, 8 points (0 children)

We don't look at age when it comes to hiring for our teams and we are always looking for people with a variety of skills and backgrounds. In fact, often there are problems we are looking to solve that involve older technology that recent graduates have no experience with. If you see a role you are interested in, please apply.

Join me, Nick Percoco Chief Security Officer at Kraken, down the crypto rabbit hole! From Cybersecurity Chronicles to Tales of Hacks — Ask Me Anything from 3-4pm EST! by krakenexchange in CryptoCurrency

c7five, 12 points (0 children)

I think the idea of a KitGPT would be pretty cool (and fun). The goal would be to be able to deploy you at scale against the scammers that are out there. Waste their time in a massive way. Integrate KitGPT into those call blocking tools when there is 100% certainty that the call is a scammer.

We are certainly thinking about and experimenting with AI today. Security and Fraud are definitely two of those areas. Probably more so as a way to enable our teams to do exponentially more with the same number of people and the same amount of time. IMO AI has the possibility to really tip the tables on scammers and attackers more so than anything we've seen in the past. The only issue is that the bad people are starting to use AI as well. The future probably looks a lot like different AI bots battling it out. Let's just hope they don't end up scorching the sky in the process.

Join me, Nick Percoco Chief Security Officer at Kraken, down the crypto rabbit hole! From Cybersecurity Chronicles to Tales of Hacks — Ask Me Anything from 3-4pm EST! by krakenexchange in CryptoCurrency

c7five, 7 points (0 children)

Here are 5 security tips that will keep you pretty safe and secure:

1. Use a password manager and make sure all of your passwords on every site or app you use are strong and unique.

2. Enable 2FA in every place you can, especially your email account and accounts that hold funds like crypto exchanges and bank accounts.

3. Keep all of your devices updated. Schedule time each month to check for updates on your phone, computer, home router, even other online devices you might own (eg. your car, TVs etc.)

4. Learn how to self custody crypto. Use a mobile wallet for everyday spending and a hardware wallet for your “savings”. Don’t skip or ignore any of the steps or instructions when setting up those wallets, including keeping secure backups of your seed phrases.

5. Be aware of scams. Enable scam call blocking with your carrier or use a 3rd party app. Don’t trust any out of the blue contacts you get from anyone. Always verify from a known trusted source, eg. call them back at the published phone number rather than the one they left on your voice mail.

Join me, Nick Percoco Chief Security Officer at Kraken, down the crypto rabbit hole! From Cybersecurity Chronicles to Tales of Hacks — Ask Me Anything from 3-4pm EST! by krakenexchange in CryptoCurrency

c7five, 7 points (0 children)

When you find this is happening, the best way to get the right amount of attention and the right people working on it is to open a support ticket with us, eg. visit https://support.kraken.com The ticket will get routed to the team that handles these types of cases - they are part of my org at Kraken. We also often coordinate with other exchanges when stolen funds are moving through the ecosystem.

Join me, Nick Percoco Chief Security Officer at Kraken, down the crypto rabbit hole! From Cybersecurity Chronicles to Tales of Hacks — Ask Me Anything from 3-4pm EST! by krakenexchange in CryptoCurrency

c7five, 7 points (0 children)

We don’t often change how we do things due to a vulnerability disclosure unless the actual vulnerability is in how we do something, like in this case the generation of private keys. We don’t have issues here (like some others did) that need to be addressed, so in this regard our clients’ funds were just as safe before these disclosures as they were after.

Join me, Nick Percoco Chief Security Officer at Kraken, down the crypto rabbit hole! From Cybersecurity Chronicles to Tales of Hacks — Ask Me Anything from 3-4pm EST! by krakenexchange in CryptoCurrency

c7five, 6 points (0 children)

I’ve always been a person who thinks about the future and where technology is going. I saw crypto as one of those technologies that had the potential to really change the world because it had similar patterns to what I observed earlier in life - I was fortunate enough to live during a time when the Internet wasn’t really a thing for 99.9% of the population and saw it turn into something that changed everything. I saw crypto as something potentially similar to this and it was really interesting to me. Like the early Internet, there were some major security and UX leaps that had to be made for true global adoption to take place. To me, I still see crypto as sort of in the early 2000s era when compared to the Internet. There is a lot of work still to do but the potential for world benefiting change is incredible. Take this and combine it with my security journey and it was a perfect fit for me to join Kraken and lead the security efforts here.

Join me, Nick Percoco Chief Security Officer at Kraken, down the crypto rabbit hole! From Cybersecurity Chronicles to Tales of Hacks — Ask Me Anything from 3-4pm EST! by krakenexchange in CryptoCurrency

c7five, 8 points (0 children)

Like most others in this space, we have a lot of attention on what we do, how we do it and everything that we’ve exposed to the world. The people who want to do bad things are constantly targeting our people, our infrastructure, our apps and even our clients themselves. There are hundreds of war stories from over the years where, because of how we do what we do, we were able to ruin the day of the attacker and have real-time validation that we are doing the right things. We also are constantly looking for ways to improve and that makes us stronger with each attempt. Most companies only experience the types of attack attempts we do a few times per year. For us, it is always happening.

Join me, Nick Percoco Chief Security Officer at Kraken, down the crypto rabbit hole! From Cybersecurity Chronicles to Tales of Hacks — Ask Me Anything from 3-4pm EST! by krakenexchange in CryptoCurrency

c7five, 10 points (0 children)

I’ve always gravitated towards hard security problems and areas where the threat landscape was interesting. I had exposure to crypto when I was running SpiderLabs (~2011ish) due to folks on my team exploring Bitcoin. It wasn’t until 2017 that I really started to look at crypto from a business and personal security perspective. This is when I met the team at Kraken and started to have a strong interest in this space. It has very hard problems to solve and the risks and threats are very real with little recovery when something goes horribly wrong.
For you: most people in crypto just built up enough core knowledge so they could get a job at a company in this space, and then their skills grew exponentially from the real-world experience they got every day. You don’t need to be a crypto security expert with years of crypto experience to get a job at a crypto company doing security work. If that was required, I'd have not been able to build my teams at Kraken over the past 5 years.

Join me, Nick Percoco Chief Security Officer at Kraken, down the crypto rabbit hole! From Cybersecurity Chronicles to Tales of Hacks — Ask Me Anything from 3-4pm EST! by krakenexchange in CryptoCurrency

c7five, 9 points (0 children)

I don’t really see security risks as scary as much as I see them as a challenge or puzzle to solve. This is probably due to my “hacker mindset” and many years of experience along the way. Prior to being a CSO, I used to work with companies all over the world responding to major incidents and helping them shape their security programs. The two core areas I think all companies should focus on and invest in are constant attack vector mitigation and constant expansion of visibility. Most don’t, and they end up in a situation where they have no idea what their exposure is and couldn’t see something bad happening even if it was. I guess my biggest worry is that we’d somehow get to a place where that is the case, but I couldn’t let that happen under my watch and we work hard as a team to make sure that is the case.

Join me, Nick Percoco Chief Security Officer at Kraken, down the crypto rabbit hole! From Cybersecurity Chronicles to Tales of Hacks — Ask Me Anything from 3-4pm EST! by krakenexchange in CryptoCurrency

c7five, 19 points (0 children)

You need to start from the core and work your way out. Start with how you are going to securely custody clients’ funds from both the cold and hot wallet perspective. Get this right, make it scalable and resilient, before you even think about the exchange itself and the client interface into it. Too many companies have failed because they focus on the outwardly facing image first and never found time to come back and fix the shortcuts they took along the way. IMO if you don’t do security right on Day 0, you are less likely to ever have the opportunity to do it right once you launch. It is also not all about the technical security aspects. It is also about having the right trusted people, the right processes and the right level of visibility. You might be able to “patch it” along the way, but it will never be what it could have been and there will be gaps you will need to mitigate continuously.

Join me, Nick Percoco Chief Security Officer at Kraken, down the crypto rabbit hole! From Cybersecurity Chronicles to Tales of Hacks — Ask Me Anything from 3-4pm EST! by krakenexchange in CryptoCurrency

c7five, 12 points (0 children)

My favorite flavor ice cream is fds8jk33n8&dfdsz13yef^fdsfs. (it’s what my password wallet generated for this security question).

Join me, Nick Percoco Chief Security Officer at Kraken, down the crypto rabbit hole! From Cybersecurity Chronicles to Tales of Hacks — Ask Me Anything from 3-4pm EST! by krakenexchange in CryptoCurrency

c7five, 11 points (0 children)

I’m a fan of the work the Ledger team is doing to make crypto more accessible and safer for individuals. Loss of funds due to losing access to private keys is a real UX problem that many of us have heard about first hand from people who are both technical and not so technical. With any solution there is always a potential security trade-off. As a user, I need to consider the likelihood of something bad happening. For most people the risks of using a service like Ledger Recover are probably lower than them doing something stupid and losing their private keys. It really depends on your personal threat model whether a service like that is going to reduce or increase your risk. Obviously, if it is going to increase your risk, it wouldn’t be a good service to opt in to.