
Nick Percoco, Kraken's Chief Security Officer, shared on X that the exchange recently faced an extortion attempt. A criminal group threatened to release videos allegedly showing access to Kraken's internal systems and customer data.
Kraken chose not to pay. This isn't the first time they've dealt with something like this. In a previous incident, they identified the employee responsible for the breach, revoked their access, and notified affected users. This time, they're following the same playbook: the culprit has been found and neutralized, and users have been informed.
But is that the right approach? If a company can fix the consequences of its own mistake by paying, should it do that instead of simply notifying customers who are now dealing with the fallout? After all, any company is responsible for the actions of its employees carried out in the course of their work.
Imagine you're a Kraken customer. What would you prefer: that the company takes steps to contain the damage, even if it means paying criminals, or that it refuses to reward extortionists?
Of course, the safest option is not to hand over your personal data in the first place. That's exactly why rabbit.io doesn't ask for any personal information when you make an exchange. But if something like this did happen, would you support a platform choosing not to pay?