A Kraken user appears to have lost roughly $18.2 million in cryptocurrency after a suspected social engineering attack, with stolen funds now moving across blockchains.
Kraken Account Targeted in $18M Scam as Funds Bridge to Bitcoin
Blockchain investigator ZachXBT flagged the incident on March 31, 2026, via his Telegram channel, pointing to a coordinated theft followed by rapid asset transfers designed to obscure the trail. The attacker reportedly gained access through tactics commonly tied to phishing or impersonation schemes, rather than exploiting a technical flaw in the exchange itself.
Initial movements show funds being bridged from the Ethereum network to Bitcoin using Thorchain, a decentralized protocol that allows assets to move between blockchains without centralized intermediaries. Onchain data indicates that roughly 878 ether, valued at about $1.8 million at the time, was part of the early laundering flow tied to the incident.
The transfers are reportedly being routed through a Safepal wallet, adding another layer of separation as the attacker shifts funds between chains and addresses. Analysts have identified multiple wallet addresses linked to the theft, including a primary ether address and additional associated accounts, along with a bitcoin destination address receiving bridged funds.
These addresses are now being tracked in real time by onchain analysts as the funds continue to move, often in quick succession, a common tactic used to reduce traceability. The incident reflects a broader pattern seen throughout 2026, where social engineering remains one of the most effective methods for draining user funds in the digital asset space.
Rather than targeting smart contract vulnerabilities, attackers increasingly focus on human behavior, convincing victims to reveal seed phrases, approve malicious transactions, or interact with fraudulent support channels. In many cases, the approach involves impersonating exchange staff or wallet providers, creating a false sense of urgency that pushes users to bypass standard security precautions.
The case highlights the risks tied to account-level access and user-side security practices. Security specialists continue to recommend that users avoid sharing private keys or recovery phrases under any circumstances and verify all communications claiming to be from exchanges.
Additional safeguards such as hardware wallets, two-factor authentication, and withdrawal whitelists can help reduce exposure, particularly for large holdings.
FAQ 🔎
- What happened in the Kraken $18.2M crypto theft?
A user lost funds after a suspected social engineering attack that allowed an attacker to access and move assets.
- How were the stolen funds moved?
The attacker bridged assets from Ethereum to Bitcoin using Thorchain and routed them through multiple wallets.
- How can crypto users avoid similar scams?
Users should never share private keys, verify all communications, and enable security features like 2FA and hardware wallets.
