Kronenberger Rosenfeld, LLP has filed a lawsuit in San Francisco Superior Court against cryptocurrency exchange Kraken and related entities. The complaint, available here, alleges that Kraken disclosed a high-value crypto investor’s private data in response to spoofed law-enforcement emails, enabling an attempted extortion scheme against this individual and his family.

The Alleged Data Disclosure

The plaintiff, proceeding as John Doe under California’s anti-doxing statute, held eight-figures in cryptocurrency in a Kraken account and in associated wallets. The complaint alleges that between May and August 2025, criminals sent at least three spoofed emails purporting to come from an Italian law enforcement agency. The complaint alleges Kraken disclosed Doe’s full name, date of birth, home address, phone numbers, and account information without any valid court order or formal legal process.

Physical Threats and Forced Flight

According to the complaint, armed with Doe’s information held by Kraken, unidentified criminal actors allegedly launched a scheme to extort Doe. On July 19, 2025, a caller identifying himself as “Daniel Li” allegedly demonstrated detailed and intimate knowledge of Doe’s account and whereabouts, and made implied threats to Doe about beating a “seed phrase” out of Doe and discussing a “5-dollar wrench” attack, which refers to physical coercion through use of a simple tool (a $5 wrench) to bypass the most sophisticated encryption by targeting the person who holds the password or private key.

The complaint alleges that Doe was compelled to flee his home out of fear for his and his family’s personal safety. The complaint further alleges that in August 2025, while Doe remained in hiding, an unknown individual gained access to his building, repeatedly rang his doorbell, and pounded on the door in an apparent attempted forced entry. As the allegations describe, a friend leaving the building was then approached and interrogated about Doe’s identity and whereabouts. The complaint alleges Doe has incurred significant ongoing security costs for himself and his family.

Kraken’s Alleged Security Failures

The complaint alleges that Kraken’s public claims of “industry-leading” security and its self-description as “a security company that operates a crypto exchange” were materially inconsistent with its actual practices. As alleged, specific failures include: responding to unverified emails rather than requiring formal legal process; disregarding a 2024 FBI warning about criminals exploiting fake emergency data requests; and waiting 39 days after allegedly discovering the breach to notify Doe—by which time the threats, surveillance, and attempted forced entry had already occurred. The complaint alleges Kraken implemented stronger verification measures only after receiving a forged court order in August 2025, weeks after Doe had already been forced into hiding. Kronenberger Rosenfeld, LLP’s investigation into this matter is ongoing.

Claims and Relief Sought

The complaint asserts claims for doxing and aiding and abetting doxing, breach of fiduciary duty, misrepresentation, breach of contract, and unfair business practices under California Business & Professions Code §§17200 and 17500. Doe seeks compensatory and punitive damages, statutory damages, attorney’s fees, and injunctive relief that would require Kraken to implement verified legal-process procedures and honor in practice the security standards it markets to consumers.

The Broader Stakes

This case illustrates the growing danger of violent attacks and extortion against cryptocurrency holders, and how companies have not taken these matters seriously enough. This case shows how a data breach in the cyberworld can result in real, devastating consequences, including serious bodily harm, extortion, or worse. This case also demonstrates that securing sensitive customer information is as important as securing the cryptocurrency itself. Criminals need not defeat cryptography when they can use personal information to locate and coerce a victim using old fashioned violence and extortion. For cryptocurrency exchanges that hold troves of sensitive accountholder data, this lawsuit is a reminder that security marketing claims, law-enforcement response programs, and breach-notification timelines all carry significant legal exposure when a customer’s safety is on the line.

See JOHN DOE v. PAYWARD VENTURES, INC. d/b/a KRAKEN, PAYWARD INC., PAYWARD EUROPE SOLUTIONS LTD. d/b/a KRAKEN, and JOHN ROES 1-100, San Francisco Superior Court, CGC-26-634771