Whoever is doing the DDoS is probably doing it to manipulate price and of course they are going to try to cause trouble right when the market starts to move and is most ripe for manipulation.
If your website is down and API unaccessible how is price moved? Who can place market orders while all the rest can't? Why the attackers are so confident they can trade at Kraken while all the rest can't?
We are investigating to see if we can find a connection between the DDoS and trading on our site and will take appropriate action if we can identify someone, but it may be very hard to do so.
Is there a customer or group of customers that have privileged access to your trading engine? They must also have access to the order book, including hidden orders! They can profit only if they know at what price level majority of 'take profit' and 'margin liquidation' orders are grouped.
Sure,
if the attackers are trading on our exchange, then they wouldn't be relying on having access while access is limited. But that doesn't mean that there's no way for them to profit from it. They might be trying to initiate a market crash so they can pick up cheaper coins later, or they might open a short position beforehand looking to close it later after the crash. The market can still move during an attack, because DDoS doesn't usually take down servers - it constrains the access to those servers and different people may experience different levels of access. Some may have no access while others just find that the site is slow for them. It can also happen that people aren't able to login and trade on our platform, but the API is still working. So people can have different levels of access, but there's no group with privileged access.
I should emphasize that we don't know if the attackers are trading on our exchange, only that they could be. It may even be that the attacks are not intended to manipulate price. Maybe the attackers have some other motive, but this seems less likely.