We use technologies like cookies to store and/or access device information. We do this to improve browsing experience and to show (non-) personalized ads. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Техническое хранение или доступ необходимы для законной цели хранения предпочтений, которые не запрошены подписчиком или пользователем.
The technical storage or access that is used exclusively for statistical purposes.
Техническое хранилище или доступ, который используется исключительно для анонимных статистических целей. Без повестки в суд, добровольного согласия со стороны вашего интернет-провайдера или дополнительных записей от третьей стороны информация, хранящаяся или полученная только для этой цели, обычно не может быть использована для вашей идентификации.
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
Physical attacks on crypto holders: how to protect yourself from a wrench attack
Wrench attack is a physical attack on a cryptocurrency holder intended to force them to hand over access to a wallet. In crypto, people usually talk about hackers, phishing, and smart-contract vulnerabilities. But there is a threat that a standard wallet setup cannot stop: a person with a wrench standing at your door. Protection is possible, but it requires a completely different approach.
2025 set a record for physical attacks on crypto holders: 72 verified incidents, a 75% year-on-year increase — kidnappings, home invasions, torture, and even murders. In 2026, the situation became even worse: France alone recorded 41 kidnappings in four months.
This is not limited to Europe or the United States. In Kyiv, a man was killed over 3 bitcoins. In Vienna, a 21-year-old Ukrainian was killed over cryptocurrency.
The victims are not only millionaires. A Bloomberg investigation found teachers, firefighters, and ordinary people with moderate wallet balances among those targeted. It is enough for someone to learn that you hold cryptocurrency.
This article explains how physical attacks work, who becomes a target, and which practical steps can reduce the risk. There are no abstract recommendations here — they are of little practical use. Instead, we will focus on measures that can actually help in such situations.
What is a wrench attack, and why is it no longer a meme?
The term became widely known through an xkcd comic published in 2009. The idea is simple: why break encryption if you can beat the key owner with a $5 wrench until they reveal the password? In academic circles, this is called rubber-hose cryptanalysis. Marcus Ranum introduced the term back in 1990, but it entered the crypto world along with large sums of money and real-world violence.
Ukraine has its own version of the phrase: the “soldering iron attack.” The principle is the same: the attacker targets the person, not the technology.
Why has cryptocurrency become an ideal target for this type of crime?
Irreversible transactions. A bank transfer can be blocked, disputed, or reversed through a chargeback. A crypto transaction is finalized within minutes. Once it is confirmed on-chain, recovering the funds is technically impossible.
Self-custody. When you store cryptocurrency in your own wallet — hardware, mobile, or desktop — you control the private keys. You are your own bank. There is no call center to freeze the account and no fraud department to intervene. The seed phrase you know or store provides full and immediate access to all funds.
Rapid laundering. After receiving cryptocurrency, criminals move it through a network of wallets, mixers, and cross-chain bridges. They convert it into stablecoins and distribute it across different networks. In some cases, stolen funds pass through dozens of addresses within hours. The trail can be traced, but recovering the money is almost impossible.
There is another factor that is rarely discussed: attacks correlate with the price of Bitcoin. Jameson Lopp, who has maintained a database of physical attacks since 2014, identified a clear pattern. Attacks increase during bull markets: wallet balances rise, interest in crypto grows, and there are more potential targets. During the 2024–2025 bull run, the number of attacks reached a peak.
Statistics: the scale of the problem in numbers
Jameson Lopp, CSO of Casa, has maintained an open GitHub database of physical attacks on crypto holders since 2014. It currently contains more than 225 confirmed cases. Lopp himself acknowledges that the real number is much higher. Many victims do not contact the police because they fear another attack or do not trust law-enforcement agencies to handle crypto-related cases. Some incidents are recorded as ordinary robberies without any mention of cryptocurrency.
Blockchain auditor CertiK compiled separate data for 2025 in its Skynet Wrench Attacks Report: 72 verified cases of physical coercion worldwide. That is 75% more than the 41 incidents recorded in 2024. According to TRM Labs, the actual total is closer to 60–70 even when counting only cases reported by the media.
By category, kidnappings increased from 15 to 25 cases (+66%), while physical assaults rose from 4 to 14 (+250%). Total losses increased from $28.3 million in 2024 to $40.9 million in 2025. CertiK notes that this figure is substantially understated because of unreported cases and private settlements.
Europe became the leading region, accounting for more than 40% of all incidents. France ranked first with 19 confirmed attacks in 2025. North America’s share fell from 36.6% to 12.5%, but that does not mean it became safer. Physical attacks are simply spreading to other regions as well. Asia remained stable at 33.3%, with a concentration of cases involving tourists and expats in Thailand and Hong Kong.
The pace accelerated in 2026. France alone recorded 41 crypto-related kidnappings in the first four months of the year — one every 2.5 days.
Cases: from $200,000 to hundreds of millions
Each of these stories illustrates a different type of threat, a different scale, and different lessons.
Kyiv, Ukraine, July 2024
A 29-year-old foreign national was kidnapped near his home in Kyiv’s Solomianskyi district. Four attackers aged 24–29 had planned the operation in advance: they tracked the victim’s address and waited for him to return home around midnight. They stole 3 BTC — approximately $207,000 at the time. The victim was strangled, and his body was taken to a forest. All four suspects were arrested and face life imprisonment.
The key point in this case is that the amount was relatively modest: three bitcoins. But that was enough to lead to murder.
Vienna, Austria, November 2025
A 21-year-old Ukrainian was attacked in the underground parking garage of the SO/Vienna hotel. Two attackers — aged 19 and 45, both Ukrainian — beat him and forced him to hand over passwords to two crypto wallets, which they then emptied. His body was found in a burned Mercedes with Ukrainian license plates in Vienna’s Donaustadt district. According to some local media reports, the victim may have been the son of Kharkiv’s deputy mayor, although this has not been officially confirmed. The suspects were arrested in Ukraine.
David Balland, Ledger, France, January 2025
The Ledger co-founder was kidnapped together with his wife. While he was being held captive, the attackers cut off part of his finger and sent a photograph to business partners as part of a ransom demand. His rescue was carried out by GIGN, the elite tactical unit of the French Gendarmerie. This case became a turning point in the discussion of crypto-industry security in France.
Paris, Paymium, May 2025
The daughter and two-year-old grandson of Pierre Noizat, CEO of the Paymium crypto exchange, were targeted in an attempted kidnapping in broad daylight on Rue Pache in Paris’s 11th arrondissement. The woman was five months pregnant. Three masked attackers jumped out of a van carrying fake Chronopost courier branding. The daughter managed to grab a gun from one of the attackers — it turned out to be an Airsoft weapon rather than a real firearm — and throw it away. Bystanders helped stop the attack.
The investigation led to the arrest of 25 people, including 6 minors. Most suspects were aged 16–23. According to CoinDesk, they were local operatives hired by a criminal network from Southeast Asia for approximately $10,000 each. A lawyer for one of the suspects described them as “very young people, lured by money and pulled into a situation that was bigger than them.”
Vancouver, Canada, April 2024
Four attackers wearing Canada Post uniforms and COVID masks broke into a family home and held the occupants captive overnight. The father and mother were subjected to waterboarding — a simulated drowning technique in which a cloth is placed over the victim’s face and water is poured over it to create a sensation of suffocation. The daughter was raped. About $1.5 million in Bitcoin was stolen. The details became public only after court documents were released in late 2025. The key fact: the father had boasted about high crypto earnings within the Chinese community.
United States: the Remy St. Felix gang
This case shows how an organized crypto robbery operation works from the inside. Remy St. Felix, a 25-year-old from Florida, led a group that started with SIM-swap attacks — stealing phone numbers to intercept SMS codes — and later moved on to home invasions. Between 2022 and 2023, the group carried out a series of attacks in Florida, Texas, and North Carolina: victims were restrained with zip ties, threatened with weapons, and forced to transfer cryptocurrency. The group stole more than $3.5 million in total.
St. Felix was sentenced to 47 years in prison. It was the longest sentence in a cryptocurrency-related criminal case in US history. A total of 12 members of the group were convicted. After sentencing, St. Felix attacked a prosecution witness in custody and received an additional sentence of 6 years and 10 months.
UAE, 2025
Crypto entrepreneur Roman Novak and his wife were lured to a fake business meeting and murdered. The criminals tried to gain access to wallets that they believed contained hundreds of millions of dollars. The wallets turned out to be empty or inaccessible, but that did not prevent the killing.
France, 2026: a systemic crisis
Forty-one kidnappings in four months. In April, GIGN stormed a house where the mother and 11-year-old son of a crypto entrepreneur were being held — the attackers demanded €400,000. In March, a couple in their fifties lost $1 million in BTC after criminals posing as police officers invaded their home. In February, a judge and her mother were kidnapped to pressure the judge’s crypto-entrepreneur partner. An entire family — grandparents, parents, and grandchildren — was taken hostage by five criminals at a holiday home in Anglet.
How criminals find their victims
Ten years ago, a wrench attack was usually a crime of opportunity: someone learned that an acquaintance held cryptocurrency and decided to take it. Today, it is a planned operation involving intelligence gathering, surveillance, and specialization.
KYC data leaks: the “Know Your Customer” paradox
Jameson Lopp uses a play on words: KYC — Know Your Customer — turns into “Kill Your Customer.” Databases created to combat money laundering become a source of targets for physical attackers.
In May 2025, Coinbase disclosed a major data breach. Criminals bribed outsourced support agents working through TaskUs and obtained data belonging to approximately 69,000 customers: names, home addresses, phone numbers, photographs of passports and driver’s licenses, account balances, and transaction histories. The attackers demanded $20 million. Coinbase instead announced a bounty for the same amount. The total cost of the incident was estimated at $400 million.
Consider what this means: someone knows your home address, has a photograph of your passport, and knows how much money is held in your exchange account. That is a ready-made package for organizing an attack.
In January 2026, Waltio, a French crypto-tax reporting platform, was hacked. The ShinyHunters group obtained data belonging to approximately 50,000 users: email addresses and summarized information from 2024 tax reports. The data appeared for sale on the dark web before Waltio even became aware of the breach. French law-enforcement agencies openly warned that the information was already being used for physical attacks. Hackers on BreachForums claimed a link between the Waltio breach and three specific kidnappings in France involving total losses of $17.1 million.
There was also a separate incident: in June 2025, French media reported that a tax-agency employee had systematically passed crypto-investor data to criminals. This is an insider threat that technical security cannot stop.
Social media and public activity
Nick Bax from the SEAL security group explains that victims often expose themselves. A balance screenshot in a crypto chat, a post about a successful trade, a photograph from a conference, or an appearance on a podcast can all reveal information. The Canadian family subjected to waterboarding came to the criminals’ attention because the father had boasted about crypto earnings within the Chinese community.
Criminals monitor these signals and build a profile: how much the person may hold, where they live, when they are at home, who lives with them, and whether they have a security system.
On-chain analytics and blockchain transparency
Blockchains are transparent by default. If criminals know even one of your addresses — for example, because you sent funds to someone who later leaked information — they can track the movement of funds, estimate the total balance, and identify the networks where assets are held. Combining on-chain data with a KYC leak provides a complete picture: name, address, and amount.
Organized groups with specialized roles
TRM Labs researchers have observed groups operating according to a corporate model. Intelligence: data collection, social-media monitoring, and follow-home tactics — tracking a target from a crypto conference or ATM to their home. Execution: the attack itself, often carried out by hired local operatives. Laundering: converting cryptocurrency through DEXs, mixers, and bridges. Each link in the chain operates autonomously.
The Paris Paymium case illustrates this model: the 25 people arrested, including 6 minors, were local operatives. According to investigators, the order came from a criminal network in Southeast Asia. The payment for the attempted kidnapping was approximately $10,000 for each operative.
Why a hardware wallet cannot protect you from a wrench
A hardware wallet, a complex password, two-factor authentication, and address verification on the device screen all work against hackers. None of them work against a person with a knife or a gun.
The seed phrase that controls your entire wallet is a single set of 12 or 24 words. Under physical pressure, you will reveal it. The same is true of the hardware-wallet PIN. In its report, CertiK explicitly calls this a “structural threat to digital ownership”: the stronger the digital security becomes, the more attractive a physical attack is as a way to bypass it.
The problem is architectural: a standard crypto-wallet setup has a single point of failure. One person knows everything needed to transfer the funds. One seed phrase, one PIN, one device. As long as that remains true, a wrench attack will be the shortest path to your money.
Protection against a physical attack is fundamentally different from protection against hackers. The goal is not to make access more difficult — an attacker can overcome any level of difficulty given enough time and motivation — but to ensure that you physically cannot transfer all of the funds, even if you want to.
How to protect yourself: practical tools
The threat cannot be eliminated completely. But you can build a system in which a wrench attack becomes pointless for the criminal: you cannot hand over assets that are not immediately accessible to you, and the criminal does not know how much you actually hold.
The “boring neighbor” strategy: the most effective protection costs nothing
Lopp summarized it this way: “The most effective thing a bitcoiner can do to reduce wrench-attack risk is very difficult: do not talk about bitcoin, at least not under your real name or with your face attached.” This is difficult not technically, but psychologically. People like to share their successes. In crypto, that increases the risk of a physical attack.
What does this mean in practice?
Never disclose the value of your portfolio. Not in chats, not in conversations with friends, and not at meetups. Even indirect signs of wealth — travel photographs, new cars, and purchases — help build a profile. Criminals do not need exact figures. It is enough for them to conclude that “this person has something worth taking.”
Do not publish photographs of hardware wallets. A Ledger or Trezor in an Instagram post, on a desk during a stream, or in an unboxing story is a direct signal: this person uses self-custody, and the key to all of the funds is somewhere nearby.
Keep crypto apps on a separate phone. Your main smartphone — the one you carry with you — should not contain MetaMask, Trust Wallet, Phantom, Rabby, or any other crypto app. If the phone is stolen or you are stopped on the street, the primary device will contain nothing that indicates you hold cryptocurrency. Keep the second phone at home in an inconspicuous location.
Use a separate email address for crypto. KYC database leaks occur regularly: Coinbase, Waltio, Ledger through the Global-e leak. If the email used for a crypto exchange is the same as the email on your LinkedIn or Facebook profile, the connection between your identity and crypto assets becomes obvious within seconds. Use an email address that is not linked to any public profile.
Be careful in crypto communities. Telegram chats, Discord servers, and Twitter threads can all be monitored. Anything you write may be captured and used against you. Screenshots spread within minutes. Even a casual message such as “I bought the dip” in a chat with 500 members can make you a target for someone in the group.
Stay discreet at conferences. Crypto events concentrate potential targets in one location. Follow-home tactics — tracking someone from a conference to their hotel or home — have been documented in several cases. Do not discuss amounts publicly, and be careful with new acquaintances.
Passphrase — the 25th word: a hidden wallet that no one knows about
If multisig is the “heavy artillery,” a passphrase is the first line of defense available to every hardware-wallet owner.
How it works. A standard 24-word seed generates one set of keys and addresses. But if you enter an additional password — a passphrase — when accessing the wallet, the wallet generates a completely different set of keys. One seed phrase gives you two separate wallets that are not linked in any visible way for an external observer.
Practical use. Keep an amount you are prepared to lose in the wallet without a passphrase — for example, $300–500. Store the main funds in the hidden wallet protected by the passphrase. If you are coerced, you reveal the seed phrase without the additional phrase. The attacker sees a $500 balance, takes it, and leaves. There is no reason to suspect that a second wallet exists because, technically, it does not exist without the correct passphrase.
All major hardware wallets support passphrases: every Ledger model, every Trezor model, Keystone 3 Pro, Blockstream Jade, BitBox02, and OneKey. Setup takes only a few minutes.
There is an important caveat. An experienced attacker may know that passphrases exist. If the visible wallet contains $500 but the attacker’s intelligence suggests that you should hold more, the pressure may continue. A passphrase should therefore be treated as one layer of security, not as a complete solution. It works best in combination with OPSEC: if the attacker does not know how much you hold, a decoy wallet with a moderate balance looks plausible.
A duress PIN is also worth mentioning. Blockstream Jade allows you to configure a PIN that opens a decoy wallet with a minimal balance. Another PIN can wipe the device completely. The idea is the same: the attacker gains access, but not to the main funds.
Multisig: ensure that you physically cannot hand over the money
This is the most reliable protection against physical coercion available today. Here is why.
Multisig — multi-signature — means that several keys are required to sign a transaction, and those keys are physically stored in different places. In a 2-of-3 setup, there are three keys and any two are required for a transfer. One key is stored at home, the second in a bank safe-deposit box in another city, and the third with a trusted person or a provider such as Casa.
Why does this work? Even if an attacker is standing next to you, you physically have access to only one key. You are not refusing to make the transfer. You are physically unable to do it. This is a technical reality that can be verified. The criminal must either hold you for longer — greatly increasing the risk — coordinate actions across several locations — which is even harder — or leave empty-handed.
It also changes the psychological dynamic. When a victim says “I cannot” rather than “I will not,” the attacker has less incentive to continue applying pressure. They came for quick money and encountered a problem instead.
Available setup options:
Several services simplify multisig setup to the point where you can install an app, connect wallets, and start using the system. They handle the technical layer and retain one key as a backup while leaving control in your hands.
Casa is a US service founded by Jameson Lopp, whom we mentioned earlier. It focuses specifically on protection against physical threats. In a 2-of-3 setup, one key is stored on your mobile device, one on a hardware wallet, and one by Casa. Two of the three are required for a transaction. If a key is lost or compromised, Casa assists with recovery. A 3-of-5 setup is available for larger amounts. Pricing starts at $21 per month or $250 per year, with no KYC required at registration. The service supports Bitcoin, Ethereum, and the USDT and USDC stablecoins.
Unchained is another US service, focused on Bitcoin. Its 2-of-3 setup gives you two keys while Unchained stores the third. Unlike Casa, it requires identity verification — KYC — and opens accounts only for US residents. A personal vault costs $250 per year.
You can also create your own setup using Sparrow Wallet, Electrum, or Unchained’s Caravan. This is more difficult and requires technical knowledge, but it provides full control without dependence on a provider or a monthly subscription.
With services such as Casa or Unchained, the app handles coordination: you connect the devices, and the service collects signatures and constructs the transaction. In a self-managed setup, Sparrow, Electrum, or Caravan performs that role on your computer.
In both cases, the keys are stored on hardware wallets. Keystone 3 Pro, Coldcard, BitBox02, Trezor Safe 3, and Trezor Safe 5 offer strong multisig compatibility because they support PSBT — Partially Signed Bitcoin Transactions — the standard used by both services and desktop coordinators. Ledger can also be connected, but the process is less convenient.
A good practice is to use devices from different manufacturers for different keys. For example, store one key on a Trezor and another on a Keystone. If a critical firmware vulnerability is discovered in one manufacturer’s devices, the second key remains protected.
Timelocks: a transaction that cannot happen immediately
Even if you have access to all of the keys, a timelock prevents you from transferring large amounts immediately.
Casa offers Emergency Lockdown, which freezes a wallet and introduces a 72-hour delay before it can be unlocked. Vault solutions from BitGo allow custom delays for transfers above a chosen threshold. Bitcoin also has native CheckLockTimeVerify and CheckSequenceVerify mechanisms that can create transactions that become valid only after a specified period.
The main benefit is that you can honestly tell the attacker that you are physically unable to transfer large amounts immediately.
A prepared scenario: what to do if an attack happens
The most important rule matters more than any technology: no amount of cryptocurrency is worth your life or health. Do not try to be a hero. Do not attempt to outsmart an armed attacker.
But if you configured your security in advance, you have a truthful explanation:
The key word is “truthful.” These statements work only when they describe a real technical configuration. Bluffing under pressure is dangerous. The attacker may check the balance, know about passphrases, or continue applying pressure. But if multisig or a timelock is actually configured, you are telling the truth, and the attacker must confront that reality.
What France is doing, and why it matters to Ukraine
France has become a kind of national-scale laboratory for wrench attacks. The government’s response shows how serious the problem has become.
At Paris Blockchain Week in April 2026, Deputy Interior Minister Jean-Didier Berger announced the launch of a preventive platform for crypto holders that had already attracted thousands of registrations. He is working with Minister Laurent Nuñez on a broader protection plan. VIP guests attending a dinner in Versailles were escorted by a police convoy. Organizers doubled security at all events.
For a country positioning Paris as a crypto hub with MiCA licensing, the kidnapping wave threatens both its reputation and its finances. As CryptoSlate noted, France is becoming a place “where crypto wealth is hardest to hold publicly.”
Why does this matter to Ukraine? Ukraine already has its own cases, described above. The attack model has no geographic limits. Data breaches affecting global platforms — Coinbase, Binance, Ledger — expose users worldwide. If you are a Ukrainian registered on an exchange affected by a leak, you are potentially vulnerable.
Government initiatives help, but the main responsibility for physical safety remains with the holder. The police may arrive after an attack. OPSEC, multisig, and a passphrase work before it happens.
Checklist: what to do right now
OPSEC
Protecting funds
Preparing for the worst
Conclusion
Seventy-two verified cases in 2025, 41 kidnappings in France alone during the first four months of 2026, murders in Kyiv and Vienna, severed fingers, waterboarding, and attacks on children and pregnant women. The threat depicted in an xkcd comic has become a reality that grows along with the price of Bitcoin.
Technical cryptocurrency security — hardware wallets and cold storage — solved the hacker problem but created another one: responsibility is concentrated in one person, and that is exactly what a wrench attack exploits. Protection against a physical attack requires a different approach: not “make access harder,” but “make an immediate transfer impossible.”
Three layers of protection work together: avoid becoming a visible target through OPSEC and the “boring neighbor” strategy; make an immediate transfer of all funds technically impossible through multisig and timelocks; and maintain a fallback scenario for physical coercion through a passphrase, a decoy wallet, and a prepared explanation.
One final point: no amount of cryptocurrency is worth your health or your life. If the situation becomes dangerous, hand over what you can. Money can be earned again.
Related Posts
Best private messengers with end-to-end encryption. Top apps in 2026
The best private messengers 2026 protect conversations with end-to-end encryption, but not every popular app is genuinely private. Many services store messages on a server in plaintext: the company that owns the service can read them, hand them over under a warrant, or lose them in a data breach. Private messengers do not. There is …
What Is Shamir Backup and SLIP39?
Welcome! In this article, we will explain how Shamir Backup works. We will look at why it is one of the best ways to protect your crypto investments, compare the SLIP39 and BIP39 standards, and answer the question: “How can you protect your cryptocurrency from theft and sleep better at night?” I will try to …
What Is a Mnemonic Phrase? BIP39 Word List
What is a mnemonic phrase? This is a question our customers often ask us. Let’s figure it out. A mnemonic phrase is a group of words that provides access to your assets and serves as a backup for your crypto wallet. It is also often called a seed phrase or BIP39 phrase. A phrase can …
How to Store a Seed Phrase: 5 Safe Methods in 2026
A seed phrase is not just a set of words. It is the single key to everything you own in crypto. To every coin protected by that phrase. If you lose it — there is almost no chance of getting access back.There are white hat hackers who recover access to lost wallets — there are …