In January 2025, French authorities released Ledger co-founder David Balland after kidnappers demanded a big cryptocurrency ransom. The case illustrated what cryptocrime can appear like when it leaves the screen and becomes a physical hostage situation.
In fact, cryptocurrency-related disputes and thefts are increasingly linked to real-world violence, including kidnapping attempts and ransom payments geared toward forcing victims handy over access.
This is the logic of a wrench attack. Instead of hacking a wallet, criminals use threats or violence to get the holder to unlock it or transfer the funds themselves.
Scams and hacking still dominate, but a few of the most violent incidents are increasingly involving coercion. Why is that this happening now and why is it accelerating?
What is a wrench attack?
A wrench attack is against the law within the physical world by which attackers use threats or violence to coerce a crypto holder into giving up access by revealing credentials, unlocking a tool, or authorizing a transfer.
In short, it’s an try to obtain cryptocurrency through an attack on the person and never on the cryptography.
The name comes from a widely known Xkcd comic. If the encryption is robust, the shortcut becomes coercion, similar to hitting someone with a wrench. The term stuck since it describes what makes these incidents appear to be a stark change from most crypto thefts. The attacker doesn't need an exploit, just proximity and influence on an individual's day by day life.
Did you already know? The term “Wrench Attack” is usually related to the Xkcd comic #538 entitled “Security”. The strip jokes that if a laptop is heavily encrypted, an attacker might skip breaking the bill and as an alternative depend on coercion – the infamous “$5 wrench” acronym.
Are wrench attacks really on the rise or are they only getting more attention?
The short answer is that each could be true at the identical time and the information have to be read fastidiously.
Dragonfly's Haseeb Qureshi, after analyzing Jameson Lopp's incident log, argues that reported wrench attacks have increased over time and that the common incident has change into more serious lately.
The evaluation also identifies a transparent price effect. As the full capitalization of the crypto market increases, reported violence also tends to extend. An easy regression suggests that about 45% of the variation in reported attack frequency is correlated with market capitalization.
But two caveats are necessary. First, Lopp's database is emphatically not comprehensive. It relies on public reports, meaning it cannot capture cases that never make the headlines.
Second, scholarly work on wrench attacks suggests systematic underreporting, including victims remaining silent for fear of revictimization.
That's why Qureshi's normalization point is significant. Measured per user, the reported risk could also be lower than in previous cycles, even when the headlines seem more alarming.
Why wrench attacks are amongst probably the most violent crimes in crypto
Key attacks are driven by rapid and irreversible payouts, increasing concentrations of attainable wealth, easier real-world attacks, and data leaks that turn online crypto identities into offline risks.
Driver 1: Payout is fast, portable and difficult to process
With crypto, attackers don't need to launder stolen cards or confiscate physical goods. If they will force a transfer, value can move quickly and across borders, which explains why coercion seems comparatively attractive to criminals.
Driver 2: More people have attainable wealth
As prices rise, the identical stocks change into greater targets. The frequency of incidents also reflects the full market capitalization of cryptocurrencies, indicating a pointy increase in the worth of violent crime.
Driver 3: Finding goals is simpler than it looks
Publicly accessible crypto roles, meetups, peer-to-peer (P2P) deals, and on a regular basis oversharing can present real hooks for attackers. Researchers on the University of Cambridge describe these incidents as attacks that circumvent digital security norms by shifting pressure onto the owner.
Driver 4: Data disclosure turns online identity into an offline risk
Recent incidents illustrate how names, addresses and telephone numbers can come to light through third parties or insider abuse. Examples range from the case of support staff bribery at Coinbase to the disclosure of customer data related to Ledger, which in some cases makes it easier to link individuals to crypto activity.
How these attacks typically work
Patterns often resemble against the law script: targeting and approaching, coercion, after which rapid movement of cash once access is gained.
Initial contact may resemble conventional street crime, similar to a robbery or burglary, or more organized types of coercion. Victims aren’t all the time random strangers.
In some cases, wrench attacks intersect with domestic and interpersonal violence, where access to crypto becomes a tool of control.
Did you already know? Roman Novak and Anna Novak were a Russian couple living in Dubai who disappeared in October 2025 after being lured to a gathering with supposed investors near Hatta, near the border with Oman. Investigators later treated the case as a kidnapping related to attempts to force access to money, including cryptocurrencies, making it probably the most cited real-life examples of a wrench attack with deadly consequences.
Who is most in danger?
Wrench attacks rarely goal random crypto users.
These attacks disproportionately affect individuals who’re easily identified, situated and believed to have large, accessible holdings, including founders and executives, public influencers, over-the-counter (OTC) or P2P traders, and anyone whose online footprint combines an actual identity with significant crypto assets.
Geography can also be necessary. Western Europe and parts of the Asia-Pacific region saw the most important increase in reported incidents, while North America appears comparatively safer, although absolutely the variety of cases remains to be rising.
It's not only the client who could be targeted. Recent French cases show that criminals sometimes goal relatives or partners, using proximity to family as leverage when the owner of the wallet is difficult to achieve.
How to scale back your risk
The unpleasant lesson from wrench attacks is that even strong key management doesn’t routinely eliminate all risks. This could make it harder to steal funds online while leaving the last mile open: you, your routines and your personal information.
For most readers, the sensible goal is to make yourself a foul goal and quickly reduce an attacker's access. This normally boils right down to three topics:
-
Reduce your visibility: Avoid disseminating holdings, tightening the ties between your true identity and crypto activity, and assuming that over-sharing increases risk.
-
Lower your Instant Access balance: Keep day by day expenses separate from long-term storage and avoid single points of failure with larger amounts, similar to: B. the usage of multi-party approvals or time delays.
-
Treat support impersonations as a part of the identical threat landscape: Criminals can use leaked data to pressure victims into transferring funds. Coinbase's guidelines specifically state that legitimate support doesn’t ask for passwords, two-factor authentication (2FA) codes, or transfers to a so-called secure address.
If a threat ever becomes real, the main focus is on physical security and assistance quite than protecting your wallet. This makes wrench attacks one among the sharpest points of crypto crime today. They turn digital wealth into a private security risk and force the industry's security conversation out of the browser and into the actual world.
