In January 2025, French authorities freed Ledger co-founder David Balland after kidnappers demanded a large ransom in cryptocurrency. This case starkly illustrated what crypto crime can look like when it transcends the digital realm and escalates into physical hostage situations.
Indeed, crypto-related disputes and theft are increasingly intertwined with real-world violence. This includes abduction attempts and ransom schemes designed to coerce victims into surrendering access to their digital assets.
This is the underlying logic of a wrench attack. Instead of attempting to hack a wallet through digital means, criminals resort to threats or physical force to compel the holder to unlock their wallet or authorize fund transfers themselves.
While scams and hacks continue to dominate in terms of sheer volume, some of the most violent incidents now increasingly involve direct coercion. This raises the question: why is this trend accelerating, and why now?
What is a Wrench Attack?
A wrench attack is a physical-world crime where attackers employ threats or violence to force a cryptocurrency holder into revealing credentials, unlocking a device, or authorizing a transfer. Essentially, it's an attempt to obtain cryptocurrency by targeting the individual, rather than the underlying cryptography.
The term originates from a widely recognized Xkcd comic. When encryption is exceptionally strong, the most direct path for criminals becomes coercion—metaphorically, hitting someone with a wrench. This label has persisted because it effectively captures the shift from typical crypto theft, where attackers require no exploits, only proximity and leverage over a victim's personal life.
Did you know? The term “wrench attack” is widely associated with Xkcd comic #538, titled “Security.” The strip humorously suggests that when a laptop is strongly encrypted, an attacker might bypass mathematical vulnerabilities and opt for coercion—the infamous “$5 wrench” shortcut.
Are Wrench Attacks Increasing or Just Gaining More Attention?
The reality is likely a combination of both: wrench attacks may be genuinely increasing, and they are also receiving more public attention, necessitating a careful examination of the available data.
Haseeb Qureshi of Dragonfly, after analyzing Jameson Lopp’s incident log, posits that reported wrench attacks have indeed risen over time, with the average incident becoming more severe in recent years. The analysis also highlights a discernible price effect: as the total cryptocurrency market capitalization grows, reported instances of violence tend to escalate. A simple regression suggests that market capitalization accounts for approximately 45% of the variation in attack frequency.
However, two important caveats must be considered. Firstly, Lopp’s database is explicitly not exhaustive; it is compiled from public reports and therefore cannot encompass incidents that do not reach the news. Secondly, academic research on wrench attacks points to systematic underreporting, with victims often remaining silent out of fear of further victimization.
This is why Qureshi’s point about normalization is significant. When measured per user, the reported risk might actually be lower than in previous cycles, even if the headlines seem more alarming.
Why Wrench Attacks Are Among Crypto’s Most Violent Crimes
Wrench attacks are fueled by several converging factors: the rapid and irreversible nature of payouts, the increasing concentration of accessible wealth, the ease of real-world targeting, and data leaks that transform online crypto identities into tangible offline risks.
Driver 1: The Payout is Fast, Portable, and Hard to Unwind
Unlike traditional theft, with cryptocurrency, attackers do not need to launder stolen credit cards or fence physical goods. If they can compel a transfer, value can be moved swiftly across borders, which helps explain why coercion might appear comparatively appealing to criminals.
Driver 2: More People Hold Reachable Wealth
As cryptocurrency prices rise, existing holdings become larger and more attractive targets. The frequency of incidents closely tracks the total crypto market capitalization, indicating a strong price-driven incentive for violent crime.
Driver 3: Finding Targets is Easier Than It Looks
Public-facing roles within the crypto industry, attendance at meetups, peer-to-peer (P2P) deals, and excessive online oversharing can provide attackers with real-world points of contact. Researchers at the University of Cambridge describe these incidents as attacks that circumvent digital security measures by shifting the pressure onto the individual holder.
Driver 4: Data Exposure Turns Online Identity into Offline Risk
Recent incidents have revealed how personal information such as names, addresses, and phone numbers can be leaked through third parties or insider abuse. Examples range from the Coinbase support agent bribery case to data exposures related to Ledger customers, making it easier in some instances to link individuals to their cryptocurrency activities.
How These Attacks Typically Play Out
The patterns of wrench attacks often resemble a crime script: initial targeting and approach, followed by coercion, and then the rapid movement of funds once access is secured.
The initial contact can manifest as conventional street crime, such as robbery or home invasion, or it can involve more organized forms of coercion. Victims are not always random strangers; in some cases, wrench attacks overlap with domestic and interpersonal abuse, where access to cryptocurrency becomes a means of control.
Did you know? Roman Novak and Anna Novak, a Russian couple residing in Dubai, disappeared in October 2025 after being lured to a meeting with supposed investors near Hatta, close to the Oman border. Investigators later treated the case as a kidnapping linked to attempts to gain access to money, including cryptocurrency, making it one of the most widely cited real-world examples of a wrench attack with fatal consequences.
Who’s Most at Risk?
Wrench attacks rarely target random cryptocurrency users. These attacks disproportionately affect individuals who are easily identifiable, locatable, and presumed to possess large, accessible holdings. This includes founders and executives, public-facing influencers, over-the-counter (OTC) or P2P traders, and anyone whose online footprint connects a real identity to significant crypto wealth.
Geography also plays a role. Western Europe and parts of the Asia-Pacific region have witnessed the most significant rise in reported incidents, while North America appears comparatively safer, though the absolute number of cases has still increased.
Furthermore, it is not solely the principal individual who may be targeted. Recent French cases indicate that criminals sometimes target relatives or partners, leveraging family proximity as leverage when the primary wallet owner is difficult to reach.
How to Lower Your Risk
The uncomfortable truth about wrench attacks is that even robust key management practices do not inherently eliminate all risks. While they can make funds harder to steal online, they leave the final link exposed: the individual, their daily routines, and their personal data.
For most individuals, the practical objective is to become a less appealing target and minimize what an attacker can access quickly. This generally involves focusing on three key areas:
- •
Lower your visibility: Avoid broadcasting your holdings, minimize direct links between your real identity and cryptocurrency activities, and recognize that oversharing can heighten your risk.
- •
Lower your instant-access balance: Separate funds intended for daily spending from long-term storage, and avoid single points of failure for larger amounts by utilizing multi-party approvals or time delays.
- •
Treat support impersonation as part of the same threat landscape: Criminals can exploit leaked data to pressure victims into moving funds. Coinbase’s guidance is explicit: legitimate support personnel will never ask for passwords, two-factor authentication (2FA) codes, or transfers to a so-called safe address.
If a threat ever materializes, the absolute priority must be physical safety and seeking help, not protecting the cryptocurrency wallet. This is what elevates wrench attacks to one of the most acute threats in crypto crime today. They transform digital wealth into a personal security risk, forcing the industry’s security discourse beyond the browser and into the tangible realities of the physical world.