In January 2025, French authorities freed Ledger co-founder David Balland after kidnappers demanded a large ransom in cryptocurrency. The case illustrated what crypto crime can look like when it leaves the screen and becomes a physical hostage situation.
In fact, crypto-related disputes and theft are increasingly linked to real-world violence, including abduction attempts and ransom schemes designed to force victims to hand over access.
That is the logic of a wrench attack. Instead of hacking a wallet, criminals use threats or force to make the holder unlock it or send the funds themselves.
Scams and hacks still dominate in volume, but some of the most violent incidents increasingly involve coercion. So, why is this happening now, and why is it accelerating?
What is a wrench attack?
A wrench attack is a physical-world crime in which attackers use threats or violence to force a crypto holder to hand over access by revealing credentials, unlocking a device or authorizing a transfer.
In short, it is an attempt to obtain cryptocurrency by attacking the person, not the cryptography.
The label comes from a well-known Xkcd comic. When encryption is strong, the shortcut becomes coercion, such as hitting someone with a wrench. The term stuck because it captures what makes these incidents feel like a step change from most crypto theft. The attacker does not need an exploit, only proximity and leverage over someone’s daily life.
Did you know? The term “wrench attack” is widely linked to Xkcd comic #538, titled “Security.” The strip jokes that when a laptop is strongly encrypted, an attacker may skip breaking the math and instead rely on coercion — the infamous “$5 wrench” shortcut.
Are wrench attacks really increasing or just getting more attention?
The short answer is that both can be true at once, and the data requires careful reading.
Haseeb Qureshi of Dragonfly, having analyzed Jameson Lopp’s incident log, argues that reported wrench attacks have risen over time and that the average incident has become more severe in recent years.
The analysis also identifies a clear price effect. When total crypto market capitalization rises, reported violence tends to increase as well, with a simple regression attributing roughly 45% of the variation in attack frequency to market capitalization.
But two caveats matter. First, Lopp’s database is explicitly not comprehensive. It is built from public reports, which means it cannot capture cases that never make the news.
Second, academic work on wrench attacks points to systematic underreporting, including victims staying quiet out of fear of revictimization.
That is why Qureshi’s normalization point matters. Measured per user, reported risk may be lower than in earlier cycles, even if the headlines feel more alarming.
Why wrench attacks are among crypto’s most violent crimes
Wrench attacks are driven by fast and irreversible payouts, rising concentrations of reachable wealth, easier real-world targeting and data leaks that turn online crypto identities into offline risk.
Driver 1: The payout is fast, portable and hard to unwind
With crypto, attackers do not need to launder stolen cards or fence physical goods. If they can compel a transfer, value can move quickly and across borders, which helps explain why coercion may appear comparatively appealing to criminals.
Driver 2: More people hold reachable wealth
As prices rise, the same holdings become larger targets. Incident frequency also tracks total crypto market capitalization, suggesting a strong price pull on violent crime.
Driver 3: Finding targets is easier than it looks
Public-facing crypto roles, meetups, peer-to-peer (P2P) deals and everyday oversharing can give attackers real-world hooks. Researchers at the University of Cambridge describe these incidents as attacks that bypass digital security norms by shifting pressure onto the holder.
Driver 4: Data exposure turns online identity into offline risk
Recent incidents highlight how names, addresses and phone numbers can leak through third parties or insider abuse. Examples range from Coinbase’s support-agent bribery case to Ledger-related customer data exposures, making it easier, in some cases, to link individuals to crypto activity.
How these attacks typically play out
Patterns often resemble a crime script: targeting and approach, coercion, then rapid movement of funds once access is obtained.
The initial contact can resemble conventional street crime, such as robbery or home invasion, or more organized forms of coercion. Victims are not always random strangers.
In some cases, wrench attacks overlap with domestic and interpersonal abuse, where access to crypto becomes a tool of control.
Did you know? Roman Novak and Anna Novak were a Russian couple living in Dubai who disappeared in October 2025 after being lured to a meeting with supposed investors near Hatta, close to the Oman border. Investigators later treated the case as a kidnapping linked to attempts to force access to money, including cryptocurrency, making it one of the most widely cited real-world examples of a wrench attack with fatal consequences.
Who’s most at risk?
Wrench attacks rarely target random crypto users.
These attacks disproportionately affect people who are easy to identify, easy to locate and assumed to have large, accessible holdings, including founders and executives, public-facing influencers, over-the-counter (OTC) or P2P traders and anyone whose online footprint links a real identity to significant crypto wealth.
Geography also matters. Western Europe and parts of the Asia-Pacific region have seen the sharpest rise in reported incidents, while North America appears comparatively safer, although the absolute number of cases has still increased.
It is also not only the principal who may be targeted. Recent French cases show that criminals sometimes go after relatives or partners, using family proximity as leverage when the wallet owner is difficult to reach.
How to lower your risk
The uncomfortable lesson of wrench attacks is that even strong key management does not automatically eliminate all risk. It can make funds harder to steal online while leaving the last mile exposed: you, your routines and your personal data.
For most readers, the practical goal is to make yourself a poor target and reduce what an attacker can access quickly. That usually comes down to three themes:
Lower your visibility: Avoid broadcasting holdings, tighten links between your real identity and crypto activity, and assume oversharing heightens risk.
Lower your instant-access balance: Keep day-to-day spending separate from long-term storage, and avoid single points of failure for larger amounts, such as using multi-party approvals or time delays.
Treat support impersonation as part of the same threat landscape: Criminals can use leaked data to pressure victims into moving funds. Coinbase’s guidance is explicit that legitimate support will not ask for passwords, two-factor authentication (2FA) codes or transfers to a so-called safe address.
If a threat ever becomes real, the priority is physical safety and getting help, not protecting the wallet. That is what makes wrench attacks one of the sharpest edges of crypto crime today. They turn digital wealth into a personal security risk and force the industry’s security conversation out of the browser and into the real world.
