Published Mar 21, 2026
What is a wrench attack?
TL;DR
A wrench attack is a physical attack used to steal bitcoin or other crypto.
Instead of hacking a wallet, the attacker threatens, kidnaps, assaults, or tortures the person who controls it. In real cases, that can look like a crypto kidnapping, a home invasion aimed at a bitcoin holder, or another kind of coercive theft.
That is the basic meaning.
The reason the term matters now is simple: self-custody gives ordinary people direct control over money that can be moved quickly and, once sent, is often hard to recover.
What does wrench attack mean?
A wrench attack means the attacker goes after the human, not the cryptography.
Your wallet software can be solid. Your seed phrase can be stored correctly. Your hardware wallet can be genuine. None of that helps much if someone is standing in your home, pointing a weapon at you, and ordering you to unlock your phone or sign a transaction.
It is still theft, but the mechanism is coercion in the real world rather than a technical compromise. The funds are digital, but the pressure is physical.
Why is it called a wrench attack?
The name comes from the famous $5 wrench xkcd comic.
The joke is brutal and memorable. Why spend huge effort breaking strong encryption when you could threaten the person holding the password with a cheap wrench?
That joke stuck because it captures a real security truth: the hardest part of a system is often the human being operating it.
Why crypto holders are especially exposed
This kind of crime can happen with cash, jewelry, or bank credentials too. Crypto has a few traits that make it unusually attractive to attackers.
First, self-custody concentrates power. If one person controls the seed phrase, hardware wallet, or exchange login, one person may be all an attacker needs.
Second, transfers can happen fast. A criminal does not need to carry cash out of the building. They may only need a phone, a device unlock, and a signed transaction.
Third, public signals make target selection easier. As Chainalysis wrote in its 2025 mid-year crime update, attackers are increasingly targeting individuals, and operational security now matters as much as technical security. Social media posts, conference appearances, leaked customer data, luxury signaling, and public wallet chatter can all help criminals decide who looks worth targeting.
Fourth, these attacks are often planned. NBC News reported that crypto kidnappings and related physical attacks now span dozens of countries, and victims are often identified through prior relationships, surveillance, or online visibility rather than random chance (NBC analysis).
How fast is this problem growing?
No one has a perfect global count. Many victims never report these crimes, and some reports never become public.
Still, the public record is moving in a clear direction.
Counting the dated entries in Jameson Lopp’s public database of physical attacks involving crypto shows this recent trend:
| Year | Documented cases |
|---|---|
| 2019 | 9 |
| 2020 | 15 |
| 2021 | 36 |
| 2022 | 36 |
| 2023 | 25 |
| 2024 | 41 |
| 2025 | 74 |
That means the database’s documented count rose from 41 cases in 2024 to 74 in 2025, an increase of about 80% in one year.
There is also an early warning in 2026. By March 21, the same database had already logged 23 documented cases for the year. That is a partial-year figure, so it should not be compared directly with full years, but it shows the pace has not disappeared.
The broader industry is seeing the same direction. Chainalysis said 2025 was on track to have potentially twice as many physical attacks as the next highest year on record, while also noting that the real number is likely higher because many attacks go unreported.
France, the U.S., and the rest of the world
France
France became one of the clearest hotspots in 2025.
Using the same Lopp database, 20 of the 74 documented 2025 cases were linked to France. That is roughly 27% of the year’s public cases in that dataset.
The most widely reported case was the kidnapping of Ledger co-founder David Balland. Reuters reported that Balland and his wife were kidnapped in January 2025, that a ransom was demanded in cryptocurrency, and that Balland’s hand was mutilated during the ordeal. NPR and AP later reported another French case involving the father of a crypto entrepreneur, with French media saying one of his fingers was cut off.
That grim detail is why the threat no longer feels abstract. The violence described in these cases is real.
United States
The U.S. remains one of the biggest long-run clusters of documented cases.
In the same public database, the United States has the highest cumulative count since 2014. For 2025 alone, it logged 8 documented U.S. cases.
The American cases are not just small robberies. NBC News reported that a Minnesota family was allegedly held hostage at gunpoint in September 2025 and forced to hand over about $8 million in cryptocurrency. NBC also reported on the New York case in which two men were accused of kidnapping and torturing a victim in an attempt to steal bitcoin (NBC analysis).
So the U.S. story is not “this only happens somewhere else.” It is already part of the domestic crypto risk picture.
Rest of the world
This is a global problem, not a French problem with a few U.S. copycats.
NBC News found 67 crypto kidnapping cases in 44 countries and more than 150 alleged wrench attacks worldwide over the past decade. Lopp’s broader physical-attack database now spans incidents across dozens of countries as well, including the UK, Canada, Brazil, Thailand, Hong Kong, India, Pakistan, South Korea, and others.
The pattern is consistent across borders:
- A victim is believed to control meaningful crypto.
- Attackers think the victim can access it quickly.
- The victim is isolated, pressured, or surveilled.
- The criminals try to force an immediate transfer.
The geography changes. The logic does not.
How can you protect yourself from a wrench attack?
There is no perfect defense. The goal is to make yourself a harder target and make your funds harder to reach quickly.
These are the clearest ideas that show up across the research from Jameson Lopp’s public guidance, Casa’s physical security guide, and Chainalysis:
- Keep your crypto life private. Do not advertise holdings, gains, routines, or devices on social media. Do not make it easy for strangers, casual acquaintances, or insiders to know what you control.
- Do not keep meaningful access in one easy place. If all signing power lives on the phone in your pocket or in a hardware wallet at home, an attacker has a short path to your funds.
- Split control. Multisig, offsite key storage, and time delays make it much harder for one coerced person to move everything on demand.
- Treat physical security as part of crypto security. Better locks, cameras, lighting, safer routines, and awareness of surveillance matter. So does thinking carefully about conferences, travel, and who knows where you live.
- Have a silent alert and response plan. This is the layer many people forget. If you are being pressured, you may need a covert way to notify trusted contacts, share location, or trigger a pre-planned response. That is exactly the kind of problem Alcazar Flare is built for: silent alerts, trusted-contact notification, live location sharing, and response-plan coordination when someone is being forced to unlock a wallet or device.
- Prioritize your safety over your coins. No wallet setup is worth dying for. If you are in immediate danger, focus on surviving the incident and contacting law enforcement as soon as you safely can.
One nuance is worth saying clearly: decoy or duress wallets are sometimes discussed, but they are not a magic fix. Even Jameson Lopp’s write-up on duress wallets argues they are unreliable on their own because you cannot predict how a violent attacker will react. A better mindset is layered defense: privacy, split control, slower access, and a silent emergency plan.
The simple definition to remember
If you only remember one sentence, use this:
A wrench attack is when someone skips hacking your crypto and attacks you instead.
That is the meaning people are usually looking for.
And that is why the topic matters now. As crypto becomes more valuable and more visible, physical attacks become more tempting to criminals. The right response is not panic. It is to stop treating personal safety and wallet security as two separate things.
Leave the right message behind
Set up encrypted messages, files, and instructions for the people who would need them most if something happened to you.