Crypto investors have lost more than $100 million to physical extortion in the first four months of 2026, according to blockchain security firm CertiK, as criminal groups increasingly target the people behind digital wallets rather than the technology securing them.
The attacks, known in the industry as “wrench attacks,” use kidnapping, assault, threats, or other forms of physical coercion to force victims to transfer crypto, unlock accounts, or surrender access to private keys.
The tactic has become a growing concern for an industry that has spent years building defenses against phishing, malware, smart-contract exploits, and exchange breaches.
CertiK said verified global incidents rose 41% to 34 from the same period last year. If the current pace continues, the blockchain security firm estimates the full-year count could reach about 130 incidents, with losses running into the several hundred million dollar range.
This projection means that this year’s attacks are on track to exceed those of 2025, which researchers described as the most active year on record for crypto-related physical assaults.
However, security researchers and law enforcement universally acknowledge that these figures represent a fraction of the reality. The inherently traumatic nature of the crimes, combined with the victim’s fear of retaliation, results in chronic underreporting.
That makes wrench attacks harder to track than on-chain exploits, where stolen funds can often be traced across wallets and exchanges in real time.
France becomes the center of Europe’s crypto violence
Europe has become the main center of the threat this year, accounting for 82% of CertiK’s verified cases in the first four months of 2026.
Reported incidents in the US and Asia have declined over the same period, leaving France as the clearest concentration of crypto-related physical crime.
French authorities have acknowledged the scale of the problem. During Paris Blockchain Week this year, the Ministry of the Interior reportedly identified 41 incidents involving physical coercion tied to digital assets since January, a rate of roughly one attack every two and a half days.
France’s rising exposure could be linked to a mix of industry concentration, public visibility, and data leakage.
The country is home to major crypto companies and executives, including firms such as Ledger and Paymium, creating a visible network of founders, developers, investors, and early adopters. Public events, meetups, and social media activity can make it easier for criminal groups to identify people they believe have access to digital assets.
The risk has been compounded by breaches involving sensitive personal information. CertiK cited the case of Ghalia C., a tax official at France’s General Directorate of Public Finances, who was accused of using government tax software to search for profiles of crypto-asset holders before allegedly selling the information to criminal networks.
That case has become a reference point for a broader concern, as attackers may no longer need to rely only on social media displays of wealth. Leaked tax records, customer files, home addresses, and accounting data can help turn a blockchain user into a physical target.
Criminal groups follow the path to liquidity
The appeal of wrench attacks lies in their directness. A criminal group does not need to defeat encryption, break a hardware wallet, or exploit a smart contract if it can force a victim to approve a transfer.
That calculation has made crypto attractive to groups already willing to use violence. Digital assets can be moved quickly, split across wallets, bridged between networks, or converted into harder-to-trace instruments.
Even when investigators can follow funds on-chain, recovery is difficult once assets pass through mixers, decentralized exchanges, or privacy-focused coins.
The first months of 2026 have produced several cases that show how the tactic is evolving.
In January, Chinese entrepreneur Yong Wang was abducted after arriving in Istanbul, Turkey. Investigators later said the case was tied to a crypto-asset dispute and that funds were extracted before he was killed. Ten suspects were arrested in China after an Interpol Red Notice.
The same month, Nancy Guthrie, the 84-year-old mother of journalist Savannah Guthrie, was kidnapped in the US as part of a $6 million BTC ransom demand. The case illustrated a growing proxy-targeting strategy in which attackers go after relatives or associates rather than the primary holder.
In March, a UK-based crypto figure and indie game developer known as Sillytuna said he was forced by armed attackers to transfer about $24 million in aEthUSDC. The funds were then moved across multiple chains and converted into Monero, according to the account cited by CertiK.
Last year, Phil Ariss, director of UK public sector relations at TRM Labs, said these patterns reflect a migration of traditional criminal behavior into the crypto space.
Ariss said:
“One factor that should not be overlooked when it comes to wrench attacks is that, at its core, it’s a natural evolution of criminal behavior. Criminal groups already comfortable with using violence to achieve their goals were always likely to migrate to crypto. As long as there’s a viable route to launder or liquidate stolen assets, it makes little difference to the offender whether the target is a high-value watch or a crypto wallet.”
The shift also changes the meaning of personal security in crypto. A holder’s risk profile can now include social-media posts, conference appearances, tax records, leaked customer data, family routines, and public signs of wealth. The wallet may be secure, while the person controlling it remains exposed.
Industry tools add delay, but not a full defense
The rise in physical coercion has prompted crypto companies to build tools to slow forced withdrawals.
Binance, the world’s largest crypto exchange, recently introduced a withdrawal lockdown feature designed for situations in which a user may be pressured in person to move funds.
The feature allows users to set a delay of between 1 and 7 days for on-chain withdrawals. Once activated, the account cannot send crypto off the platform during the selected window, even if the account holder initiates the transfer.
Binance framed the tool as a response to a category of risk that digital security products do not address. The exchange said physical coercion sits outside the usual defenses built for phishing, impersonation scams, SIM swaps, and seed phrase theft.
The logic is deterrence through friction. If attackers know assets cannot be moved immediately, the target may become less attractive. A delay can also give victims, relatives, or colleagues time to alert law enforcement before funds leave the platform.
However, these time locks have limits. A criminal group willing to hold a victim for hours or days may be able to wait out the delay.
Self-custody users also face a different challenge because assets held outside centralized platforms require separate protections, such as multisignature arrangements, vaults, delayed spending policies, and geographically distributed signing controls.
Kevin Loaec, founder of Bitcoin security firm Wizardsardine, has warned that the problem cannot be solved by cryptography alone. He said holders in high-risk areas should think more seriously about physical awareness, communication with relatives, and immediate contact with authorities when threats arise.
That view is gaining ground as the crypto market grows larger and more visible. The industry’s early security culture focused heavily on keeping private keys offline and avoiding online scams.
The latest wave of attacks suggests that wealth exposure, leaked personal data, and public identity management now belong in the same conversation.