Physical Kidnapping: Wrench Attack After Bitcoin's New High

Background

In the dark forest of blockchain, we usually talk about on-chain attacks, contract vulnerabilities, and hacker intrusions, but a growing number of cases remind us that the risk has spread off-chain.

According to reports from Decrypt and Eesti Ekspress, in a recent court hearing, crypto billionaire and entrepreneur Tim Heath recounted an attempted kidnapping he experienced last year. The attackers tracked his movements using GPS, forged passports, and disposable phones, launching an attack from behind as he was going upstairs, attempting to cover his head with a bag and forcefully control him. Heath managed to escape after biting off a portion of one assailant's finger.

As the value of crypto assets continues to rise, wrench attacks targeting crypto users are becoming increasingly frequent. This article will delve into this type of attack method, review typical cases, outline the criminal chain behind it, and propose practical prevention and response suggestions.

What is a wrench attack?

"You can have the strongest technical protections, but an attacker only needs a wrench to bring you down, and you will obediently give up your password." The term $5 Wrench Attack first appeared in the webcomic XKCD, where the attacker does not use technical means but instead relies on threats, extortion, or even kidnapping to force the victim to hand over their password or assets.

Review of Typical Kidnapping Cases

Since the beginning of this year, there has been a surge in kidnapping cases targeting cryptocurrency users, with victims including core members of projects, KOLs, and even ordinary users. In early May, French police successfully rescued the father of a cryptocurrency millionaire who had been kidnapped. The kidnappers demanded a ransom of several million euros and brutally cut off his fingers to pressure the family.

Similar cases have emerged as early as the beginning of the year: In January, Ledger co-founder David Balland and his wife were attacked at home by armed assailants, who cut off his fingers and filmed the incident, demanding a ransom of 100 bitcoins. In early June, a man with dual nationality of France and Morocco, Badiss Mohamed Amide Bajjou, was arrested in Tangier. According to Barrons, he is suspected of planning multiple kidnappings of French cryptocurrency entrepreneurs. The French Minister of Justice confirmed that the suspect is wanted by Interpol for charges including "kidnapping and unlawful confinement of hostages." Furthermore, Bajjou is suspected of being one of the masterminds behind the kidnapping case of the Ledger co-founder.

Another shocking case occurred in New York. Italian crypto investor Michael Valentino Teofrasto Carturan was lured to a villa and subjected to three weeks of captivity and torture. The criminal gang used chainsaws, electric shock devices, and drugs to threaten him, even suspending him from the top of a high-rise building to force him to give up his wallet private key. The assailants were "industry insiders" who precisely targeted him through on-chain analysis and social media tracking.

In mid-May, Pierre Noizat, co-founder of Paymium, narrowly escaped having his daughter and young grandson forcibly dragged into a white van on the streets of Paris. According to Le Parisien, Noizat's daughter fought back fiercely, and a passerby struck the van with a fire extinguisher, forcing the kidnappers to flee.

These cases show that, compared with on-chain attacks, offline violent coercion is more direct, more efficient, and has a lower barrier to entry. The attackers are mostly young people aged between 16 and 23 with a basic understanding of cryptocurrency. According to data released by the French prosecution, several minors have already been formally charged for their involvement in such cases.

Beyond the publicly reported cases, the SlowMist security team, while collating reports submitted by victims, has also seen cases in which users were restrained or coerced by the counterparty during offline (in-person) transactions.

There are also "non-violent coercion" incidents that never escalate to physical violence: for example, attackers who have obtained a victim's private information, whereabouts, or other leverage use it to force them to transfer funds. Although such situations cause no direct physical harm, they already cross into the territory of personal threats, and whether they should be classed as "wrench attacks" deserves further discussion.

It is important to emphasize that the disclosed cases are probably only the tip of the iceberg. Many victims choose to remain silent out of fear of retaliation, a belief that law enforcement will not act, or a desire not to expose their identity, which makes it difficult to assess the true scale of off-chain attacks.

Crime Chain Analysis

In 2024 a research team at Cambridge University published a paper titled "Investigating Wrench Attacks: Physical Attacks Targeting Cryptocurrency Users", which systematically analyzes cases of violent coercion (wrench attacks) against cryptocurrency users worldwide and lays out the attack patterns and the challenges in defending against them. The image below is a translated version of a figure from the paper, included for reference; the original can be found in the paper.

Based on several typical cases, we summarize the crime chain of a wrench attack as the following key stages:

1. Information Locking

Attackers usually start from on-chain information, combining transaction behavior, address labels, NFT holdings, and so on to form an initial estimate of the target's asset size. At the same time, Telegram group chats, X (Twitter) posts, KOL interviews, and even leaked data sets serve as important sources of supporting intelligence.

2. Real-World Location and Approach

After identifying the target, the attacker attempts to obtain their real-world identity details, including their residence, frequently visited locations, and family structure. Common methods include:

  • Inducing the target to leak information on social platforms;
  • Using public registration information (such as an e-mail address bound to an ENS name, or domain registration records) for reverse lookup;
  • Using leaked data for reverse search;
  • Luring the target into a controlled environment through surveillance or false invitations.

3. Violent Threats and Extortion

Once the target is under their control, attackers typically use violence to force them to hand over wallet private keys, recovery phrases, and two-factor authentication access. Common methods include:

  • Physical harm such as beating, electrocution, and amputation;
  • Coercing the victim into performing the transfer themselves;
  • Intimidating relatives and demanding that family members transfer funds on the victim's behalf.

4. Money Laundering and Fund Transfers

After obtaining the private key or mnemonic phrase, attackers usually move the assets quickly, using methods such as:

  • Passing funds through a mixer to conceal their source;
  • Transferring to addresses they control or to accounts at non-compliant centralized exchanges;
  • Liquidating assets through OTC channels or the black market.

Some attackers have a blockchain technology background and are familiar with on-chain tracing; they deliberately build multi-hop paths or cross-chain obfuscation to evade tracking.

Countermeasures

Multi-signature wallets or a mnemonic phrase split into separately stored shares are not practical protection in extreme scenarios involving threats to personal safety: attackers tend to read this as a refusal to cooperate, which escalates the violence. Against wrench attacks, the more prudent strategy is "give what you can, and keep the loss manageable":

  • Set up a decoy wallet: prepare an account that looks like the main wallet but holds only a small amount of assets, to be handed over in an emergency so that the loss is capped.
  • Family security management: family members should know the basics of where assets are held and how to cooperate in a response; agree on a safety word to signal danger in an abnormal situation; harden the security settings of household devices and the physical security of the residence.
  • Avoid identity exposure: do not flaunt wealth or share transaction records on social platforms; do not reveal cryptocurrency holdings in real life; manage what your social circle knows so that acquaintances cannot leak it. The most effective protection is always to make sure that people "don't know you are a target worth watching."

Closing Remarks

As the cryptocurrency industry develops rapidly, know-your-customer (KYC) and anti-money-laundering (AML) systems play a key role in improving financial transparency and preventing illicit fund flows. In practice, however, many challenges remain, especially around data security and user privacy. For example, the large amounts of sensitive information (identity documents, biometric data, and so on) that platforms collect to meet regulatory requirements can themselves become a point of attack if not properly protected.

We therefore recommend building a dynamic risk identification system on top of the traditional KYC process, to reduce unnecessary data collection and lower the risk of data breaches. At the same time, platforms can integrate a one-stop anti-money-laundering and tracing platform such as MistTrack to help identify potentially suspicious transactions, strengthening risk control at the source. Building data security capabilities is equally essential: with SlowMist's red team testing services, a platform can obtain attack simulation support in a realistic environment and comprehensively assess the exposure paths and risk points of its sensitive data.
