Tim Heath, a well-known investor in the crypto sector, reported the violent episode as the number of physical attacks against cryptocurrency holders rises.
Summary
In an Estonian court, billionaire cryptocurrency investor and entrepreneur Tim Heath shared his experience of being attacked in a failed kidnapping attempt last year.
The attackers tracked his movements using GPS, fake passports, and disposable cell phones. Heath invested around R$ 17 million in personal security after the violent incident.
Experts warn that privacy gaps in cryptocurrency regulation are fueling violent attacks against notable cryptocurrency investors and entrepreneurs.
Ambushed outside his apartment last year by individuals posing as painters, billionaire entrepreneur and cryptocurrency investor Tim Heath severed part of his attacker's finger in an attempted kidnapping.
An Estonian court heard his testimony last week, apparently confirmed through DNA evidence from a severed finger found near the scene. The case has drawn attention to the growing trend of physical attacks in the form of 'wrench attacks', a term used to describe physical assaults aimed at stealing cryptocurrencies.
In a lawsuit first reported by the local site Eesti Ekspress, Heath recounted how the attackers grabbed him from behind as he climbed the stairs, trying to put a bag over his head and ordering him to stay quiet.
Feeling the hand of an attacker near his face, Heath instinctively bit down hard, severing part of the attacker's finger. He then managed to break free and fled to his apartment.
Testimonies in court reveal that the kidnapping attempt was prepared over weeks of planning.
The attackers used GPS trackers and disposable cell phones to monitor Heath's movements, one carrying a fake Azerbaijani passport and another renting a sauna to serve as a hideout. The DNA from the severed finger found at the crime scene was later compared to the evidence presented in court.
In May, Heath filed a civil lawsuit seeking an additional €3.2 million in damages, including approximately €2.7 million (around R$ 17 million) in private security expenses, according to another report from Eesti.
Decrypt reached out to the Estonian court and Heath's representatives to confirm the status of the claims.
Are attacks far from over?
Although Heath's kidnapping attempt has drawn public attention due to his visceral account of the attack, recent reports indicate that it is far from an isolated incident.
These physical threats circumvent digital security measures, targeting individuals directly. The term “$5 wrench attack” was first used in a 2009 “XKCD” comic and later adopted to describe these attacks.
Cryptocurrency traders have been alarmed in recent months by reports of kidnappings, attempted kidnappings, and gruesome attacks. Prominent targets include Ledger co-founder David Balland, who was kidnapped in January with his wife and had his finger severed and sent to associates along with a ransom demand. They were rescued by the police after 24 hours.
Dozens of suspects have been arrested in France in connection with other recent cryptocurrency-related attacks, in addition to a kidnapping case involving a man in New York City due to his Bitcoin, which recently made headlines.
“If every wallet has to have a name behind it to combat money laundering, this will bring us problems like wrench attacks,” said Raido Saar, president of the Estonian Web3 Chamber and CEO of the digital identity platform Matter-ID, to Decrypt.
Saar points to the recent implementation of FATF Travel Rules as one of the main reasons why individuals with significant cryptocurrency assets can be identified, saying that when “combined with the public transparency of the blockchain,” the rule “introduces serious real risks to privacy and security,” especially if “the ownership of the cryptocurrency wallet becomes publicly traceable to real people.”
The FATF Travel Rule requires cryptocurrency exchanges to disclose customer identities for transactions that exceed certain limits, thereby exacerbating risks.
“Once a real identity is linked to a public wallet address, it exposes more than just the transaction,” noted Saar. He warned that this “can give rise to real-world targets,” as it allows criminals to “easily identify high-value targets.”
As regulators push for wallet attribution to combat money laundering and terrorist financing, the infrastructure “to do this without compromising privacy does not yet exist at scale,” lamented Saar.
Without privacy-preserving tools, the implementation of these rules could create a “conflict between compliance and human rights.” When rules like those from FATF are implemented loosely, “everyone can become a target,” warned Saar.