Background

In the blockchain dark forest, we often talk about on-chain attacks, contract vulnerabilities, and hacker intrusions, but an increasing number of cases remind us that risks have spread to off-chain.

According to reports from Decrypt and Eesti Ekspress, during a recent court hearing, crypto billionaire and entrepreneur Tim Heath recalled an attempted kidnapping he experienced last year. The attackers tracked him via GPS, forged a passport, and used a disposable phone to monitor his movements. They attacked him from behind while he was going upstairs, attempting to put a bag over his head and gain control of him. Heath managed to escape after biting off part of one attacker's finger.

As the value of crypto assets continues to rise, wrench attacks targeting crypto users are becoming increasingly frequent. This article will delve into the methods of such attacks, review typical cases, outline the underlying criminal chain, and propose practical prevention and response suggestions.

(https://www.binance.com/en/blog/security/binance-physical-security-team-on-how-to-avoid-the-threat-of-reallife-attacks-634293446955246772)

What is a Wrench Attack

"You can have the strongest technical protection, but the attacker just needs a wrench to bring you down, and you will obediently tell them the password." The term "$5 Wrench Attack" first appeared in the webcomic XKCD: instead of using technical means, the attacker threatens, extorts, or even kidnaps the victim to force them to disclose passwords or hand over assets.

(https://xkcd.com/538/)

Review of Typical Kidnapping Cases

Since the beginning of this year, kidnapping cases targeting crypto users have been frequent, with victims including core members of projects, KOLs, and even ordinary users. In early May, French police successfully rescued the kidnapped father of a cryptocurrency tycoon. The kidnappers had demanded millions of euros in ransom and cruelly severed his finger to pressure the family.

Similar cases emerged as early as the beginning of the year: in January, Ledger co-founder David Balland and his wife were attacked by armed assailants at their home, where the kidnappers also severed his finger and recorded a video, demanding 100 bitcoins as ransom. In early June, a dual-nationality man, Badiss Mohamed Amide Bajjou, was captured in Tangier; according to Barron's, he is suspected of planning multiple kidnappings of French cryptocurrency entrepreneurs. The French Minister of Justice confirmed that the suspect is wanted by Interpol for 'kidnapping, illegal detention of hostages,' and Bajjou is suspected of being one of the masterminds behind the Ledger co-founder's kidnapping case.

Another shocking case occurred in New York. Italian crypto investor Michael Valentino Teofrasto Carturan was lured to a villa, where he was held captive and tortured for three weeks. The criminal gang used a chainsaw, electric shock devices, and drugs to threaten him, even hanging him from the top of a high building to force him to hand over his wallet private keys. The assailants were 'insiders' who had precisely identified him as a target through on-chain analysis and social media tracking.

In mid-May, Pierre Noizat, co-founder of Paymium, narrowly escaped being forcibly dragged into a white van on the streets of Paris, along with his daughter and young grandson. According to Le Parisien, Noizat's daughter fiercely resisted, and a passerby struck the van with a fire extinguisher, forcing the kidnappers to flee.

These cases indicate that, compared to on-chain attacks, offline violent threats are more direct, more efficient, and have a lower barrier to entry. Attackers tend to be young, primarily aged between 16 and 23, with a basic understanding of cryptocurrency. According to data released by the French prosecution, several minors have already been formally charged for involvement in such cases.

In addition to publicly reported cases, the SlowMist security team also noted that some users encountered control or coercion during offline transactions, leading to asset losses.

In addition, there are some 'non-violent coercion' incidents that have not escalated to physical violence. For example, attackers use private information, the victim's whereabouts, or other leverage to threaten the victim and compel them to transfer funds. Although these situations do not cause direct physical harm, they cross the boundary into personal threats, and whether they fall under the category of 'wrench attacks' deserves further discussion.

It should be emphasized that the disclosed cases may only be the tip of the iceberg. Many victims choose silence due to concerns about retaliation, law enforcement not taking action, or exposure of their identity, making it difficult to accurately assess the true scale of off-chain attacks.

Analysis of the Criminal Chain

A research team from the University of Cambridge published a paper in 2024 (Investigating Wrench Attacks: Physical Attacks Targeting Cryptocurrency Users) that systematically analyzes cases of crypto users encountering violent coercion (wrench attacks) worldwide, revealing in depth the attack patterns and defense challenges. The following image is a translated version of a figure from the paper, provided for reference; the original can be found at https://www.repository.cam.ac.uk/items/d988e10f-b751-408a-a79e-54f2518b3e70.

Based on multiple typical cases, we summarize the criminal chain of wrench attacks as roughly comprising the following key stages:

1. Information Lockdown

Attackers typically start with on-chain information, combining trading behavior, address labels, NFT holdings, etc., to make a preliminary assessment of the scale of the target's assets. Meanwhile, Telegram group chats, X (Twitter) discussions, KOL interviews, and even leaked data have become important auxiliary intelligence sources.

2. Real-world Positioning and Contact

After determining the target's identity, attackers attempt to obtain real-world identity information, including residence, frequently visited locations, and family structure. Common methods include:

  • Inducing targets to disclose information on social platforms;

  • Using publicly registered information (such as ENS-bound email, domain registration details) for reverse lookup;

  • Using leaked data for reverse searches;

  • Tracking or using false invitations to lead targets into controlled environments.

3. Violent Threats and Extortion

Once the target is controlled, attackers often resort to violent means to force the victim to hand over their wallet private keys, recovery phrases, and two-factor authentication permissions. Common methods include:

  • Beatings, electric shocks, amputation, and other bodily harm;

  • Coercing victims to initiate transfers;

  • Intimidating relatives, or demanding that family members transfer funds on the victim's behalf.

4. Money Laundering and Fund Transfer

After obtaining the private key or recovery phrase, attackers usually move the assets rapidly using methods such as:

  • Using mixers to obscure the source of funds;

  • Transferring funds to controlled addresses or non-compliant centralized exchange accounts;

  • Liquidating assets through OTC channels or the black market.

Some attackers have a background in blockchain technology, are familiar with on-chain tracking mechanisms, and intentionally create multi-hop paths or cross-chain obfuscation to evade tracking.

Countermeasures

Multi-signature wallets or split recovery phrases are not practical in extreme scenarios involving personal threats, as attackers often interpret these as a refusal to cooperate, which may escalate the violence. A more prudent strategy against wrench attacks is to 'give something, but keep losses controllable':

  • Setting up a bait wallet: prepare an account that appears to be the main wallet but holds only a small amount of assets, so that it can be handed over as a controlled 'stop-loss' in case of danger.

  • Family security management: family members should know the basics of where assets are held and how to cooperate in a response; agree on safe words to signal danger in abnormal situations; strengthen the security settings of home devices and the physical security of the residence.

  • Avoiding identity exposure: do not flaunt wealth or share transaction records on social platforms; do not disclose cryptocurrency holdings in real life; manage what your circle of friends knows to prevent leaks from acquaintances. The most effective protection is always to ensure that people 'do not know you are a target worth watching.'

In Conclusion

With the rapid development of the crypto industry, Know Your Customer (KYC) and Anti-Money Laundering (AML) systems play a key role in improving financial transparency and controlling illegal capital flows. However, their implementation still faces many challenges, especially regarding data security and user privacy. For instance, the large amounts of sensitive information (such as identity documents and biometric data) that platforms collect to meet regulatory requirements can themselves become an attack surface if not protected properly.

Therefore, we recommend introducing a dynamic risk identification system on top of traditional KYC processes to reduce unnecessary information collection and lower the risk of data breaches. At the same time, platforms can integrate one-stop anti-money laundering and tracking platforms such as MistTrack to help identify potentially suspicious transactions, thereby strengthening risk control at the source. Building data security capabilities is also indispensable: with SlowMist's red team testing services (https://cn.slowmist.com/service-red-teaming.html), platforms can obtain attack simulations in real environments that comprehensively assess the exposure paths and risk points of sensitive data.

In the future, how to enhance technical protection and optimize data governance while meeting regulatory requirements will be the focus of anti-money laundering efforts. SlowMist looks forward to collaborating with more industry partners to build a safer and more robust blockchain ecosystem.