Author: SlowMist Technology
Background
In the dark forest of blockchain we usually talk about on-chain attacks, contract vulnerabilities and hacker intrusions, but a growing number of cases remind us that the risk has spread off-chain.
According to Decrypt and Eesti Ekspress, crypto billionaire and entrepreneur Tim Heath recounted an attempted kidnapping from last year at a recent court hearing. The attackers tracked his movements with a GPS tracker, used forged passports and burner phones, and attacked him from behind as he was climbing the stairs, trying to pull a bag over his head and restrain him. Heath escaped after biting off one of the attacker's fingers.
As crypto asset prices keep rising, wrench attacks against crypto holders are becoming more frequent. This article analyzes this class of attack in depth, reviews typical cases, lays out the criminal chain behind them, and offers practical prevention and response advice.
(https://www.binance.com/en/blog/security/binance-physical-security-team-on-how-to-avoid-the-threat-of-reallife-attacks-634293446955246772)
What is a wrench attack?
"You can have the strongest technical protection in the world, but an attacker only needs a wrench to beat you until you hand over your password." The term "$5 wrench attack" originated in the web comic XKCD. The attacker uses no technical means at all: the victim is forced to hand over passwords or assets through threats, blackmail or even kidnapping.
(https://xkcd.com/538/)
Review of Typical Kidnapping Cases
Since the beginning of this year, kidnappings targeting crypto users have become frequent, with victims ranging from core project team members and KOLs to ordinary users. In early May, French police rescued the kidnapped father of a cryptocurrency entrepreneur. The kidnappers had demanded a ransom of several million euros and cut off one of his fingers to put pressure on the family.
Similar cases had already occurred at the start of the year: in January, Ledger co-founder David Balland and his wife were attacked at their home by armed men. The kidnappers cut off one of his fingers, filmed it, and demanded 100 bitcoins. In early June, Badiss Mohamed Amide Bajjou, a dual French-Moroccan national, was arrested in Tangier. According to Barron's, he is suspected of orchestrating several kidnappings of French cryptocurrency entrepreneurs; the French Minister of Justice confirmed that the suspect was wanted by Interpol for "kidnapping, illegal detention of hostages" and other crimes, and that he is believed to be one of the masterminds behind the kidnapping of the Ledger co-founder.
Another case that shocked the industry took place in New York. Italian crypto investor Michael Valentino Teofrasto Carturan was lured to a townhouse, held captive and tortured for three weeks. The gang threatened him with a chainsaw, electric shocks and drugs, and even dangled him from the top of the building, all to force him to give up his wallet's private key. The perpetrators were industry "insiders" who had pinpointed their target through on-chain analysis and social media tracking.
In mid-May, the daughter and young grandson of Paymium co-founder Pierre Noizat were nearly dragged into a white van on a Paris street. According to Le Parisien, Noizat's daughter fought back hard and a passerby struck the van with a fire extinguisher, forcing the kidnappers to flee.
These cases show that compared with on-chain attacks, offline violent coercion is more direct, more efficient and has a lower barrier to entry. The attackers are mostly young, aged 16 to 23, with a basic understanding of cryptocurrency. According to figures released by French prosecutors, several minors have been formally charged in connection with such cases.
Beyond the publicly reported cases, the SlowMist security team, while reviewing reports submitted by victims through its intake form, has also seen users who were controlled or coerced by their counterparty during in-person (offline) trades and lost assets as a result.
There have also been "non-violent coercion" incidents that did not escalate into physical violence: for example, an attacker obtains the victim's private information, whereabouts or other compromising material and uses it to force a transfer. Although such cases cause no direct physical harm, they already touch the boundary of personal threat, and whether they count as "wrench attacks" is worth further discussion.
It should be stressed that the disclosed cases may be only the tip of the iceberg. Many victims stay silent out of fear of retaliation, because law enforcement declines to take the case, or to avoid exposing their identity, which makes the true scale of off-chain attacks hard to assess.
Crime chain analysis
A 2024 paper by a University of Cambridge research team, "Investigating Wrench Attacks: Physical Attacks Targeting Cryptocurrency Users", systematically analyzed cases of violent coercion (wrench attacks) against crypto users worldwide and laid out the attack patterns and the difficulties of defending against them. The figure below is a translation of the paper's original figure, provided for reference; the original is available at https://www.repository.cam.ac.uk/items/d988e10f-b751-408a-a79e-54f2518b3e70.
Based on a number of typical cases, we find that the criminal chain of a wrench attack generally covers the following key links:
1. Information Locking
Attackers usually start from on-chain information, combining transaction behavior, address labels, NFT holdings and so on to make a preliminary estimate of the target's asset size. Telegram group chats, posts on X (Twitter), KOL interviews and even leaked data sets serve as important supplementary intelligence sources.
2. Real-world positioning and contact
Once the target is identified, the attacker tries to obtain real-world identity information: where the target lives, the places they frequent and their family structure. Common methods include:
Inducing the target to disclose information on social platforms;
Reverse lookups through public registration data (for example the email bound to an ENS name, or domain registration records);
Reverse searches through leaked data sets;
Luring the target into a controlled environment through stalking or false invitations.
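To make the first two links concrete, here is an added self-audit example. It is not SlowMist tooling and not part of the original article; it reproduces two aggregation heuristics an analyst applies when sizing up a target: a reverse ENS record plus ENS text records tie an address to a public name and to real-world identifiers, and a "funded-by" clustering pass pulls in every wallet whose only source of funds is a wallet already attributed to you. The addresses (the 0x... labels are placeholders, not real addresses), balances, ENS records, transfers and the function names `cluster_by_funder` and `exposure_report` are all constructed for this example.

```python
"""Added example: estimate what an on-chain analyst can attribute to you.
All addresses, balances, ENS records and transfers below are constructed
placeholders, not real on-chain data."""
from collections import defaultdict

# Constructed balances (in ETH) for a few addresses.
BALANCES = {
    "0xA1": 1200.0,  # main wallet, publicly tied to an ENS name
    "0xA2": 35.0,    # "anonymous" side wallet, funded only from 0xA1
    "0xA3": 5.0,     # throwaway, funded only from 0xA2
    "0xB1": 800.0,   # unrelated user, funded from an exchange hot wallet
}
# Constructed reverse ENS records (address -> primary name) and text records.
REVERSE_ENS = {"0xA1": "alice.eth"}
ENS_TEXT = {"alice.eth": {"email": "alice@example.com",
                          "com.twitter": "alice_crypto"}}
# Constructed transfer log: (from, to, amount).
TRANSFERS = [
    ("0xA1", "0xA2", 35.0),
    ("0xA2", "0xA3", 5.0),
    ("0xEX", "0xB1", 800.0),  # 0xEX stands for an exchange hot wallet
]
# Text-record keys that map directly to a real-world identity.
IDENTITY_KEYS = ("email", "com.twitter", "com.github", "url")


def cluster_by_funder(seed, transfers):
    """'Funded-by' heuristic: a wallet is attributed to the seed's owner when
    every address that ever funded it is already in the cluster. Repeat until
    no new wallet joins; a wallet funded even once from outside stays out."""
    funders = defaultdict(set)
    for src, dst, _amount in transfers:
        funders[dst].add(src)
    cluster = {seed}
    changed = True
    while changed:
        changed = False
        for addr, srcs in funders.items():
            if addr not in cluster and srcs <= cluster:
                cluster.add(addr)
                changed = True
    return cluster


def exposure_report(seed, balances=BALANCES, transfers=TRANSFERS,
                    reverse_ens=REVERSE_ENS, ens_text=ENS_TEXT):
    """Return what an attacker in the 'information locking' step would see:
    the attributable cluster, its total visible balance, and the real-world
    identifiers reachable from any address in it."""
    cluster = cluster_by_funder(seed, transfers)
    visible = sum(balances.get(a, 0.0) for a in cluster)
    identifiers = {}
    flags = []
    for addr in sorted(cluster):
        name = reverse_ens.get(addr)
        if not name:
            continue
        flags.append(f"{addr}: reverse ENS record exposes public name {name}")
        for key, value in ens_text.get(name, {}).items():
            if key in IDENTITY_KEYS:
                identifiers[key] = value
                flags.append(f"{name}: text record '{key}' links the cluster "
                             f"to a real-world identifier")
    if len(cluster) > 1:
        flags.append(f"{len(cluster) - 1} 'separate' wallet(s) are attributable "
                     f"to {seed} through funding alone")
    return {"cluster": sorted(cluster), "visible_balance": visible,
            "identifiers": identifiers, "flags": flags}


if __name__ == "__main__":
    for seed in ("0xA1", "0xB1"):
        report = exposure_report(seed)
        print(seed, report["visible_balance"], report["cluster"])
        for flag in report["flags"]:
            print("  -", flag)
```

Run against the constructed data, the "anonymous" side wallet and the throwaway are folded into the main wallet's cluster purely through their funding history, and the ENS text records hand the attacker an email and a Twitter handle for the whole cluster. Funding a side wallet from an exchange withdrawal instead of from your main wallet is what breaks the heuristic, as the unrelated 0xB1 shows.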
3. Threats of violence and blackmail
Once the target is under control, the attacker typically uses violence to force the surrender of wallet private keys, seed phrases and second-factor credentials. Common methods include:
Physical injury such as beatings, electric shocks and amputation;
Forcing the victim to make transfers;
Threatening relatives and making them transfer funds on the victim's behalf.
4. Money Laundering and Fund Transfer
After obtaining the private key or seed phrase, the attacker usually moves the assets quickly by:
Using mixers to obscure the origin of funds;
Transferring to controlled addresses or accounts at non-compliant centralized exchanges;
Cashing out through OTC channels or the black market.
Some attackers have a blockchain technology background and are familiar with on-chain tracing; they deliberately build multi-hop paths or use cross-chain obfuscation to evade tracking.
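The tracing the previous paragraph refers to is, at its core, a forward walk over outgoing transfers until the funds hit an address with a known label. The example below is added here and is not SlowMist or MistTrack code; it shows that walk over a constructed transfer log in which stolen funds are split, partly mixed, partly bridged, and partly parked, and it separates the endpoints where action is still possible (an exchange deposit address) from those that need further work (mixer, bridge) or have gone cold (untagged). The transaction ids, 0x... placeholder addresses, labels and the functions `trace`, `summarize` and `actionable` are all constructed.

```python
"""Added example: forward multi-hop tracing of stolen funds to labelled
endpoints. Transactions, addresses and labels are constructed placeholders."""
from collections import defaultdict

# Constructed address labels, as an analyst's tag database would hold them.
TAGS = {
    "0xMIX": "mixer",
    "0xBRIDGE": "bridge",
    "0xCEX1": "exchange-deposit",
}
# Constructed transfer log: (tx id, from, to, amount). Gas is ignored.
TRANSFERS = [
    ("t1", "0xVICTIM", "0xH1", 100.0),  # drained under duress
    ("t2", "0xH1", "0xH2", 60.0),       # split across two branches
    ("t3", "0xH1", "0xH3", 40.0),
    ("t4", "0xH2", "0xMIX", 55.0),      # most of one branch enters a mixer
    ("t5", "0xH2", "0xH4", 5.0),        # small remainder parked, untagged
    ("t6", "0xH3", "0xBRIDGE", 39.5),   # other branch goes cross-chain
    ("t7", "0xH3", "0xCEX1", 0.5),      # dust lands on an exchange deposit
]


def trace(start, transfers=TRANSFERS, tags=TAGS, max_hops=6):
    """Depth-first walk of outgoing transfers from `start`. A path ends at the
    first labelled address it reaches, at a dead end (no outgoing transfers),
    or at max_hops. Each result records the path, the amount carried by the
    final hop, and the endpoint label (None when untagged)."""
    outgoing = defaultdict(list)
    for tx, src, dst, amount in transfers:
        outgoing[src].append((dst, amount, tx))
    results = []

    def walk(path, amount):
        current = path[-1]
        hops = len(path) - 1
        if current in tags or hops >= max_hops or not outgoing[current]:
            results.append({"path": path, "amount": amount,
                            "tag": tags.get(current)})
            return
        for dst, amt, _tx in outgoing[current]:
            if dst in path:  # ignore cycles and self-transfers
                continue
            walk(path + [dst], amt)

    walk([start], None)
    return results


def summarize(results):
    """Total the amount arriving at each endpoint label. 'untagged' collects
    funds whose trail went cold, which is where manual work continues."""
    totals = defaultdict(float)
    for r in results:
        totals[r["tag"] or "untagged"] += r["amount"] or 0.0
    return dict(totals)


def actionable(results):
    """Exchange deposit addresses are the endpoints where a freeze or KYC
    request can still recover funds; mixers and bridges need further tracing."""
    return [r for r in results if r["tag"] == "exchange-deposit"]


if __name__ == "__main__":
    paths = trace("0xVICTIM")
    for r in paths:
        print(" -> ".join(r["path"]), r["amount"], r["tag"])
    print(summarize(paths))
    print("actionable:", [r["path"][-1] for r in actionable(paths)])
```

Note that the amount recorded is the value of the last hop, not a proportional share of the victim's funds: once a hop address also receives money from elsewhere, attribution becomes a proper taint-analysis problem, which is exactly the ambiguity multi-hop and cross-chain routing is designed to create. The `max_hops` limit is what keeps a fan-out pattern from exploding the search.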
Countermeasures
In extreme scenarios involving threats to personal safety, relying on multi-signature wallets or split seed phrases is impractical: attackers often read this as refusal to cooperate, which escalates the violence. Against wrench attacks a more prudent strategy is to "give something up, but keep the loss bounded":
Set up a decoy wallet: prepare an account that looks like your main wallet but holds only a small amount of assets, so that it can be handed over as a controlled loss when in danger.
Household security management: family members need to know roughly where assets are kept and how to coordinate a response; agree on a code word that signals danger in an abnormal situation; and harden the security settings of home devices and the physical security of the residence.
Avoid identity exposure: do not flaunt wealth or post transaction records on social platforms; do not reveal your crypto holdings in real life; and manage what you share on WeChat Moments so that acquaintances cannot leak information. The most effective protection is to make sure nobody knows you are a target worth attacking.
Closing thoughts
With the rapid development of the crypto industry, Know Your Customer (KYC) and Anti-Money Laundering (AML) systems play a key role in improving financial transparency and preventing illicit capital flows. Their implementation still faces many challenges, however, particularly around data security and user privacy: the large amount of sensitive information (identity documents, biometric data and so on) that platforms collect to meet regulatory requirements can become an attacker's way in if it is not properly protected.
We therefore recommend layering a dynamic risk identification system onto the traditional KYC process to reduce unnecessary data collection and the risk of leaks. Platforms can also integrate one-stop AML and tracing platforms such as MistTrack to help identify suspicious transactions and improve risk control at the source. Building data security capability is equally indispensable: with SlowMist's red team testing service (https://cn.slowmist.com/service-red-teaming.html), a platform can obtain realistic attack simulation and a comprehensive evaluation of the exposure paths and risk points for its sensitive data.