How Fast Are Crypto Wrench Attacks Rising?
Crypto-related wrench attacks are rising sharply in 2026, with victims losing about $101 million in the first 4 months of the year, according to CertiK. The firm said it has verified 34 incidents globally so far this year, a 41% increase from the same period in 2025.
Wrench attacks refer to physical assaults, kidnappings, and extortion attempts designed to force victims to transfer crypto assets. The threat has become harder to contain because physical coercion can bypass even strong software security, including hardware wallets, multi-factor authentication, and custody controls.
CertiK said 2025 was the most active year on record for crypto-related physical attacks, with about 70 reported cases. The real number is likely higher because many victims may avoid reporting incidents due to fear, privacy concerns, or exposure of their holdings.
Why Is Europe Seeing the Highest Concentration?
Europe accounts for the bulk of verified attacks in 2026. CertiK said 28 of the 34 incidents this year, or 82%, occurred in Europe, while reported cases in the US and Asia fell from prior-year levels.
France remains the main hotspot. CertiK recorded 24 assaults in the country so far this year, already above the 20 incidents reported throughout 2025. The country has drawn attention following the kidnapping and torture of Ledger co-founder David Balland and his wife, which prompted the French Ministry of the Interior to meet with crypto industry leaders over safety concerns.
CertiK pointed to several factors behind the concentration in France, including the presence of major crypto firms, repeated data leaks, and public displays of wealth or identity within parts of the crypto community.
Investor Takeaway
How Are Attackers Choosing Their Targets?
CertiK said attackers are moving toward a data-driven targeting model. Instead of relying only on physical surveillance, criminals are buying victim information such as names, home addresses, and financial profiles from online brokers.
The firm said attackers often work through small local teams of 3 to 5 people, recruited through platforms such as Telegram or Snapchat, while organizers may operate from abroad. CertiK identified Morocco, Dubai, and Eastern Europe as common locations for coordinators.
“They purchase data lists, commission coordinators, and receive funds before laundering them,” CertiK said.
The methods used on the ground remain familiar. CertiK said attackers continue to rely on fake delivery personnel, fake police officers, fictitious business meetings, and fake OTC deals to gain access to victims.
Investor Takeaway
Why Are Families Becoming Part of the Risk?
CertiK said attackers are increasingly targeting proxies, including spouses, children, and elderly parents, to pressure primary targets into transferring funds. More than half of this year’s incidents involved a family member either as a direct victim or as leverage.
This expands the threat beyond traders and founders to their households. It also makes the risk more difficult to manage, because attackers may target people with less knowledge of crypto security or fewer personal protections.
The trend shows that crypto crime is no longer limited to smart contract exploits, phishing, or exchange hacks. As onchain wealth becomes easier to identify and personal data becomes easier to buy, physical extortion is becoming a parallel threat for the sector.
For investors and operators, the lesson is blunt: custody design, wallet security, and onchain privacy matter, but they are incomplete without physical security planning.
