Physical Kidnapping: Wrench Attack After Bitcoin's New High

Summary: As the value of crypto assets continues to rise, wrench attacks targeting crypto users have become increasingly frequent. This article will delve into this type of attack method, review typical cases, outline the underlying criminal chain, and propose practical prevention and response suggestions.
SlowMist Technology
2025-07-08 14:27:53
Author: SlowMist Technology

Background

In the dark forest of blockchain, we often talk about on-chain attacks, contract vulnerabilities, and hacker intrusions, but an increasing number of cases remind us that risks have spread off-chain.

According to reports from Decrypt and Eesti Ekspress, in a recent court hearing, crypto billionaire and entrepreneur Tim Heath recounted a failed kidnapping attempt he experienced last year. The attackers tracked his movements using GPS, forged passports, and disposable phones, and attacked him from behind as he was going upstairs, attempting to suffocate him with a bag and subdue him. Heath managed to escape after biting off a piece of one attacker's finger.

As the value of crypto assets continues to rise, wrench attacks targeting crypto users are becoming more frequent. This article will delve into the methods of such attacks, review typical cases, outline the criminal chain behind them, and propose practical prevention and response suggestions.

[Image: Wrench Attacks on Crypto Users. Source: https://www.binance.com/en/blog/security/binance-physical-security-team-on-how-to-avoid-the-threat-of-reallife-attacks-634293446955246772]

What is a Wrench Attack

"You can have the strongest technical protection, but the attacker just needs a wrench to take you down, and you'll obediently give up your password." The term "$5 wrench attack" first appeared in the webcomic XKCD. It describes attackers who do not use technical means but instead resort to threats, extortion, or even kidnapping to force victims to hand over passwords or assets.

[Image: Wrench Attacks on Crypto Users. Source: https://xkcd.com/538/]

Review of Typical Kidnapping Cases

Since the beginning of this year, kidnapping cases targeting crypto users have been frequent, with victims including core members of projects, KOLs, and even ordinary users. In early May, French police successfully rescued the father of a cryptocurrency millionaire who had been kidnapped. The kidnappers demanded a ransom of several million euros and brutally severed his finger to pressure the family.

Similar cases had already emerged earlier in the year: In January, Ledger co-founder David Balland and his wife were attacked at home by armed assailants, who also cut off his finger and filmed a video demanding a payment of 100 bitcoins. In early June, a man with dual French and Moroccan nationality, Badiss Mohamed Amide Bajjou, was arrested in Tangier. According to Barron's, he is suspected of planning multiple kidnappings of French cryptocurrency entrepreneurs. The French Minister of Justice confirmed that the suspect was wanted by Interpol for "kidnapping and illegal detention of hostages." Moreover, Bajjou is suspected of being one of the masterminds behind the kidnapping of Ledger's co-founder.

Another shocking case occurred in New York. Italian crypto investor Michael Valentino Teofrasto Carturan was lured to a villa, where he was held captive and tortured for three weeks. The criminal gang used chainsaws, electric shock devices, and drugs to threaten him, even hanging him from the top of a high building to force him to give up his wallet's private key. The assailants were "insiders," who accurately identified their target through on-chain analysis and social media tracking.

[Image: Badiss Mohamed Amide Bajjou]

In mid-May, the daughter and young grandson of Pierre Noizat, co-founder of Paymium, narrowly escaped being forcibly dragged into a white van on the streets of Paris. According to Le Parisien, Noizat's daughter fought back fiercely, and a passerby used a fire extinguisher to smash the van, forcing the kidnappers to flee.

These cases indicate that, compared to on-chain attacks, offline violent threats are more direct and efficient, and have a lower barrier to entry. The attackers are often young, aged between 16 and 23, with a basic understanding of crypto. According to data released by the French prosecution, several minors have been formally charged for their involvement in such cases.

In addition to publicly reported cases, the SlowMist security team has also noticed that some users have been physically controlled or coerced during offline transactions, resulting in asset losses.

Furthermore, there are some "non-violent coercion" incidents that did not escalate into physical violence. For example, attackers threaten victims by exploiting knowledge of their private information, whereabouts, or other leverage to force them to transfer funds. Although these situations do not cause direct physical harm, they border on personal threats, and whether they fall under the category of "wrench attacks" is still worth further discussion.

It is important to emphasize that the disclosed cases may only be the tip of the iceberg. Many victims choose to remain silent for fear of retaliation, of law enforcement declining to take up the case, or of exposing their identities, making it difficult to accurately assess the true scale of off-chain attacks.

Analysis of the Criminal Chain

A research team from the University of Cambridge published a paper in 2024 titled "Investigating Wrench Attacks: Physical Attacks Targeting Cryptocurrency Users," which systematically analyzes cases of violence and coercion (wrench attacks) faced by crypto users worldwide, revealing the attack patterns and defense challenges in depth. The following image is a translated version of the original figure from the paper for reference; the original figure can be found at https://www.repository.cam.ac.uk/items/d988e10f-b751-408a-a79e-54f2518b3e70.

[Figure: translated version of the figure from the Cambridge paper]

Based on multiple typical cases, we summarize the criminal chain of wrench attacks, which generally includes the following key links:

1. Information Locking

Attackers typically start with on-chain information, combining transaction behaviors, tagged data, NFT holdings, etc., to preliminarily assess the target's asset scale. At the same time, Telegram group chats, X (Twitter) posts, KOL interviews, and even some leaked data also become important auxiliary intelligence sources.

2. Real-World Location and Contact

After identifying the target's identity, attackers will attempt to obtain their real-world identity information, including residence, frequently visited places, and family structure. Common methods include:

  • Inducing the target to disclose information on social platforms;
  • Using publicly registered information (such as ENS-bound emails, domain registration information) for reverse lookup;
  • Conducting reverse searches using leaked data;
  • Tracking or using false invitations to bring the target into a controlled environment.

3. Violent Threats and Extortion

Once the target is controlled, attackers often resort to violent means to force them to hand over wallet private keys, recovery phrases, and two-factor authentication permissions. Common methods include:

  • Beating, electric shocks, limb severing, and other physical harm;
  • Coercing the victim to perform transfers;
  • Threatening relatives and demanding that family members transfer funds on their behalf.

4. Money Laundering and Fund Transfer

After obtaining the private keys or recovery phrases, attackers typically quickly transfer assets using methods such as:

  • Using mixers to obscure the source of funds;
  • Transferring to controlled addresses or non-compliant centralized exchange accounts;
  • Cashing out assets through OTC channels or black markets.

Some attackers have a background in blockchain technology and are familiar with on-chain tracking mechanisms, deliberately creating multi-hop paths or cross-chain obfuscation to evade tracking.

Response Measures

Using multi-signature wallets or dispersing recovery phrases is often impractical in extreme scenarios involving personal threats, as attackers may interpret refusal to cooperate as a challenge, escalating violent behavior. A more prudent strategy against wrench attacks should be "give something, but keep losses controllable":

  • Set up a decoy wallet: Prepare an account that appears to be the main wallet but contains only a small amount of assets, to be handed over in dangerous situations so that losses stay limited.
  • Family safety management: Family members should understand the basics of asset locations and response cooperation; establish a safety word to signal danger in unusual situations; strengthen the security settings of home devices and the physical security of the residence.
  • Avoid identity exposure: Refrain from flaunting wealth or sharing transaction records on social platforms; avoid disclosing crypto asset holdings in real life; manage social circle information to prevent leaks from acquaintances. The most effective protection is always to make people "unaware that you are a target worth monitoring."