Dark Undercurrents: Kidnappings Rise as Crypto Hits New Highs

https://www.binance.com/en/blog/security/binance-physical-security-team-on-how-to-avoid-the-threat-of-reallife-attacks-634293446955246772

What Is a Wrench Attack?

“You can have top-notch technical protection, but an attacker only needs a $5 wrench to beat you up until you hand over the password.”

This vivid concept of the “$5 wrench attack” comes from a comic by XKCD. It refers to situations where attackers bypass technical security entirely and instead use coercion, threats, or physical violence — such as kidnapping — to force victims to surrender their passwords or assets.

https://xkcd.com/538/

A Review of Notable Kidnapping Cases

So far in 2025, there’s been a spike in kidnappings targeting crypto users — including project founders, KOLs, and even ordinary holders.

In early May, French police rescued the father of a crypto millionaire. The kidnappers had demanded millions of euros in ransom and brutally cut off his finger to pressure the family.

This trend began even earlier in the year. In January, Ledger co-founder David Balland and his wife were violently assaulted in their home. The intruders severed Balland’s finger and recorded a video demanding 100 BTC as ransom.

In June, a dual French-Moroccan national, Badiss Mohamed Amide Bajjou, was arrested in Tangier. According to Barron’s, he is suspected of masterminding multiple kidnapping attempts targeting French crypto entrepreneurs. The French Ministry of Justice confirmed that Bajjou is wanted by Interpol for “kidnapping and unlawful hostage detention” and is believed to be one of the main perpetrators in the Ledger case.

Another chilling case unfolded in New York, where Italian crypto investor Michael Valentino Teofrasto Carturan was lured to a villa and subjected to three weeks of captivity and torture. The attackers used chainsaws, electric shocks, and drugs to intimidate him, even suspending him from the roof of a tall building to force the disclosure of his private keys. The criminals were reportedly “insiders” who had used on-chain analysis and social media tracking to select their target with precision.

In mid-May, in Paris, Pierre Noizat, co-founder of Paymium, almost lost his daughter and young grandson when they were nearly dragged into a white van. Le Parisien reported that the daughter resisted fiercely, and a passerby smashed the vehicle with a fire extinguisher, forcing the attackers to flee.

These cases demonstrate that physical attacks are often more direct, efficient, and low-barrier than on-chain exploits. Most perpetrators are young, typically aged 16 to 23, and possess basic crypto knowledge. According to the French prosecutor’s office, several minors have already been formally charged for involvement in such crimes.

Beyond publicized incidents, the SlowMist Security Team has also identified several cases from user-submitted forms, where victims were coerced or controlled during in-person crypto transactions, resulting in significant losses.

There are also cases of “non-violent coercion” — where attackers threaten victims based on knowledge of their whereabouts, privacy, or blackmail material, compelling them to transfer funds without physical harm. While these do not involve overt violence, they still border on personal security threats, raising the question of whether they fall under the category of wrench attacks.

It’s worth emphasizing that public cases are likely just the tip of the iceberg. Many victims remain silent due to fear of retaliation, lack of law enforcement support, or concerns about privacy — making it difficult to assess the full scale of such attacks.

Anatomy of a Criminal Chain

In 2024, a research team from Cambridge University published a paper titled “Investigating Wrench Attacks: Physical Attacks Targeting Cryptocurrency Users”, which systematically analyzes global cases of violent coercion against crypto users. The study offers deep insights into attack patterns and the inherent challenges in defending against such threats.

The following diagram is taken from the paper for reference.

Key stages of the criminal chain in wrench attacks include:

1. Target Identification

Attackers usually start with on-chain data — trading history, wallet labels, NFT ownership, etc. — to estimate a potential victim’s asset size. They supplement this with intelligence from:

  • Telegram group chats
  • X (Twitter) posts and interviews
  • Leaked data

2. Real-World Location & Contact

Once a target is identified, attackers try to gather real-world identity info — residential address, frequent hangouts, family structure — through methods like:

  • Social engineering on platforms to elicit personal info
  • Reverse lookup via public registry data (e.g., ENS-linked emails, domain records)
  • Leaked databases
  • Tracking or fake event invitations to lure victims into controlled environments

3. Physical Coercion & Extortion

Upon securing physical control, attackers typically use violent threats to extract private keys, seed phrases, or 2FA permissions:

  • Physical abuse (beating, electric shocks, mutilation)
  • Forcing victims to manually process transfers
  • Threatening or harming family members to pressure cooperation

4. Laundering & Asset Transfer

Once access is gained, the attackers move fast:

  • Use of mixers to obscure origin
  • Transfer to compromised CEX accounts
  • Offloading via OTC desks or dark markets

Some attackers are technically savvy and use multi-hop or cross-chain transactions to evade traceability.

Defense Strategies

Advanced protections like multisig wallets or fragmented seed phrases are often ineffective during physical attacks — and may be perceived as resistance, potentially escalating the violence. A more pragmatic approach is “give something up, but control the damage.”

Decoy Wallets

Prepare a wallet that appears to be your main account but holds only a small, sacrificial amount. It serves as a “stop-loss offering” in dangerous scenarios.

Family Security Protocols

  • Make sure close family members know the basics of your asset storage and how to respond under pressure.
  • Use code words to signal distress.
  • Secure your home physically and digitally.

Avoiding Identity Exposure

  • Don’t show off wealth or post transaction records online.
  • Avoid revealing crypto ownership in daily life.
  • Keep your personal circles tight and cautious.

The most effective protection is simply not being perceived as a valuable target.

Final Thoughts

As the crypto industry matures, KYC (Know Your Customer) and AML (Anti-Money Laundering) systems have played a vital role in improving transparency and curbing illicit flows. However, implementation still faces hurdles — especially around data privacy and security.

Platforms often collect large volumes of sensitive information (identity docs, biometric data, etc.) to comply with regulations. If not well-protected, this trove becomes a prime target for attackers.

We recommend enhancing traditional KYC procedures with dynamic risk scoring to reduce unnecessary data collection and mitigate leakage risks. Platforms can also integrate tools like MistTrack for AML monitoring and suspicious transaction tracking to boost compliance from the ground up.

At the same time, data security infrastructure is essential. Services like SlowMist’s red team testing can help simulate real-world attacks, assess exposure points, and uncover vulnerabilities in sensitive data handling.

Looking ahead, striking the balance between regulatory compliance, technical resilience, and data governance will be the cornerstone of effective AML efforts. SlowMist looks forward to collaborating with more industry players to build a safer, more robust blockchain ecosystem.
