Author: Slow Mist Technology

Background

In the dark forest of blockchain, we often talk about on-chain attacks, contract vulnerabilities, and hacker intrusions, but an increasing number of cases remind us that risks have spread off-chain.

According to reports from Decrypt and Eesti Ekspress, in a recent court hearing, crypto billionaire and entrepreneur Tim Heath recounted a kidnapping attempt he faced last year. The attackers tracked his movements using GPS, forged passports, and disposable phones, launching an attack from behind as he went upstairs, attempting to suffocate him with a bag and forcibly control him. Heath managed to escape after biting off a portion of one attacker's finger.

As the value of crypto assets continues to rise, wrench attacks targeting crypto users are becoming more frequent. This article will delve into the methods of such attacks, review typical cases, outline the criminal chain behind them, and propose practical prevention and response suggestions.

(https://www.binance.com/en/blog/security/binance-physical-security-team-on-how-to-avoid-the-threat-of-reallife-attacks-634293446955246772)

What is a Wrench Attack?

"You can have the strongest technical protection, but the attacker only needs a wrench to knock you down, and you'll obediently give up your password." The term $5 Wrench Attack first appeared in the webcomic XKCD, where attackers do not use technical means but instead employ threats, extortion, or even kidnapping to force victims to surrender their passwords or assets.

(https://xkcd.com/538/)

Review of Typical Kidnapping Cases

Since the beginning of this year, kidnapping cases targeting crypto users have been frequent, with victims including core members of projects, KOLs, and even ordinary users. In early May, French police successfully rescued the father of a cryptocurrency millionaire who had been kidnapped. The kidnappers demanded a ransom of several million euros and cruelly severed his finger to pressure the family.

Similar cases had already emerged earlier in the year: In January, Ledger co-founder David Balland and his wife were attacked at home by armed assailants, who also severed his finger and filmed a video demanding a payment of 100 bitcoins. In early June, a man with dual French and Moroccan nationality, Badiss Mohamed Amide Bajjou, was arrested in Tangier. According to Barrons, he is suspected of planning multiple kidnappings of French cryptocurrency entrepreneurs. The French Minister of Justice confirmed that this suspect is wanted by Interpol for "kidnapping, illegal detention of hostages," and he is suspected of being one of the masterminds behind the kidnapping of Ledger's co-founder.

Another shocking case occurred in New York. Italian crypto investor Michael Valentino Teofrasto Carturan was lured to a villa, where he was held captive and tortured for three weeks. The criminal gang used chainsaws, electric shock devices, and drugs to threaten him, even suspending him from the top of a high building to force him to surrender his wallet's private key. The assailants were "insiders," who accurately targeted him through on-chain analysis and social media tracking.

In mid-May, the daughter and young grandson of Paymium co-founder Pierre Noizat were nearly forcibly dragged into a white van on the streets of Paris. According to Le Parisien, Noizat's daughter fought back fiercely, and a passerby used a fire extinguisher to smash the van, forcing the kidnappers to flee.

These cases indicate that compared to on-chain attacks, offline violent threats are more direct, efficient, and have a lower threshold. The attackers are often young, aged between 16 and 23, and possess basic knowledge of cryptocurrency. According to data released by the French prosecution, several minors have been formally charged for involvement in such cases.

In addition to publicly reported cases, the Slow Mist security team has also noticed that some users have encountered control or coercion during offline transactions, leading to asset losses.

Moreover, there are some "non-violent coercion" incidents that did not escalate to physical violence. For example, attackers threaten victims by leveraging their privacy, whereabouts, or other leverage to force them to transfer funds. Although such situations do not cause direct harm, they touch upon personal threat boundaries, and whether they fall under the category of "wrench attacks" remains a topic for further discussion.

It is important to emphasize that the disclosed cases may only be the tip of the iceberg. Many victims choose to remain silent due to fears of retaliation, unresponsive law enforcement, or exposure of their identities, making it difficult to accurately assess the true scale of off-chain attacks.

Analysis of the Criminal Chain

A research team from the University of Cambridge published a paper in 2024 titled "Investigating Wrench Attacks: Physical Attacks Targeting Cryptocurrency Users," which systematically analyzed cases of violent coercion (wrench attacks) faced by crypto users worldwide, revealing attack patterns and defense challenges. The following image is a translated version of the original figure from the paper, for reference; the original figure can be found at https://www.repository.cam.ac.uk/items/d988e10f-b751-408a-a79e-54f2518b3e70.

Based on multiple typical cases, we summarize the criminal chain of wrench attacks, which generally includes the following key links:

1. Information Locking

Attackers typically start with on-chain information, combining transaction behavior, tag data, NFT holdings, etc., to preliminarily assess the target's asset scale. At the same time, Telegram group chats, X (Twitter) posts, KOL interviews, and even some leaked data become important auxiliary intelligence sources.

2. Real-World Location and Contact

Once the target's identity is confirmed, attackers will attempt to obtain their real-world identity information, including residence, frequently visited places, and family structure. Common methods include:

• Inducing the target to disclose information on social platforms;
• Using publicly registered information (such as ENS-bound emails, domain registration information) for reverse lookup;
• Conducting reverse searches using leaked data;
• Tracking or using false invitations to draw the target into a controlled environment.

3. Violent Threats and Extortion

Once the target is controlled, attackers often resort to violent means to force them to surrender their wallet's private keys, recovery phrases, and two-factor authentication permissions. Common methods include:

• Physical harm such as beating, electric shocks, or limb severing;
• Coercing the victim to perform a transfer;
• Threatening relatives and demanding family members to transfer funds on their behalf.

4. Money Laundering and Fund Transfer

After obtaining the private keys or recovery phrases, attackers typically quickly transfer the assets using methods such as:

• Using mixers to obscure the source of funds;
• Transferring to controlled addresses or non-compliant centralized exchange accounts;
• Cashing out assets through OTC channels or the black market.

Some attackers have a background in blockchain technology and are familiar with on-chain tracking mechanisms, deliberately creating multi-hop paths or cross-chain obfuscation to evade tracking.

Response Measures

Using multi-signature wallets or distributing recovery phrases is often impractical in extreme scenarios involving personal threats, as attackers may view such actions as refusal to cooperate, further escalating violent behavior. A more prudent strategy against wrench attacks should be "give something, and ensure the loss is controllable":

• Set up a decoy wallet: Prepare an account that appears to be the main wallet but only contains a small amount of assets, to be used for "loss-limiting feeding" in dangerous situations.
• Family safety management: Family members should understand the basic knowledge of asset location and response cooperation; set up a safety word to convey danger signals in unusual situations; strengthen the security settings of home devices and physical security of the residence.
• Avoid identity exposure: Refrain from flaunting wealth or sharing transaction records on social platforms; avoid disclosing crypto asset holdings in real life; manage social circle information to prevent leaks from acquaintances. The most effective protection is always to make people "not know you are a target worth watching."

免责声明：本文章仅代表作者个人观点，不代表本平台的立场和观点。本文章仅供信息分享，不构成对任何人的任何投资建议。用户与作者之间的任何争议，与本平台无关。如网页中刊载的文章或图片涉及侵权，请提供相关的权利证明和身份证明发送邮件到support@aicoin.com，本平台相关工作人员将会进行核查。