Physical attacks aimed at extorting cryptocurrency holders, known as wrench attacks, generated global losses of $101 million during the first four months of 2026. According to a report published on May 8, 2026, by the security firm CertiK, 34 verified incidents were documented worldwide during this timeframe.
Europe currently concentrates 82% of these events, marking a drastic geographic shift from the operational trends observed in Asia and North America during previous years. The current losses nearly double the $52.2 million recorded throughout the entirety of 2025.
The report underscores a structural conclusion for the ecosystem: the continuous improvement in the security of hardware wallets and centralized exchange platforms is forcing criminal networks to change their strategy. While historical digital thefts exploit code vulnerabilities in decentralized protocols through cyberattacks, the focus of wrench attacks centers exclusively on the vulnerability of the human link.
Perpetrators employ private property invasion, kidnapping, and direct coercion to force victims into transferring funds or revealing their seed phrases, eliminating the technical need to breach the networks’ cryptography.
Incident concentration in France and data leak impact
France reports the highest incidence of physical extortions in 2026. CertiK data identifies 24 attacks executed in the country since January. Meanwhile, the French National Prosecutor’s Office for Organized Crime counts 47 open judicial proceedings for similar extortion crimes within the same four-month period. This high concentration aligns with the operational and fiscal presence of key industry companies in French cities, including firms like Ledger, Paymium, and Binance, which increases the population density of executives with direct exposure to digital assets.
The execution of these crimes relies increasingly on the prior collection of exposed personal information, establishing a data-driven targeting model. In January 2026, a breach at the cryptocurrency accounting firm Waltio exposed user profiles, an event that was documented in its official security notice.
Compounding these corporate failures are severe institutional vulnerabilities, such as the ongoing legal process against French tax official Ghalia C, who is accused of selling asset ownership records and residential addresses of taxpayers to criminal groups. According to analysts, this level of data access eliminates the need for physical surveillance, as attackers already possess the target’s exact financial profile before the assault.
Operational structure of criminal networks
The planning and execution of the extortions follow a highly segmented pattern. The masterminds frequently operate from jurisdictions outside the target country and hire local teams consisting of three to five individuals to carry out the physical assault. The analysis detailing the rise in violent crime published by TRM Labs in May 2025 indicates that the perception of pseudo-anonymity in blockchain transfers and the public display of wealth on social media facilitate the identification of victims by these organizations.
Assault teams often utilize social engineering and impersonation to gain access to victims’ homes. Police reports indicate that aggressors frequently present themselves disguised as parcel delivery drivers or law enforcement officers, or orchestrate ambushes under the pretext of investment meetings.
CertiK notes that the physical perpetrators of the assaults are recruited on forums and encrypted messaging platforms. These individuals operate in exchange for fixed fees of a few thousand dollars per operation and lack prior connections to one another. During April 2026, authorities in France prosecuted 88 individuals involved in physical thefts, 10 of whom were minors, a legal tactic used to evade severe prison sentences.
Incident projections and historical tracking
A new trend we're seeing in bitcoin wrench attacks this year: 4 of them have been cases of mistaken identity / outdated intel and the victims didn't actually have any cryptocurrency. pic.twitter.com/3cJpNMVm7v
— Jameson Lopp (@lopp) March 11, 2026
Independent tracking confirms the upward trend reported by blockchain security firms. The open database documenting physical attacks on holders maintained by Casa’s chief security officer, Jameson Lopp, records 31 incidents of this nature over the course of 2026. The compilation of tactical information also reveals operational flaws in the criminals’ intelligence. In March, the specialist reported via his official X account that four of the cases tracked this year resulted in assaults on the wrong individuals due to identification errors in the stolen databases.
The security firm concludes that as long as crypto-asset holdings remain associated with identifiable financial data, physical coercion will remain the most rational attack path for criminals. If the frequency documented in the first four months sustains its growth rate, CertiK estimates project a scenario of 130 attacks by late 2026. The complete report featuring the final annual balance and the updated security metrics will be published by the auditing firm at the close of the fiscal year in December.
This article is for informational purposes and does not constitute financial advice.
