Crypto security firm CertiK estimates that cryptocurrency holders lost approximately $101 million from wrench attacks during the first four months of 2026, representing a 41% increase in verified incidents compared to the same period in 2025. If the trend continues at this rate, losses could reach several hundred million dollars for the full year 2026.
Wrench attacks—a cybersecurity term for physical assaults and extortion attempts that overcome software security systems—have become an “established threat vector for cryptocurrency holders,” according to CertiK. The firm verified 34 global incidents in early 2026, compared to approximately 70 physical assaults reported throughout 2025, though many attacks likely go unreported due to their nature.
Geographic Distribution and European Concentration
Notably, 28 of the 34 incidents (82%) occurred in Europe, marking a significant geographic shift. France remains the epicenter, with 24 assaults recorded in 2025 alone, dominating “the country-by-country breakdown by a wide margin,” CertiK noted. This compares to 20 assaults throughout 2024. In contrast, reported threats in the U.S. during the first quarter fell to three from nine in 2025, and in Asia to two from 25.
CertiK identified several factors driving the concentration in France, including the presence of flagship companies like Ledger and Binance, a high number of data leaks targeting the country, and “the culture of flexing and voluntary doxxing that remains deeply embedded in the community.” The issue gained prominence following the 2024 kidnapping and torture of Ledger co-founder David Balland and his wife, prompting France’s Interior Ministry to meet with crypto industry leaders to discuss safety concerns.
Attacker Organization and Recruitment
CertiK identified an emerging pattern in attacker organization: small teams of 3 to 5 people, often young, are frequently recruited via Telegram or Snapchat to operate as ground crews. Orchestrators, meanwhile, are often based abroad in locations such as Morocco, Dubai, and Eastern Europe.
The firm noted a recent shift toward a “data-driven targeting” model that minimizes the need for physical surveillance. Attackers now purchase victim information—including full names, home addresses, and financial profiles—from online brokers. “They purchase data lists, commission coordinators, and receive funds before laundering them,” CertiK stated.
Targeting Family Members as Pressure Leverage
A significant trend involves attackers increasingly targeting “proxies” rather than primary victims. More than half of the incidents this year involved “a member of the primary target’s family (spouse, child, elderly parent), either as a direct victim or as a pressure lever,” CertiK reported.
Access Methods Remain Consistent
While attackers employ sophisticated data acquisition and coordination strategies, on-the-ground access techniques remain largely unchanged from 2025. “Access techniques remain broadly the same as in 2025, with a strong persistence of the Doorbell Vector (delivery personnel, fake police officers, etc.) and the Honeypot (fictitious business meetings, fake OTC deals, etc.),” CertiK wrote.
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
