Crypto Wrench Attacks Surge 41% in 2026, Targeting Family Members

CryptoFrontier

Crypto security firm CertiK estimates that cryptocurrency holders lost approximately $101 million to wrench attacks in the first four months of 2026. If the trend continues at this rate, losses for the full year 2026 would reach hundreds of millions of dollars.

Wrench attacks—a term used in cybersecurity for physical assaults and extortion attempts that overcome software security systems—have become an “established threat vector for cryptocurrency holders,” CertiK wrote. Experts identified 2025 as the most active year on record for crypto-related wrench attacks, with approximately 70 physical assaults reported, though many likely go unreported due to the nature of these crimes.

2026 Attack Surge and Geographic Concentration

CertiK reported 34 verified wrench attack incidents globally in the first months of 2026, representing a 41% increase from the same period in 2025. Extrapolated across the full year, this equates to an estimated 130 incidents and several hundred million dollars in projected losses.

Geographically, 28 out of 34 attacks (82%) occurred in Europe. Meanwhile, reported threats in the U.S. during the first quarter fell to three, compared to nine in 2025, and in Asia declined to two from 25, according to CertiK.

France as Primary Target

France remains the focal point for wrench attacks, with 24 assaults recorded in 2025—an increase from 20 throughout the previous year, which already “dominated the country-by-country breakdown by a wide margin,” according to the source.

The French Ministry of the Interior met with crypto industry leaders in the country to discuss safety concerns following the high-profile kidnapping and torture of Ledger co-founder David Balland and his wife.

CertiK identified several factors influencing the rate of attacks in France: the presence of flagship industry companies like Ledger and Binance, a high number of data leaks targeting the country, and the “culture of flexing and voluntary doxxing that remains deeply embedded in the community.”

Attack Methodology and Perpetrator Profiles

CertiK documented an emerging pattern in wrench attack operations. Small teams of 3 to 5 people, often young, are frequently recruited via Telegram or Snapchat to operate as ground crews. Orchestrators, meanwhile, are often based abroad in locations such as Morocco, Dubai, and Eastern Europe.

A significant shift has emerged toward “data-driven targeting,” which minimizes the need for physical surveillance by purchasing victim information—including full names, home addresses, and financial profiles—from online brokers. “They purchase data lists, commission coordinators, and receive funds before laundering them,” CertiK noted.

Targeting Family Members and Access Techniques

Attackers are increasingly targeting “proxies,” with more than half of incidents this year involving a “member of the primary target’s family (spouse, child, elderly parent), either as a direct victim or as a pressure lever,” according to CertiK.

Despite the shift to online tools for victim profiling, on-the-ground access techniques remain largely unchanged from 2025. “Access techniques remain broadly the same as in 2025, with a strong persistence of the Doorbell Vector (delivery personnel, fake police officers, etc.) and the Honeypot (fictitious business meetings, fake OTC deals, etc.),” CertiK wrote.
