Author: SlowMist Technology
Background
In the dark forest of blockchain, we often talk about on-chain attacks, contract vulnerabilities, and hacker intrusions, but an increasing number of cases remind us that risks have spread off-chain.
According to reports from Decrypt and Eesti Ekspress, during a recent court hearing, crypto billionaire and entrepreneur Tim Heath recounted a kidnapping attempt he faced last year. The attackers tracked his movements using GPS, forged passports, and disposable phones, launching an attack from behind as he went upstairs, attempting to suffocate him with a bag and forcibly control him. Heath managed to escape after biting off a portion of one attacker's finger.
As the value of crypto assets continues to rise, wrench attacks targeting crypto users are becoming more frequent. This article will delve into the methods of such attacks, review typical cases, outline the criminal chain behind them, and propose practical prevention and response suggestions.
(https://www.binance.com/en/blog/security/binance-physical-security-team-on-how-to-avoid-the-threat-of-reallife-attacks-634293446955246772)
What is a Wrench Attack?
"You can have the strongest technical protection, but the attacker only needs a wrench to knock you down, and you'll obediently give up your password." The term $5 Wrench Attack first appeared in the webcomic XKCD, where attackers do not use technical means but instead employ threats, extortion, or even kidnapping to force victims to surrender their passwords or assets.
(https://xkcd.com/538/)
Review of Typical Kidnapping Cases
Since the beginning of this year, kidnapping cases targeting crypto users have been on the rise, with victims including core members of projects, KOLs, and even ordinary users. In early May, French police successfully rescued the father of a cryptocurrency millionaire who had been kidnapped. The kidnappers demanded a ransom of several million euros and cruelly severed his finger to pressure the family.
Similar cases had already emerged earlier in the year: In January, Ledger co-founder David Balland and his wife were attacked at home by armed assailants, who also cut off his finger and filmed a video demanding a payment of 100 bitcoins. In early June, a man with dual French and Moroccan nationality, Badiss Mohamed Amide Bajjou, was arrested in Tangier. According to Barrons, he is suspected of planning multiple kidnappings of French cryptocurrency entrepreneurs. The French Minister of Justice confirmed that the suspect was wanted by Interpol for "kidnapping, illegal detention of hostages," and Bajjou is suspected to be one of the masterminds behind the kidnapping of Ledger's co-founder.
Another shocking case occurred in New York. Italian crypto investor Michael Valentino Teofrasto Carturan was lured to a villa, where he was held captive and tortured for three weeks. The criminal gang used chainsaws, electric shock devices, and drugs to threaten him, even hanging him from the top of a high building to force him to surrender his wallet's private key. The assailants were "insiders," who accurately targeted him through on-chain analysis and social media tracking.
In mid-May, the daughter and young grandson of Paymium co-founder Pierre Noizat were nearly forcibly dragged into a white van on the streets of Paris. According to Le Parisien, Noizat's daughter fought back fiercely, and a passerby used a fire extinguisher to smash the van, forcing the kidnappers to flee.
These cases indicate that compared to on-chain attacks, offline violent threats are more direct, efficient, and have a lower threshold. The attackers are often young, aged between 16 and 23, and possess basic knowledge of cryptocurrency. According to data released by the French prosecution, several minors have already been formally charged for involvement in such cases.
In addition to publicly reported cases, the SlowMist security team has also noticed that some users have encountered control or coercion during offline transactions, leading to asset losses.
Moreover, there are some "non-violent coercion" incidents that have not escalated into physical violence. For example, attackers threaten victims by leveraging their privacy, whereabouts, or other leverage to force them to transfer funds. Although such situations do not cause direct harm, they touch upon personal threat boundaries, and whether they fall under the category of "wrench attacks" is still worth further discussion.
It is important to emphasize that the disclosed cases may only be the tip of the iceberg. Many victims choose to remain silent due to fears of retaliation, law enforcement not taking action, or exposure of their identities, making it difficult to accurately assess the true scale of off-chain attacks.
Analysis of the Criminal Chain
A research team from the University of Cambridge published a paper in 2024 titled "Investigating Wrench Attacks: Physical Attacks Targeting Cryptocurrency Users," which systematically analyzes cases of violent coercion (wrench attacks) faced by global crypto users, revealing attack patterns and defense challenges. The following image is a translated version of the original figure from the paper for reference, original image can be found here.
Based on multiple typical cases, we summarize the criminal chain of wrench attacks, which generally includes the following key links:
1. Information Locking
Attackers typically start with on-chain information, combining transaction behavior, tagged data, NFT holdings, etc., to preliminarily assess the target's asset scale. At the same time, Telegram group chats, X (Twitter) posts, KOL interviews, and even some leaked data become important auxiliary intelligence sources.
2. Real-World Location and Contact
After identifying the target, attackers will attempt to obtain their real-world identity information, including residence, frequently visited places, and family structure. Common methods include:
Inducing the target to disclose information on social platforms;
Using publicly registered information (such as ENS-bound emails, domain registration information) for reverse lookup;
Conducting reverse searches using leaked data;
Tracking or using false invitations to bring the target into a controlled environment.
3. Violent Threats and Extortion
Once the target is controlled, attackers often resort to violent means to force them to surrender their wallet's private keys, recovery phrases, and two-factor authentication permissions. Common methods include:
Beating, electric shocks, limb severing, and other physical harm;
Coercing the victim to perform a transfer;
Threatening relatives and demanding family members to transfer funds on their behalf.
4. Money Laundering and Fund Transfer
After obtaining the private keys or recovery phrases, attackers typically quickly transfer assets using methods such as:
Using mixers to obscure the source of funds;
Transferring to controlled addresses or non-compliant centralized exchange accounts;
Cashing out assets through OTC channels or the black market.
Some attackers possess a background in blockchain technology and are familiar with on-chain tracking mechanisms, deliberately creating multi-hop paths or cross-chain obfuscation to evade tracking.
Countermeasures
Using multi-signature wallets or dispersing recovery phrases is often impractical in extreme scenarios involving personal threats, as attackers may view such actions as refusal to cooperate, further escalating violent behavior. A more prudent strategy against wrench attacks should be "give something, and ensure the loss is controllable":
Set up a decoy wallet: Prepare an account that appears to be the main wallet but only holds a small amount of assets, to be used for "loss-limiting feeding" in dangerous situations.
Family safety management: Family members should understand the basic knowledge of asset location and response cooperation; set up a safety word to convey danger signals in unusual situations; strengthen the security settings of home devices and the physical security of the residence.
Avoid identity exposure: Refrain from flaunting wealth or sharing transaction records on social platforms; avoid disclosing cryptocurrency holdings in real life; manage social circle information to prevent leaks from acquaintances. The most effective protection is always to make people "not know you are a target worth watching."
In Conclusion
With the rapid development of the crypto industry, Know Your Customer (KYC) and Anti-Money Laundering (AML) systems play a crucial role in enhancing financial transparency and preventing illegal fund flows. However, challenges remain in the execution process, especially regarding data security and user privacy. For instance, the large amounts of sensitive information (such as identity, biometric data, etc.) collected by platforms to meet regulatory requirements can become attack vectors if not properly protected.
Therefore, we recommend introducing a dynamic risk identification system based on traditional KYC processes to reduce unnecessary information collection and lower the risk of data breaches. At the same time, platforms can integrate one-stop anti-money laundering and tracking platforms like MistTrack to assist in identifying potential suspicious transactions, thereby enhancing risk control capabilities from the source. On the other hand, building data security capabilities is equally essential. By leveraging SlowMist's red team testing services, platforms can receive simulated attack support in real environments, comprehensively assessing the exposure paths and risk points of sensitive data.
免责声明:本文章仅代表作者个人观点,不代表本平台的立场和观点。本文章仅供信息分享,不构成对任何人的任何投资建议。用户与作者之间的任何争议,与本平台无关。如网页中刊载的文章或图片涉及侵权,请提供相关的权利证明和身份证明发送邮件到support@aicoin.com,本平台相关工作人员将会进行核查。
