CertiK pointed out that wrench attacks—brutal physical assaults aimed at forcing cryptocurrency owners to surrender private keys or digital assets—have evolved into a sophisticated, transnational criminal enterprise. These incidents blend open-source intelligence gathering, social engineering, and outright violence, including kidnappings and extortion (along with other financial crime).
According to blockchain security firm CertiK, the first four months of 2026 have already seen a sharp rise in such cases, underscoring how the human element has become the primary vulnerability in an otherwise hardening blockchain ecosystem.
From January to April 2026, CertiK documented 34 verified wrench attacks worldwide, marking a 41 percent increase from the 24 incidents recorded during the same period in 2025.
The monthly figures reveal a volatile pattern: 13 cases in January, a dip to five in February (likely due to European police crackdowns in late January), a rebound to ten in March, and five in April.
Total estimated losses from ransoms, frozen funds, and other demands reached roughly $101 million. If the pace holds, the full year could surpass 130 attacks and result in losses stretching into the hundreds of millions of dollars.
These numbers, CertiK cautions, represent only the visible tip of an underreported global problem.
Geographically, the threat has shifted dramatically toward Europe, which accounted for 82 percent of incidents (28 out of 34), up from just 39.5 percent for all of 2025. France has emerged as the epicenter, logging 24 cases—more than the entire previous year’s total for the country.
Other affected regions include the United Kingdom, United States, Belgium, Hong Kong, the Philippines, Spain, and Turkey, while attacks in North America and Asia have notably declined.
High-profile cases illustrate the brutality and reach of these operations. In Istanbul, Chinese entrepreneur Yong Wang was kidnapped, robbed of crypto assets, and murdered in January—the first confirmed crypto-related homicide of the year.
In the United States, the 84-year-old mother of journalist Savannah Guthrie was held for a $6 million Bitcoin ransom, highlighting the tactic of targeting family proxies.
In the UK, prominent crypto personality and game developer Sillytuna was overpowered by armed assailants, threatened with violence, and forced to transfer approximately $24 million in assets that were quickly laundered into Monero.
CertiK identifies several emerging patterns. Criminals now rely on “data-driven targeting,” accessing victims’ names, addresses, and financial profiles without traditional surveillance.
Common entry methods include the “Doorbell Vector” (impersonating delivery workers or police) and “Honeypot” schemes (fake business meetings or OTC deals).
More than half of French incidents involved family members—spouses, children, or elderly parents—used as leverage.
Alarmingly, authorities in France indicted 88 suspects in late April, including more than ten minors, on charges ranging from kidnapping to money laundering.
The root causes, according to CertiK, lie in Europe’s concentrated crypto ecosystem.
France hosts major firms such as Ledger and Binance, alongside a culture of voluntary doxxing and high-profile data breaches.
Leaks from government databases, including tax records exposing crypto holdings, have been exploited by insiders and sold to criminal networks.
As on-chain security improves through better protocols and wallets, attackers are rationally pivoting to physical coercion—the weakest remaining link.
CertiK’s analysis paints a rather concerning picture: what began as an edge-case threat in 2025 has become a structural risk. Until the connection between identifiable personal data and crypto holdings is severed, organized groups will continue viewing wrench attacks as the most efficient path to illicit gains.