The $24 Million Heist Behind It: The Most Dangerous Vulnerability in the Crypto World is Actually Human
Original Article Title: "Violence, Kidnapping, and $24 Million: Cryptocurrency Holder Falls Victim to Wrench Attack"
Original Article Author: ChandlerZ, Foresight News
“Battered and bruised, I fought as best I could, but my limbs were injured, my ax was broken, and there was little I could do.”
On March 5, 2026, cryptocurrency influencer sillytuna posted a very brief tweet revealing a recent violent attack, resulting in the loss of around $24 million worth of AUSD stablecoin. The incident involved violence, weapons, kidnapping, and threats of assault. Law enforcement is currently involved.
Sillytuna was the previous owner of Punk #7523 (commonly known as the "Covid Alien"), an NFT that was sold at Sotheby's in 2021 for $11.7 million, once setting a record for the highest price paid for a single Punk at auction.
This tweet quickly spread within the cryptocurrency community. Security firm PeckShield observed related on-chain transactions and tentatively identified them as a "Poisoning Attack," a method that deceives users into making transfers by mimicking similar addresses.
According to PeckShield's monitoring, approximately 20 million DAI is currently held in two wallets controlled by the attackers (not yet mixed): an address starting with 0xdCA9 (around $10 million) and an address starting with 0xd0c2 (around $10 million). The attackers have begun moving a small amount of funds to Arbitrum.



There is a clear contradiction between the two possible explanations. If it is a Poisoning Attack, the victim was deceived into initiating the transfer, and physical violence was not a necessary condition. If it is physical coercion, the attackers already have the victim's real identity and address.
The details of the incident are still pending confirmation by law enforcement, and some in the community have raised questions about whether this is a "hype post." Regardless of the ultimate conclusion of this case, the panic it has caused has already highlighted one thing:
In today's highly transparent world of crypto wealth, a single mistaken on-chain revelation could result in a real-world wrench.
Not an Isolated Incident: 169% Increase in Physical Attacks in 2025
The so-called "Wrench Attack" is when an attacker uses physical force such as violence, intimidation, or kidnapping to coerce a victim into revealing their private key or password. This type of attack does not rely on technical vulnerabilities but instead directly targets the individual behind the encrypted assets.
According to a report released by CertiK, Wrench Attacks surged by 75% in 2025, with physical violence becoming a significant threat in the crypto space.
In terms of attack patterns, the report indicates that kidnapping remains the primary attack vector, with 25 incidents occurring throughout the year. Direct physical assaults saw a 250% year-on-year increase, becoming one of the most concerning changes. Geographically, Europe has for the first time become the highest-risk region globally. In 2025, Europe accounted for over 40% of all known events globally, with France recording the highest number of attacks, surpassing the United States. In terms of financial impact, confirmed losses related to Wrench Attacks in 2025 exceeded $40.9 million, a 44% increase compared to the previous year.
Jameson Lopp, Chief Security Officer of Bitcoin security company Casa and a long-time tracker of physical attack incidents, maintains a database covering over 225 verified cases to date. In 2025, this list grew at an unprecedented rate, with the data continuing to escalate rapidly into 2026.
Moreover, because many victims choose to remain silent out of fear, privacy concerns, or distrust of law enforcement, the actual numbers are likely higher. The victim group has expanded beyond the crypto elite to include teachers, construction workers, firefighters, and their families.
Three Landmark Cases in 2025
Case 1: Ledger Co-founder Kidnapped, Finger Severed (France, January 2025)
In January 2025, David Balland, co-founder of the crypto hardware wallet company Ledger, and his wife were kidnapped and held captive separately at their residence in the central French city of Vierzon. The attackers later sent a video of Balland's severed finger to Ledger's other co-founder, Eric Larchevêque, demanding the equivalent of €10 million in cryptocurrency ransom.
The elite French police force GIGN (National Gendarmerie Intervention Group) intervened, successfully locating and rescuing Balland, while his wife was found hours later in a van. The portion of the ransom that had been paid was almost entirely traced, frozen, and seized. Ten suspects aged between 20 and 40 were arrested, with the prosecutor stating that if convicted, they would face life imprisonment.
Case 2: Paymium CEO's Daughter Kidnapped on Paris Streets (France, May 2025)
On the morning of May 13, 2025, the daughter of Paymium CEO Pierre Noizat was walking with her young grandson on the streets of the 11th arrondissement of Paris when she was intercepted by three masked men who attempted to force her into a box truck.
The attack took place in broad daylight on a crowded street, captured on surveillance cameras. Noizat's daughter resisted vigorously, seized one of the guns and threw it on the ground; bystanders then joined in, with one picking up the gun to point at the assailants and another using a fire extinguisher to disperse them. The three assailants eventually fled in haste.
Following the incident, French authorities launched an investigation into the attempted kidnapping, leading to charges against 25 individuals, including 6 minors. This detail sparked a lot of discussion in French media about the "Mexicanization of France."
Case 3: Former U.S. Police Officer Conducts Crypto Wrench Attack (Los Angeles, 2024-2025)
At the end of 2024, a former Los Angeles Police Department (LAPD) officer was found guilty by a jury of physically coercing cryptocurrency holders, forcing the victims to transfer about 350,000 dollars' worth of Bitcoin. The uniqueness of the case lies in the perpetrator's law enforcement background, meaning he had professional knowledge of how to evade surveillance and carry out coercion.
The ruling was widely referenced in the crypto community as it shattered the inherent assumption that "physical attacks only come from street criminals."
Why Are Crypto Holders Particularly Vulnerable, and What Can Users Do?
The core finding of the CertiK report is that attackers are actively selecting targets based on a risk-reward analysis, prioritizing a combination of "high potential rewards, low security defenses." This logic has spawned four typical target profiles.
The most straightforward are retail investors who publicly disclose their asset holdings on social media, with on-chain balances visible and almost zero security. Industry executives and protocol founders represent higher-value targets, usually with security measures in place, but still exposed during travel or public events. The third category, family members and friends, is often overlooked, as criminals are well aware that controlling a spouse, child, or elderly parent circumvents any security protocols. Many family members lack basic operational security training, with protection levels far below the primary target. The fourth category is over-the-counter traders, where attackers disguise offline transactions as regular business meetings, seizing assets as soon as the victim demonstrates proof of holdings.
Meanwhile, pre-attack surveillance has evolved from manual tracking to OSINT-driven digital footprint analysis. Attackers identify the weakest points in the target's defenses in the weeks leading up to the operation. During the intrusion phase, impersonating a delivery person or utility worker remains the most effective penetration method, catching the victim psychologically off guard. Once inside the premises, they deploy Faraday bags and signal jammers to cut off device network connections, forcing the victim and their family into isolation.
The era of solely relying on mnemonic phrases is over. Humans remain the most vulnerable single point of failure in the entire security system.
On the individual level, the most crucial step is to establish a "Decoy Wallet + Core Wallet" separation architecture. The Decoy Wallet should hold small amounts of assets that appear reasonable; too small an amount would anger the attacker, triggering further violence. In the face of coercion, it provides an exit for compromise, protecting the core assets from being touched. Meanwhile, the mnemonic phrase and the signing device must never be stored in the same location; the ideal way is to store the mnemonic phrase in a bank safe deposit box rather than in a residence.
In daily behavior, "Avoid flaunting" is the bottom line: refrain from posting wallet addresses, asset screenshots, or itinerary arrangements on any public platform. When traveling, use a dedicated phone with only the bare minimum account permissions, with high-value wallet applications not installed on the everyday carry device. High-value transactions should only be conducted on a dedicated computer that is not used for external purposes.
For individuals and institutions holding large amounts of assets, the report provides two structural tools: Multi-signature schemes (such as 2/3 or 3/5) fundamentally eliminate the possibility of a single person being coerced to authorize a transfer; time-locked contracts impose a mandatory delay on withdrawals exceeding a threshold amount, creating a window for external intervention.
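The two controls above, modelled off-chain as an added example (not code from the CertiK report or from any wallet project): a 2-of-3 approval quorum combined with a delay on withdrawals above a threshold, during which any key holder can veto. The signer names, the threshold and the 48-hour delay are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Policy values are assumptions for illustration, not figures from the report.
SIGNERS = {"alice", "bob", "carol"}   # hypothetical 2-of-3 key holders
QUORUM = 2
THRESHOLD = 10_000                    # larger withdrawals are time-locked
DELAY = 48 * 3600                     # seconds a large withdrawal must wait


@dataclass
class Withdrawal:
    amount: int
    requested_at: int
    approvals: set = field(default_factory=set)
    cancelled: bool = False
    executed: bool = False


class Vault:
    def __init__(self):
        self.queue = []

    def request(self, signer, amount, now):
        self._check(signer)
        self.queue.append(Withdrawal(amount, now, {signer}))
        return len(self.queue) - 1            # withdrawal id

    def approve(self, signer, wid):
        self._check(signer)
        self.queue[wid].approvals.add(signer)

    def cancel(self, signer, wid):
        self._check(signer)                   # any one key holder can veto
        self.queue[wid].cancelled = True

    def execute(self, wid, now):
        w = self.queue[wid]
        if w.executed:
            return "already executed"
        if w.cancelled:
            return "cancelled"
        if len(w.approvals) < QUORUM:
            return "needs more signatures"
        if w.amount > THRESHOLD and now < w.requested_at + DELAY:
            return "time-locked"
        w.executed = True
        return "executed"

    @staticmethod
    def _check(signer):
        if signer not in SIGNERS:
            raise PermissionError(f"{signer} is not a key holder")
```

In the model, a single coerced key holder cannot move funds alone, and even a coerced quorum only starts the clock, leaving the remaining key holder the full delay window to cancel.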
In addition, CertiK lists three categories of warning signals worth noting: receiving unsolicited two-factor authentication codes (which may indicate that an attacker has obtained your digital credentials and is testing responses); real-life anomalies, such as receiving a delivery without ordering or repeated harassment to confirm if anyone is home; and a long-lost acquaintance suddenly reaching out and emphasizing the need for an in-person meeting. These three types of signals have been repeatedly documented in the case studies but were rarely recognized as dangers by the victims at the time.
This is Not Just an Individual Security Issue
Every time the Bitcoin price hits a new all-time high, Jameson Lopp's database receives a new set of entries. He has been tracking this price-violence correlation for almost a decade.
The crypto industry spent fifteen years addressing private key security issues, building wallets, protocols, and multi-signature architectures that are increasingly difficult for hackers to breach. However, when attackers shift their focus to the person holding the keys, these technological defenses become virtually ineffective.
The sillytuna incident is still controversial, but the questions it raises are real: As transparency of crypto wealth becomes an industry selling point, is it also drawing a roadmap for some to hunt?
France has already started discussing the need for a specific legislative framework to address crypto ransomware, while law enforcement agencies in the UK, Singapore, and other regions are updating personal safety guidelines for digital asset holders.
The next person to hear a knock on the door with an axe may not necessarily be a billionaire. It could also be just an ordinary user whose on-chain balance has been exposed.