Crypto Kidnappings Double in 2025

Key Points

  • Wrench attacks on crypto holders are on track to double in 2025, with over 50 documented incidents
  • Attackers use leaked KYC databases, skip-tracing tools, and $50 Telegram lookups to find victims’ home addresses
  • Cases include Ledger co-founder David Balland (finger severed), streamer Amouranth (home invasion), and a $4.3M UK machete robbery
  • A 16-year-old used TransUnion’s TLOxp database to locate a victim, proving identity infrastructure has become a targeting system
  • Insurance company AnchorWatch now offers wrench attack coverage up to $100 million backed by Lloyd’s of London

The identity infrastructure built to verify cryptocurrency users (exchange databases, skip-tracing services, credit bureaus) has become the targeting system now used to kidnap, torture, and rob them.

In January 2025, the most violent wrench attack of the year began when kidnappers cut off David Balland’s finger and sent a video of his mutilated hand to his former colleagues at Ledger, the cryptocurrency hardware wallet company he co-founded. The ransom demand came in Bitcoin.

By May, a different gang had kidnapped a crypto entrepreneur’s father in Paris and done the same thing: finger, video, crypto ransom. French police found the man tied up in a house in Essonne after a nighttime raid. Police arrested five people. The kidnappers had demanded between five and seven million euros.

These incidents aren’t anomalies. According to blockchain analytics firm Chainalysis, 2025 is on track to see potentially twice as many physical attacks on cryptocurrency holders as any previous year on record. Security researcher Jameson Lopp, who maintains a running database of what the industry calls “wrench attacks,” has documented over 50 incidents in 2025 alone, more than any previous year on record. The previous high was 2021, with roughly 35 documented attacks. The term comes from an old internet meme: no matter how sophisticated your encryption, someone can simply beat you with a wrench until you surrender the password.

What is a wrench attack?

A wrench attack is a physical assault on a cryptocurrency holder designed to force them to surrender their wallet passwords or private keys. The term comes from an internet meme illustrating that no encryption can protect against someone threatening you with a $5 wrench.

The violence is escalating. But the more unsettling question isn’t that it’s happening. It’s why.

The Wrench Attack Target List

To kidnap someone for their cryptocurrency, you need to know two things: that they own crypto, and where they live. For years, the crypto industry’s answer to this problem was pseudonymity. Bitcoin wallets are just strings of numbers. Keep your holdings private, and you’re safe.

Then came regulation.

In 2020, hackers breached Ledger’s e-commerce database and leaked the personal information of 272,000 customers: names, phone numbers, email addresses, and physical mailing addresses. The breach wasn’t a failure of blockchain security. It was a failure of the company’s marketing database, the one required to ship hardware wallets to customers who’d provided their information during purchase.

In May 2025, Coinbase disclosed that rogue overseas support agents had been bribed to steal customer data. The breach affected 69,461 users. The stolen information included names, addresses, phone numbers, masked Social Security numbers, government-issued IDs, and account balance snapshots. Coinbase estimated remediation costs between $180 and $400 million.

The Database Underground

But exchange breaches aren’t the only vector. In June 2024, three men armed with machetes forced their way into a UK home posing as delivery drivers. They forced the victim to transfer $4.3 million in cryptocurrency at knifepoint.

The attackers didn’t find their target through a crypto exchange leak. According to an investigation by blockchain detective ZachXBT, they used TLOxp, a TransUnion database restricted to licensed investigators that contains addresses, phone numbers, family connections, and property records. Chat logs recovered during the investigation showed explicit references to the lookup. When one attacker asked for additional information about the victim, another replied: “No, it was not listed in the TLO.”

Sheffield Crown Court sentenced the defendants in November 2025, seventeen months after the attack. The ringleader was 16 years old. Nearly all stolen funds were seized after ZachXBT traced the transactions.

The case revealed something systemic. ZachXBT has stated that compromised access to TLOxp has enabled “eight to nine figures” in crypto thefts and may have “directly resulted in multiple deaths” through robberies or swatting incidents. Criminals can purchase lookups on nearly any US citizen for less than $50 through Telegram channels, according to reporting by 404 Media.

These breaches weren’t hacks of the blockchain. They were hacks of the identity infrastructure: Know Your Customer (KYC) databases, skip-tracing services (tools for locating people), credit bureaus. The systems designed to verify identity, whether for compliance, debt collection, or law enforcement, have become centralized repositories of exactly the information criminals need to target crypto holders physically.

The problem isn’t just that crypto exchanges collect data. It’s that the entire apparatus of identity verification has become a target list for anyone willing to pay.

The Permanent Leak

And once that data is out, it doesn’t go away. The Ledger breach data is still circulating on dark web forums five years later, enriched with information from subsequent leaks. Security researchers estimate over 2 million crypto user identities are currently exposed online, including home addresses.

In other words, the irony is brutal. The infrastructure built to verify identity and prevent fraud has become the targeting system for a new kind of crime.

Chainalysis researchers found something else in their data: wrench attacks correlate with Bitcoin’s price. Not just in the obvious sense (higher prices mean bigger payoffs) but in terms of timing. The attacks track a forward-looking moving average of Bitcoin’s value, suggesting that criminals are targeting holders based on the perception that prices will rise. When the number goes up, so does your wrench attack risk.

The Violence

Typically, the attacks follow patterns. Some target the wealthy directly. Others go after family members as leverage. Still others exploit the public nature of crypto influencer culture, where displaying your portfolio is part of the brand.

On the night of May 1, 2025, three men abducted a crypto entrepreneur’s father from a street in Paris. They held him for nearly three days, cutting off one of his fingers and sending video to his son demanding millions in ransom. Police tracked the hostage to a house in the suburbs and mounted a nighttime raid to free him. The father survived. The finger did not.

In New York City, an Italian man named Michael Carturan was held captive for nearly three weeks in a $30,000-a-month SoHo townhouse. According to police reports, his captors (including a man named John Woeltz who had connected with him in crypto circles) tortured him, beat him, and at one point dangled him off a five-story ledge. They wanted his Bitcoin password. Carturan escaped only after agreeing to give up his wallet credentials and convincing his captors to leave him behind while they retrieved his laptop. He bolted the moment they left. Police arrested two people. An active-duty NYPD officer, allegedly working off-duty, had picked Carturan up from the airport.

The Influencer

Then there was Amouranth.

Kaitlyn Siragusa built a streaming empire across Twitch, OnlyFans, and various crypto ventures. In November 2024, she posted a screenshot to her nearly 4 million followers showing a Coinbase account with $20 million in Bitcoin.

On the night of March 2, 2025, three masked men broke through a patio entrance of her Houston home, kicked in her bedroom door, and dragged her out of bed at gunpoint. They pistol-whipped her (three times) while demanding she hand over her crypto. “Where’s the crypto?” they kept asking. “Where’s the crypto?”

What they didn’t know: Siragusa’s husband, Nick Lee, was in another building on the property. They were on a call when the attack began. He listened silently as the men beat his wife.

Siragusa didn’t have instant access to $20 million in cryptocurrency. Crypto isn’t like a bank account you can drain on demand. So she did the only thing she could. She told the attackers she’d take them to her husband, who had the hardware wallet.

She led them across the property to the building where Lee was waiting. He had a gun.

When the intruders approached, Lee opened fire. One of them caught a bullet. “I got shot! I got shot!” he screamed as the three fled on foot. Police later found a trail of blood.

Police eventually arrested four teenagers, ages 16 to 19, and charged them with aggravated kidnapping and aggravated robbery with a deadly weapon. The defendants face 5 to 99 years under Texas law.

Ultimately, Siragusa survived. She’s since hired armed guards. She and her husband report being unable to sleep.

The Numbers

The victims of wrench attacks aren’t just the ultra-wealthy. Becca Rubenfeld, co-founder of Bitcoin insurance company AnchorWatch, told Fox Business that attacks are increasingly targeting people with holdings in the hundreds of thousands, not millions.

“There are plenty of attacks in the last six and 18 months of people who were either murdered or held up, kidnapped and held in their own home for several days, tortured, beaten for several hundred thousand dollars,” she said. “The perception that you’re only at risk if you have millions and millions of dollars ultimately is not appearing to be true.”

The Wrench Attack Response

The crypto industry’s answer to wrench attacks has historically been operational security advice: don’t talk about your holdings, don’t post screenshots, don’t attend conferences where you might be identified as wealthy.

Lopp, the security researcher, puts it bluntly: shut up and stop flaunting your wealth.

But that advice only goes so far when your name and address are already in a database that’s been circulating for years. You can’t un-leak your information.

The Insurance Solution

AnchorWatch launched what may be the first insurance product specifically covering wrench attacks in late 2024. For an annual cost starting at 0.55% of the Bitcoin they want to protect, customers can purchase coverage up to $100 million, backed by Lloyd’s of London. The policy works in conjunction with a multi-signature vault system that requires AnchorWatch to co-sign transactions, meaning even under duress, a victim can truthfully tell their attackers: “I can’t move the Bitcoin right now, even if I wanted to.”

“Ultimately we determined that the only true solution, the TRUE solution, to a wrench attack is insurance,” Rubenfeld said on TFTC: A Bitcoin Podcast in July 2025. “We’re an insurance company. We’re going to be here for a hundred years. So we’re going to hunt you forever.”

Admittedly, it’s a strange solution to a strange problem: buying insurance against the possibility that someone will torture you for your money. But it may be the only realistic option for holders who can’t undo the data breaches that exposed them.

The Question

Cryptocurrency was supposed to be trustless finance. “Be your own bank.” No intermediaries, no gatekeepers, no centralized points of failure.

But you can’t KYC a blockchain address. You can only KYC a person. And once you’ve collected that person’s name, address, phone number, and government ID (once you’ve created a database linking real identities to crypto holdings) you’ve built something that has value to people other than regulators.

You’ve built a target list.

The Tradeoff

The men who cut off David Balland’s finger didn’t hack the Bitcoin blockchain. They didn’t crack his hardware wallet’s encryption. They used information that existed because Ledger was required to collect it, and because someone failed to protect it adequately.

The teenagers who pistol-whipped Amouranth found her because she had publicly posted a photo of herself alongside a screenshot of her $20 million in BTC holdings on X. But the breaches at Coinbase and Ledger mean that millions of people who never posted anything (who followed all the operational security advice, who kept their holdings private) are in databases anyway.

The crypto industry spent years arguing that regulation would kill innovation. Maybe that’s true. Maybe it isn’t. The specific form that regulation took, mandatory identity collection without adequate protection, may have done something worse.

The result: wrench attacks became possible and easy. And holding cryptocurrency became physically dangerous.

The men who robbed the Sheffield victim didn’t hack the blockchain. They didn’t crack a hardware wallet. They paid less than $50 for a database lookup that was supposed to be restricted to law enforcement.

That’s not a problem you can solve with better encryption.

Written and edited by Zoran Spirkovski.



Frequently Asked Questions

How common are wrench attacks in 2025?

According to Chainalysis, 2025 is on track to see twice as many physical attacks on crypto holders as any previous year. Security researcher Jameson Lopp has documented over 50 incidents in 2025 alone, surpassing the previous record of 35 attacks in 2021.

How do attackers find their victims?

Attackers use multiple data sources: leaked exchange databases (Ledger, Coinbase), skip-tracing tools like TLOxp, and dark web data brokers selling lookups for as little as $15-50. Some target victims who publicly display their holdings on social media.

Can I protect myself from a wrench attack?

Security experts recommend never discussing holdings publicly, monitoring personal data exposure, and using multi-signature wallets that require third-party co-signing. Insurance products like AnchorWatch now offer coverage specifically for wrench attacks.

Why are wrench attacks increasing?

Wrench attacks correlate with Bitcoin’s price—when crypto values rise, so do physical attacks. Additionally, years of KYC data breaches have created permanent target lists that criminals continue to exploit.
