Wrench Attacks: The Physical Security Playbook Crypto People Need in 2026
The crypto security conversation has historically been dominated by software exploits, phishing campaigns, and smart contract vulnerabilities. That framing is increasingly incomplete. Between January 2024 and March 2026, publicly documented physical attacks on cryptocurrency holders -- home invasions, kidnappings, armed robberies, and extortion through threat of violence -- increased by roughly 280 percent compared to the same window from 2021 to 2023. The actual numbers are almost certainly higher, because victims frequently decline to report these incidents to law enforcement.
Physical security is now a primary concern for anyone holding meaningful amounts of crypto in self-custody. The threat model has shifted, and the playbook needs to shift with it.
The Escalation Pattern: 2024-2025
The period from mid-2024 through late 2025 saw a distinct escalation in both the frequency and sophistication of physical attacks on crypto holders. Several factors converged to make this period particularly dangerous.
First, the bull market that began in late 2023 created a new cohort of visible wealth holders. People who had accumulated during the 2022-2023 bear market suddenly had portfolios worth multiples of their entry cost. Some of these people were not discreet about it.
Second, the mainstreaming of on-chain analytics tools meant that identifying large wallet holders became easier for sophisticated criminal groups. You no longer needed to work at Chainalysis to trace fund flows -- open-source tools and blockchain explorers made whale-watching accessible to anyone.
Third, the geographic concentration of crypto wealth in specific cities and neighbourhoods created target-rich environments. Certain areas of Miami, Dubai, Lisbon, and Singapore developed reputations as crypto hubs, effectively advertising to criminal enterprises where to find targets.
The attack patterns followed a predictable evolution. Early incidents were opportunistic -- someone flashing wealth at a conference, then getting followed back to their hotel. By late 2025, attacks had become planned operations. Criminal groups were conducting surveillance over days or weeks, identifying home addresses, mapping daily routines, and timing attacks for maximum coercive leverage.
Several particularly brutal incidents in 2025 involved home invasions where attackers held family members hostage while demanding wallet transfers. In at least three documented cases, attackers had pre-identified the approximate holdings of their targets through on-chain analysis before initiating the operation.
How Attackers Identify Targets
Understanding the target identification process is essential to building effective countermeasures. Attackers use a combination of online and offline intelligence gathering, and the intersection of these two channels is where most vulnerability exists.
Social media exposure remains the single largest attack vector for target identification. This includes obvious signals like posting portfolio screenshots, discussing specific holdings on Twitter/X, or sharing photos of hardware wallets. It also includes subtler signals: checking in at crypto conferences, posting photos that reveal home locations, or maintaining a public profile that associates a real identity with crypto wealth.
On-chain analysis has become increasingly accessible. Blockchain explorers make it trivial to identify large holders on most chains. If an attacker can associate a real-world identity with an on-chain address -- through a doxxed ENS name, a public donation, or a social media post referencing a transaction -- they can estimate holdings and track movements of funds.
Conference and event attendance creates concentrated exposure. Crypto conferences are, from a physical security perspective, gatherings of high-net-worth individuals in a known location at a known time. Attackers have been documented conducting surveillance at conference venues, hotel lobbies, and after-parties.
Professional exposure affects founders, fund managers, and prominent community figures disproportionately. If your professional identity is tied to crypto and your role implies access to significant funds, you are a higher-value target regardless of your personal holdings.
Supply chain intelligence is an emerging concern. Deliveries of hardware wallets, shipments from known crypto companies, or even interactions with crypto-focused financial advisors can signal to motivated attackers that a household holds cryptocurrency.
Operational Security Mistakes That Create Vulnerability
Most physical attacks on crypto holders succeed because the victim made identifiable operational security mistakes months or years before the incident. These mistakes create the information trail that attackers follow.
Linking real identity to on-chain activity is the foundational error. Every ENS name that maps to a doxxed identity, every transaction shared publicly, and every wallet address posted on social media creates a permanent, searchable record that connects physical-world identity to on-chain wealth.
Consistent address reuse makes tracking trivial. If you use the same deposit address across multiple exchanges and services, an attacker who compromises any single point of linkage can map your entire on-chain activity.
Wealth signalling -- both intentional and unintentional -- acts as a targeting beacon. This extends beyond obviously flashy behaviour. Even discussing general portfolio strategy in public, mentioning specific allocations, or debating self-custody approaches in identifiable forums contributes to target profiling.
Predictable routines give attackers the operational information they need to plan an ambush or home invasion. Regular schedules, known addresses, and habitual routes all reduce the difficulty of a physical attack.
Single-point-of-failure custody means that physical coercion can result in immediate, irreversible loss. If one person, under duress, can transfer all funds, the attacker's task is straightforward.
The Physical Security Playbook
Effective physical security for crypto holders combines traditional personal security practices with crypto-specific technical measures. Neither alone is sufficient.
Duress Wallets
A duress wallet -- sometimes called a decoy wallet -- is a wallet that holds a plausible but limited amount of cryptocurrency, designed to be surrendered under physical coercion. The concept is straightforward: if an attacker forces you to transfer funds, you transfer the duress wallet contents rather than your primary holdings.
For a duress wallet to be effective, it must be credible. An attacker who has done on-chain reconnaissance and believes you hold 50 BTC will not be satisfied with a wallet containing 0.1 BTC. The duress wallet needs to hold enough to be believable as a significant portion of your wealth -- while your actual holdings remain in separate, less accessible custody.
The psychological challenge is real. Under physical threat, maintaining composure while directing an attacker to the duress wallet rather than primary storage requires advance planning and mental rehearsal.
Timelocks and Delayed Withdrawals
Timelocks create a built-in delay between initiating a transaction and the funds becoming movable. This serves two purposes: it removes the possibility of immediate transfer under coercion, and it creates a window during which the transaction can potentially be reversed or the authorities notified.
Bitcoin's CheckSequenceVerify (CSV) and CheckLockTimeVerify (CLTV) opcodes enable on-chain timelocks. Several multisig solutions now offer configurable timelock periods. For Ethereum-based assets, smart contract wallets can enforce similar delays.
The key is that the timelock must be genuinely immutable from the user's perspective. If an attacker believes you can override the delay, the protection evaporates.
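The delay that CheckSequenceVerify enforces is written in the BIP68 nSequence encoding. The Python below is an added example, not code from this article: it encodes a delay, decodes it back and builds a simple delayed-spend script. The function names are hypothetical and the public key is a constructed placeholder.

```python
# Added example. BIP68 relative-lock encoding plus a CSV-delayed script.
SEQ_DISABLE_FLAG = 1 << 31  # set: nSequence carries no relative lock
SEQ_TYPE_FLAG = 1 << 22     # set: units of 512 seconds; clear: blocks
SEQ_MASK = 0xFFFF           # low 16 bits hold the delay value
OP_CSV, OP_DROP, OP_CHECKSIG = 0xB2, 0x75, 0xAC

def encode_relative_lock(blocks=None, seconds=None):
    """Return the nSequence value for a delay given in blocks or seconds."""
    if (blocks is None) == (seconds is None):
        raise ValueError("give exactly one of blocks or seconds")
    if blocks is not None:
        value, flag = blocks, 0
    else:
        value, flag = -(-seconds // 512), SEQ_TYPE_FLAG  # round up
    if not 0 < value <= SEQ_MASK:
        raise ValueError("delay does not fit in 16 bits")
    return flag | value

def decode_relative_lock(nsequence):
    """Return (unit, amount), or None when the disable flag is set."""
    if nsequence & SEQ_DISABLE_FLAG:
        return None
    value = nsequence & SEQ_MASK
    if nsequence & SEQ_TYPE_FLAG:
        return ("seconds", value * 512)
    return ("blocks", value)

def push_number(n):
    """Minimal script push of a positive integer (OP_1..OP_16 when small)."""
    if n <= 16:
        return bytes([0x50 + n])
    out = bytearray()
    while n:
        out.append(n & 0xFF)
        n >>= 8
    if out[-1] & 0x80:  # extra zero byte keeps the number positive
        out.append(0x00)
    return bytes([len(out)]) + bytes(out)

def csv_delayed_script(nsequence, pubkey):
    """<delay> OP_CHECKSEQUENCEVERIFY OP_DROP <pubkey> OP_CHECKSIG"""
    return (push_number(nsequence) + bytes([OP_CSV, OP_DROP])
            + bytes([len(pubkey)]) + pubkey + bytes([OP_CHECKSIG]))

PLACEHOLDER_PUBKEY = bytes([0x02]) + bytes(32)  # constructed, not a real key
ONE_DAY = encode_relative_lock(blocks=144)      # about a day at 10 min/block
SCRIPT_HEX = csv_delayed_script(ONE_DAY, PLACEHOLDER_PUBKEY).hex()
```

For the delay to bind, the spending transaction must be version 2 or higher and set the input's nSequence to at least the encoded value.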
Multisig with Physical Separation
Multisig configurations that require keys stored in physically separate locations fundamentally change the attack calculus. An attacker who controls your person and your home still cannot move funds if additional keys are required from a geographically distant location -- a safe deposit box in another city, a trusted party in another jurisdiction, or a hardware signing device in a secure facility.
The specific configuration matters. A 2-of-3 multisig where two keys are in the same building provides minimal physical security benefit. A 2-of-3 where keys are distributed across three countries creates significant operational friction for attackers.
The tradeoff is accessibility. Configurations that are maximally secure against physical coercion are also the most inconvenient for legitimate use. Finding the right balance depends on the amount being secured and the individual threat model.
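The difference between the two 2-of-3 layouts above can be checked mechanically before keys are distributed. The Python below is an added example, not code from this article: it reports which sites alone hold enough keys to sign, how few sites an attacker would need to control, and how many sites can be lost before the holder is locked out. Site names and function names are hypothetical.

```python
# Added example. Checks an M-of-N key placement against single-site coercion.
def sites_needed_to_sign(threshold, placement):
    """Fewest distinct sites whose keys together reach the threshold."""
    total = 0
    for n, count in enumerate(sorted(placement.values(), reverse=True), 1):
        total += count
        if total >= threshold:
            return n
    raise ValueError("placement holds fewer keys than the threshold")

def sites_losable(threshold, placement):
    """Worst-case number of sites that can be lost with signing still possible."""
    remaining = sum(placement.values())
    lost = 0
    for count in sorted(placement.values(), reverse=True):
        if remaining - count < threshold:  # losing this site blocks signing
            break
        remaining -= count
        lost += 1
    return lost

def assess(threshold, placement):
    """Summarise coercion resistance and availability of a key placement."""
    return {
        # Sites where coercion at that one place is enough to move funds.
        "single_site_risk": sorted(s for s, c in placement.items() if c >= threshold),
        "min_sites_to_sign": sites_needed_to_sign(threshold, placement),
        "sites_losable": sites_losable(threshold, placement),
    }

# Constructed placements for a 2-of-3 wallet (site names are hypothetical).
SAME_BUILDING = {"home_office": 2, "bank_box_city_b": 1}
THREE_COUNTRIES = {"home_country_a": 1, "vault_country_b": 1, "cosigner_country_c": 1}
```

A placement is worth adopting only when `single_site_risk` is empty and `sites_losable` is at least 1, which is the accessibility tradeoff described above.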
Plausible Deniability
Plausible deniability means structuring your holdings so you can credibly claim not to have access to the full extent of your assets. This can involve hidden wallets derived from undocumented passphrases, custody arrangements where a third party holds keys without the holder knowing the full scope, and wallet structures where the duress wallet appears to be the complete holding. The challenge is maintaining deniability under sustained coercion, which is why technical measures must be combined with operational ones.
Self-Custody vs Exchange Custody: Different Risk Profiles
The physical security risk profile differs substantially between self-custody and exchange custody, and neither is categorically safer.
Self-custody concentrates physical risk on the individual holder. An attacker who can coerce one person may be able to access all funds. However, self-custody also enables the technical countermeasures described above -- timelocks, multisig, duress wallets -- that exchange custody does not.
Exchange custody distributes risk across the exchange's security infrastructure, which typically includes institutional-grade physical security, multi-party authorization for large withdrawals, and compliance procedures that create delays. Operational security is a key evaluation criterion in the exchange solvency assessment framework.
The tradeoff is counterparty risk. Exchange custody eliminates personal physical attack as a vector but introduces the risk of exchange failure, regulatory seizure, or insider theft. As our Exchange Watch coverage has documented extensively, exchange counterparty risk is not theoretical.
The optimal approach for most significant holders involves a hybrid: enough in self-custody (with appropriate physical security measures) to maintain sovereign access, with the remainder distributed across vetted custodians.
Institutional Practices Individuals Can Adapt
Professional custody operations employ physical security measures that individuals can adapt at a smaller scale.
Compartmentalised knowledge -- no single person in an institutional custody operation knows enough to unilaterally move funds. Individuals can approximate this through multisig arrangements where key holders have limited knowledge of each other's identities or the total holdings.
Secure facilities -- institutions store signing devices in bank vaults, secure data centres, or purpose-built facilities. Individuals can use safe deposit boxes, vault services, or distributed storage across trusted locations.
Operational security protocols -- institutions enforce communication procedures, verification requirements, and dual-authorization for any custody operation. Individuals can establish personal protocols: never discuss holdings in unsecured communications, require multi-channel verification for any custody change, and maintain strict separation between public identity and custody operations.
Incident response planning -- institutions have documented procedures for responding to physical security breaches. Individuals should have a plan: what to do if physically threatened, who to contact, how to trigger delays or freezes, and what information to provide to law enforcement.
Our methodology for evaluating exchange security incorporates many of these same principles at the institutional level.
The Insurance Gap
Traditional homeowner's or renter's insurance policies do not cover cryptocurrency losses, including losses resulting from physical coercion. Specialised crypto custody insurance exists but is primarily designed for institutional clients, with premiums that reflect the difficulty of underwriting bearer-asset risk. For individual holders, this means physical security failures result in unrecoverable losses in the vast majority of cases. There is no insurance backstop, no chargeback mechanism, and no recovery process.
Wealth Signalling and the Grey Man Principle
The most effective physical security measure is also the simplest: do not signal wealth. The "grey man" principle from personal security doctrine applies directly -- the goal is to be unremarkable, to avoid drawing attention, and to ensure nothing about your public presence suggests you are a worthwhile target.
The data is clear: the overwhelming majority of physical attacks on crypto holders began with the attacker identifying the target through some form of wealth signalling. Practical applications include maintaining strict separation between crypto-related online identities and real-world identity, avoiding discussion of specific holdings in any context, and being cautious about attendance at events that associate you with crypto wealth.
Threat Model Assessment
Not everyone faces the same level of physical security risk. The key variables include publicly known association with crypto, estimated visible on-chain wealth linked to your identity, geographic location, household composition (family members change an attacker's leverage), and your existing physical security baseline. A pseudonymous developer with moderate holdings and no public profile has a fundamentally different risk profile than a fund manager with a public identity and known AUM. A realistic threat assessment should inform the level of investment in countermeasures.
Frequently Asked Questions
How common are physical attacks on crypto holders?
Publicly documented incidents have increased significantly since 2023, with the community-maintained tracker recording over 200 confirmed cases through early 2026. The actual number is substantially higher because many victims do not report incidents -- sometimes because they fear legal scrutiny of their own holdings, and sometimes because they do not believe law enforcement can help. The geographic distribution is uneven, with higher concentrations in areas known for crypto wealth.
Does keeping crypto on an exchange protect against wrench attacks?
Exchange custody removes the ability for an attacker to force an immediate, irreversible on-chain transfer, because exchange withdrawals involve compliance checks, withdrawal limits, and processing delays. However, exchange custody introduces counterparty risk and does not fully eliminate physical coercion risk -- an attacker could still force you to initiate a withdrawal, though the exchange's security processes create additional friction and potential intervention points.
What is the most effective single physical security measure for a self-custody holder?
Multisig with physically separated keys. If no single location -- including your person, your home, and your primary devices -- contains enough keys to authorise a transaction, then physical coercion at any single location cannot result in fund loss. The specific configuration (2-of-3, 3-of-5, etc.) and the geographic distribution of keys should be calibrated to the amount being secured and the holder's threat model.
Should I tell anyone about my crypto holdings?
Minimise the number of people who know you hold crypto, and tell no one the specific amounts. Even trusted friends and family members can inadvertently disclose information that reaches the wrong people. If you need to discuss custody arrangements with a spouse or estate planner, do so in a secure, private setting and emphasise the importance of confidentiality. The principle is simple: information about your holdings should be shared on a strict need-to-know basis.
How do duress wallets work in practice?
A duress wallet is a secondary wallet that holds a plausible but limited amount of crypto, designed to be surrendered under coercion. You set it up alongside your primary wallet but with easier access -- ideally a separate hardware wallet or seed phrase that you can plausibly present as your main holdings. The amount needs to be large enough that an attacker believes it represents your real wealth. Under duress, you surrender the duress wallet while your primary holdings remain in separate, less accessible storage. The critical factor is preparation: the duress wallet must exist and be funded before an incident occurs.