Crypto Wrench Attacks Rise 41% in 2026, Targeting Family Members

CryptoFrontier

Crypto security firm CertiK estimates that cryptocurrency holders lost approximately $101 million from wrench attacks during the first four months of 2026, representing a 41% increase in verified incidents compared to the same period in 2025. If the trend continues at this rate, losses could reach several hundred million dollars for the full year 2026.

Wrench attacks—a cybersecurity term for physical assaults and extortion attempts that overcome software security systems—have become an “established threat vector for cryptocurrency holders,” according to CertiK. The firm verified 34 global incidents in early 2026, compared to approximately 70 physical assaults reported throughout 2025, though many attacks likely go unreported due to their nature.

Geographic Distribution and European Concentration

Notably, 28 of the 34 incidents (82%) occurred in Europe, marking a significant geographic shift. France remains the epicenter, with 24 assaults recorded in 2025 alone, dominating “the country-by-country breakdown by a wide margin,” CertiK noted. This compares to 20 assaults throughout 2024. In contrast, reported threats in the U.S. during the first quarter fell to three from nine in 2025, and in Asia to two from 25.

CertiK identified several factors driving the concentration in France, including the presence of flagship companies like Ledger and Binance, a high number of data leaks targeting the country, and “the culture of flexing and voluntary doxxing that remains deeply embedded in the community.” The issue gained prominence following the 2024 kidnapping and torture of Ledger co-founder David Balland and his wife, prompting France’s Interior Ministry to meet with crypto industry leaders to discuss safety concerns.

Attacker Organization and Recruitment

CertiK identified an emerging pattern in attacker organization: small teams of 3 to 5 people, often young, are frequently recruited via Telegram or Snapchat to operate as ground crews. Orchestrators, meanwhile, are often based abroad in locations such as Morocco, Dubai, and Eastern Europe.

The firm noted a recent shift toward a “data-driven targeting” model that minimizes the need for physical surveillance. Attackers now purchase victim information—including full names, home addresses, and financial profiles—from online brokers. “They purchase data lists, commission coordinators, and receive funds before laundering them,” CertiK stated.

Targeting Family Members as Pressure Leverage

A significant trend involves attackers increasingly targeting “proxies” rather than primary victims. More than half of the incidents this year involved “a member of the primary target’s family (spouse, child, elderly parent), either as a direct victim or as a pressure lever,” CertiK reported.

Access Methods Remain Consistent

While attackers employ sophisticated data acquisition and coordination strategies, on-the-ground access techniques remain largely unchanged from 2025. “Access techniques remain broadly the same as in 2025, with a strong persistence of the Doorbell Vector (delivery personnel, fake police officers, etc.) and the Honeypot (fictitious business meetings, fake OTC deals, etc.),” CertiK wrote.

Comment
OldKeyboardTraitorvip
· Just Now
If you count the cases that were never reported, the actual figure could be double.
WalletHealthInspectorvip
· 3h ago
Trivia: Many wrench attacks happen at home, and the proportion of acquaintances committing the crime is not low.
OrigamiMountainsvip
· 11h ago
What does a 41% increase indicate? It means on-chain security has improved; bad actors have shifted to offline real-person competitions.
IceCreamUnderTheNeonLightsvip
· 11h ago
The term "wrench attack" translates to "holding you down and forcing you to tell the password," which is pretty hardcore.
GateUser-0f33f9efvip
· 11h ago
It is recommended that project teams provide bodyguards (seriously) to large-scale holding users.
NightFlightMintvip
· 11h ago
$101M in just four months, this growth rate is even faster than the coin's price.
SushiRebalancevip
· 11h ago
Physical attacks are harder to defend against than hackers, and hardware wallets must also be carried close to the body.