On the night of Nov. 26, Danylo K., a 21-year-old Ukrainian student and the son of Kharkiv’s deputy mayor, was lured to the underground garage of Vienna’s Sofitel hotel by a fellow student.
As local outlets reported, what followed was a torture session designed to extract cryptocurrency wallet passwords: attackers beat him until his teeth were knocked out, forced him to reveal credentials to two wallets that were then drained, and finally doused him with gasoline and set him on fire in the back seat of his own Mercedes.
Vienna police recovered a melted gas canister from the wreckage. The two suspects, a 19-year-old and a 45-year-old, fled to Ukraine hours after the murder and will face trial there rather than be extradited.
The Vienna case is particularly brutal. Still, it sits within a pattern that has become unmistakable across 2025: crypto holders are now primary targets for coordinated physical violence, and the attacks are accelerating.
Risk consultancies counted 21 incidents of violent crypto-linked extortion and kidnapping in just the first five months of this year, versus 31 in all of 2024.
Jameson Lopp, who maintains an open database of physical attacks on crypto holders at Casa, told reporters his tally shows more than 50 documented wrench attacks globally in 2025. That is roughly double 2024’s count.
Recent cases have ranged from tens of thousands of dollars to eight-figure sums.
Hyperion Services, which tracks crypto kidnappings, wrote in a September assessment that such attacks are now happening “weekly,” and that in both France and Brazil, criminals have threatened to mutilate or kill children unless private keys were handed over.
The operational security assumptions that worked when crypto was niche, anonymous handles, PO boxes, casual mentions of holdings in Discord, no longer hold when on-chain activity, social-media leaks, and property records can triangulate a target’s home address and net worth in under an hour.
The $5-wrench attack, once a meme about physical coercion trumping cryptography, has matured into a professional crime category with cross-border networks, torture protocols, and specialist money-laundering infrastructure.
The question for holders is no longer whether wrench attacks are real, but whether their current OPSEC can survive first contact with a gang that already knows where they live.
Coordinated kidnapping wave targeting crypto families in France
France has become the epicenter. In January, Ledger co-founder David Balland and his partner were abducted from their home in Cher. Kidnappers cut off one of his fingers and demanded a €10 million ransom in cryptocurrency before elite police units rescued them and arrested multiple suspects.
By May, French police were investigating a broader pattern of attacks on crypto millionaires.
In one high-profile case, the father of a wealthy crypto entrepreneur was kidnapped in Paris, had a finger severed, and was freed in a raid on a house in Essonne. Authorities linked the attack directly to his son’s crypto wealth.
The same network was tied to an attempted kidnapping of the daughter and grandson of Paymium CEO Pierre Noizat in central Paris. Armed assailants tried to force them into a van in broad daylight before being driven off by her husband and bystanders.
French and European press later reported that a gang led from abroad specialized in kidnapping relatives of crypto figures between 2023 and May 2025, using torture and mutilation while demanding ransoms in Ethereum and other assets.
The pattern reveals a strategic choice: rather than target the holder directly, gangs abduct family members who have no training in operational security and whose suffering creates immediate psychological leverage.
The attacks also suggest that attackers are working from leaked databases or from social graph analysis that maps family relationships and physical addresses to on-chain holdings.
Torture, home invasions, and a “$11 million wrench attack” in the US
The US case load spans coasts and methods. In New York, prosecutors charged crypto investor John Woeltz with kidnapping and torturing an Italian partner tied to a crypto hedge fund.
Court filings say the victim was held for nearly three weeks in a SoHo townhouse starting May 6 and subjected to electric shocks, beatings, and threats against his family as the attackers tried to force him to reveal his Bitcoin password.
In Minnesota, federal prosecutors charged two Texas brothers over an “$8 million armed crypto-kidnapping heist.”
According to a Sept. 25 Department of Justice release, they allegedly held a family at gunpoint for nine hours in their home near St. Paul, forced the father to log into his accounts and transfer millions in crypto, and then drove him three hours to a cabin to drain a hardware wallet while other relatives remained hostage.
On the West Coast, a San Francisco homeowner was robbed of about $11 million in crypto after a gunman posing as a delivery driver gained entry, tied the victim with duct tape, and forced him to hand over wallet credentials and devices.
The attack, reported in late November, was flagged by security researchers as one of the largest single-victim wrench attacks of the year.
The San Francisco case is instructive because it combined social engineering, fake delivery, with immediate physical violence, suggesting attackers had already confirmed the target’s holdings and address before knocking on the door.
United Kingdom, Canada, and the resurfacing of historic torture cases
Greater Manchester Police reported in January that a criminal gang that repeatedly kidnapped and assaulted a vulnerable man to force cryptocurrency transfers was jailed for a combined 76 years.
Investigators said the group used machetes, a pistol, and other weapons over multiple incidents as they tried to steal “hundreds of thousands of pounds” in crypto.
In November, a masked gang in Oxford ambushed a car, stole a £450,000 luxury watch, and forced the main victim to transfer about $1.5 million in cryptocurrency while holding occupants for roughly 30 minutes. Four suspects were arrested on suspicion of robbery and kidnapping.
Meanwhile, a case resurfaced in November as Canadian court documents revealed an earlier Quebec “Bitcoin wrench attack” in which a family was kidnapped, waterboarded, and sexually assaulted while attackers stole around $1.6 million in BTC.
From São Paulo ransoms to the Roman Novak murder
In Brazil, a crypto trader’s mother was kidnapped and held until her son paid a ransom of five Bitcoin, with four people arrested.
Local press framed the case as part of a growing wave of ransomware attacks in which relatives are used as leverage to obtain private keys.
Subsequent coverage of Brazilian courts noted that gangs have laundered tens of millions of dollars in kidnap ransoms and drug proceeds through Bitcoin, underscoring how physical kidnappings and crypto money laundering are intertwined.
Security briefings and regional media in 2025 described multiple cases in Asia, including a March incident in Hong Kong where a Turkish man bringing €5 million in cash for a crypto trade was attacked with a knife, and a Philippines case where businessman Anson Que was reportedly lured to a house, held hostage, and forced to send millions in crypto before being killed.
A late-November report highlighted Thai police arrests of a South Korean man and three Thai nationals accused of kidnapping and robbing a Chinese victim of more than $10,000 in cash and crypto.
In the UAE, British tabloids and follow-on coverage reported that Russian crypto figure Roman Novak and his wife were lured to a villa in Hatta by men posing as investors, tortured as the attackers tried to access what they believed was a £380 million crypto fortune, and ultimately murdered when the wallets turned out to be empty.
The Novak case exposes a grim calculus: attackers are willing to kill even when the expected payout doesn’t materialize, because the cost of leaving witnesses exceeds the risk of homicide charges in jurisdictions with weak extradition frameworks.
Why the wrench attack works, and what breaks next
Three structural forces make 2025’s wave possible, and each points to a different OPSEC failure mode.
First, on-chain transparency meets off-chain identity leaks. Blockchain explorers make wallet balances public: data breaches, social-media carelessness, and property records make names and addresses public.
The intersection of those two datasets creates a target list with estimated net worth, home address, and family structure.
A 2024 case that surfaced in November after the perpetrators were sentenced showed exactly this: attackers used a leaked database that linked a £4.3 million wallet to a specific UK address, then executed a home invasion.
The wrench attack is not a brute-force assault on cryptography, but rather a precision strike enabled by information that holders assumed was compartmentalized but wasn’t.
Second, self-custody creates a single point of failure with no institutional backstop. When assets sit in an exchange, an attacker who kidnaps you still has to bypass 2FA, withdrawal limits, KYC verification, and fraud monitoring.
When assets sit in a hardware wallet or a brain wallet, the only barrier between the attacker and the funds is your willingness to withstand torture.
Hyperion Services noted in its September assessment that Bitcoin and self-custody holders are favored targets precisely because there is no compliance team to call, no mechanism to reverse transactions, and no way for law enforcement to freeze funds once they move.
The decentralization that protects holders from state seizure also removes the institutional friction that protects them from kidnappers.
Third, cross-border coordination among attackers is faster than cross-border coordination among law enforcement.
The Vienna suspects fled to Ukraine within hours and will face trial there rather than be extradited. The French gang operated from abroad. Brazilian gangs launder ransoms through mixers and offshore exchanges faster than courts can issue freezing orders.
The result is a crime with a high expected return and low expected punishment, especially when the victim is wealthy enough to pay but not politically connected enough to mobilize Interpol.
The OPSEC shift these cases will force
The 2025 wave will break two categories of assumptions. The first is geographic: holders in Vienna, San Francisco, and Oxford assumed physical safety came with rule-of-law jurisdictions, stable institutions, and low violent-crime rates.
The case load shows that attackers don’t care about local homicide statistics. They care about wallet balances and whether the target has armed security.
The second is social: holders assumed they could talk about crypto wealth online, post lifestyle content, or attend conferences under their real names without linking that persona to their home address.
The wrench-attack playbook assumes you’ve already made that link for them.
The defensive posture that emerges will look less like traditional OPSEC and more like witness protection: anonymous LLC ownership of property, mail forwarding services, separation of on-chain and off-chain identities, geographic dispersion of family members, and, in some cases, armed security or panic rooms.
Multisig custody and timelocked vaults reduce the value of torturing any single keyholder, but they also require operational complexity that most holders haven’t adopted.
The gap between what protects you and what’s convenient will widen, and the attacks will continue to concentrate on holders who haven’t closed it.
The macro picture is simple: self-custody created an asset class that can be transferred instantly under duress with no institutional intermediary to reverse the transaction.
On-chain transparency and social-media culture created a public registry of who holds what and where they live. The $5-wrench attack was always the logical endpoint, and 2025 is just the year it scaled.