Violence, kidnapping, and $24 million: Crypto holders unable to escape wrench attack.

When your private key encounters real brute force, your on-chain balance becomes a hunting map.

Written by: ChandlerZ, Foresight News

"I had bruises all over my body. I tried my best to fight back, but my hands and feet were injured, and I was chopped by the axe, so there was nothing I could do."

On March 5, 2026, cryptocurrency influencer sillytuna posted a very brief tweet stating that she had just been violently attacked and lost approximately $24 million worth of AUSD stablecoins, describing the incident as involving violence, weapons, kidnapping, and threats of rape. Police have intervened.

Sillytuna was the owner of Punk #7523 (commonly known as the "Covid Alien"), an NFT that sold for $11.7 million at Sotheby's in 2021, setting a record for the highest price ever paid for a single Punk at auction.

This tweet quickly spread throughout the crypto community. Security firm PeckShield detected the relevant on-chain transactions and initially flagged it as a "poisoning attack," a technique that tricks users into transferring funds by forging similar addresses.

According to PeckShield monitoring, approximately 20 million DAI are currently located in two attacker-controlled wallets (not yet mixed): an address starting with 0xdCA9 (approximately $10 million) and an address starting with 0xd0c2 (approximately $10 million). The attackers have already begun transferring small amounts of funds across chains to Arbitrum.

There is a clear contradiction between the two accounts. If it was a poisoning attack, the victim was deceived into transferring money voluntarily, and physical violence was not a necessary prerequisite. If it was physical coercion, the attacker already knew the victim's real identity and address.

The details of the incident are still pending police investigation and confirmation, and some members of the community have raised questions about whether it was a "traffic post" (post intended to generate buzz). However, regardless of the final conclusion of this case, the panic it triggered has already illustrated one thing:

In today's highly transparent world of crypto wealth, a single erroneous on-chain exposure could result in a real axe.

Not an isolated case: Physical attacks surged by 169% in 2025.

A "wrench attack" refers to an attacker using physical means such as violence, intimidation, or kidnapping to force a victim to hand over their private key or password. This type of attack does not rely on technical vulnerabilities but directly targets the individuals behind the crypto assets.

According to a report released by CertiK, "wrench attacks" surged by 75% in 2025, making physical violence a significant threat in the crypto space.

In terms of attack patterns, the report indicates that kidnapping remains the primary attack method, with 25 incidents throughout the year; direct physical assaults increased by 250% year-on-year, becoming one of the most alarming changes. Geographically, Europe has become the highest-risk region globally for the first time. In 2025, Europe accounted for over 40% of known incidents globally, with France recording the highest number of attacks, surpassing the United States. In terms of financial impact, confirmed losses related to wrench attacks exceeded $40.9 million in 2025, a 44% year-on-year increase.

Jameson Lopp, Chief Security Officer of Bitcoin security firm Casa and a long-time tracker of physical attack incidents, maintains a database that currently covers over 225 verified cases. In 2025, this list grew at an unprecedented rate, and in 2026, the number continued to increase rapidly.

Furthermore, the true number is likely much higher, as many victims remain silent out of fear, privacy concerns, or distrust of law enforcement. The victim group extends far beyond the crypto elite, encompassing teachers, construction workers, firefighters, and their families.

Three landmark cases in 2025

Case 1: Ledger co-founder kidnapped, fingers severed (France, January 2025)

In January 2025, David Balland, co-founder of the crypto hardware wallet company Ledger, and his wife were kidnapped from their home in Vierzon, a city in central France, and held separately. The attackers then sent a video of Balland's severed finger to Eric Larchevêque, another co-founder of Ledger, demanding a ransom in cryptocurrency equivalent to 10 million euros.

After the intervention of France's elite police force, the GIGN (National Gendarmerie Intervention Group), Balland was successfully located and rescued; his wife was found several hours later in a van. Almost all of the ransom already paid was tracked down, frozen, and confiscated. Ten suspects aged between 20 and 40 were arrested, and prosecutors stated that if convicted, they could face life imprisonment.

Case 2: Paymium CEO's daughter attacked on the streets of Paris (France, May 2025)

On the morning of May 13, 2025, Pierre Noizat, CEO of the French crypto exchange Paymium, was walking with his young grandson on the streets of the 11th arrondissement of Paris when they were stopped by three masked men who attempted to forcibly put them into a van.

The attack took place in broad daylight on a busy street and was captured on CCTV. Noizat's daughter fought back, wrestling one of the guns and throwing it to the ground; passersby then joined in, one picking up a gun and pointing it at the assailants, while another used a fire extinguisher to disperse them. The three assailants eventually fled in panic.

Following the escalation of the case, French authorities launched an investigation into related cases, using this attempted kidnapping as a central focus, and prosecuted a total of 25 people, including 6 minors. This detail sparked considerable discussion in the French-language media about the "Mexicanization of France."

Case 3: Former US police officer launches crypto wrench attack (Los Angeles, 2024-2025)

In late 2024, a former Los Angeles Police Department (LAPD) officer was convicted by a jury of physically coercing a cryptocurrency holder into transferring approximately $350,000 worth of Bitcoin. The case was unique because the perpetrator had a law enforcement background—meaning he possessed professional knowledge of how to evade surveillance and how to carry out coercion.

The verdict has been widely cited in the crypto community because it breaks the ingrained assumption that "physical attacks only come from street criminals."

Why are crypto holders particularly vulnerable, and what can users do?

The core conclusion of the CertiK report is that attackers are actively filtering targets based on risk-reward analysis, prioritizing combinations of "high potential gains and low security defenses." This logic has led to four typical target types.

The most direct targets are retail investors who publicly disclose their asset holdings on social media, with on-chain balances verifiable and virtually no security. Industry executives and protocol founders represent higher value and, while usually protected, remain exposed during travel or public events. The third category is family and friends, often overlooked. Criminals know that when spouses, children, or elderly parents are controlled, the primary target will bypass any security protocols. Furthermore, many family members typically lack basic operational security training, resulting in a level of protection far lower than the primary target. The fourth category is over-the-counter traders. Attackers disguise offline transactions as normal business meetings, and once the victim presents proof of assets, they immediately carry out the hijacking.

Meanwhile, attackers' surveillance methods have evolved from human tracking to OSINT-driven digital trace analysis, with attackers identifying vulnerable points in a target's defenses weeks in advance. During the intrusion phase, impersonating delivery drivers or utility workers remains the most effective infiltration method, leaving victims psychologically unprepared. Once inside, attackers deploy Faraday bags and signal jammers to cut off network connections and forcibly isolate victims from their families.

The era of relying solely on a seed phrase is over. Humans remain the most vulnerable single point of failure in the entire security system.

On an individual level, the most crucial step is establishing a separate architecture for the "bait wallet" and the core wallet. The bait wallet needs to hold a small, seemingly reasonable amount of assets; too small an amount will provoke attackers and trigger further violence. In the event of coercion, it provides a compromise outlet, protecting core assets from intrusion. Meanwhile, the seed phrase and signing device must never be stored in the same location; ideally, the seed phrase should be stored in a bank safe deposit box, not left in the home.

In daily life, "don't flaunt" is the bottom line; avoid posting wallet addresses, asset screenshots, or travel plans on any public platform. When traveling, use a dedicated mobile phone with only minimal account permissions, and do not install high-value wallet applications on your everyday devices. High-value transactions should only be completed on a dedicated computer that you do not take with you.

For individuals and institutions holding large amounts of assets, the report offers two structured tools: multi-signature schemes (such as 2/3 or 3/5) fundamentally eliminate the possibility of a single person being coerced into transferring funds; and time-locked contracts impose mandatory delays on withdrawals exceeding a certain amount threshold, creating a window for external intervention.
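The two controls described above, modelled off-chain as an added Python example (not code from the CertiK report or this article): a 2-of-3 approval quorum plus a delay on withdrawals above a threshold, during which any signer can cancel. The signer names, the 1,000-unit threshold and the 48-hour delay are constructed values.

```python
class Vault:
    """Off-chain model of an M-of-N vault with a delay on large withdrawals."""
    def __init__(self, signers, quorum, threshold, delay):
        self.signers, self.quorum = set(signers), quorum
        self.threshold, self.delay = threshold, delay
        self.requests = []
    def _check(self, signer):
        if signer not in self.signers:
            raise PermissionError(signer)
    def propose(self, amount):
        # queued_at is the time quorum was reached; None until then
        self.requests.append({"amount": amount, "approvals": set(),
                              "queued_at": None, "state": "open"})
        return len(self.requests) - 1
    def approve(self, req_id, signer, now):
        self._check(signer)
        w = self.requests[req_id]
        w["approvals"].add(signer)
        if len(w["approvals"]) >= self.quorum and w["queued_at"] is None:
            w["queued_at"] = now  # the delay starts only once quorum exists
    def cancel(self, req_id, signer):
        self._check(signer)
        w = self.requests[req_id]
        if w["state"] == "open":
            w["state"] = "cancelled"  # one uncoerced signer is enough
    def execute(self, req_id, now):
        w = self.requests[req_id]
        if w["state"] != "open":
            return "rejected: " + w["state"]
        if w["queued_at"] is None:
            return "rejected: quorum not reached"
        if w["amount"] > self.threshold and now < w["queued_at"] + self.delay:
            return "rejected: timelock active"
        w["state"] = "executed"
        return "executed"

# Constructed policy: 2-of-3, amounts above 1_000 units wait 48 hours (172_800 s).
def demo():
    v = Vault({"alice", "bob", "carol"}, quorum=2, threshold=1_000, delay=172_800)
    big, small = v.propose(50_000), v.propose(200)
    v.approve(big, "alice", now=0)
    one_signer = v.execute(big, now=0)        # a single coerced key is not enough
    v.approve(big, "bob", now=60)
    in_window = v.execute(big, now=3_600)     # quorum reached, delay still running
    v.cancel(big, "carol")                    # intervention inside the window
    after_cancel = v.execute(big, now=60 + 172_800)
    for s in ("alice", "bob"):
        v.approve(small, s, now=0)
    return one_signer, in_window, after_cancel, v.execute(small, now=0)
```

Amounts at or below the threshold still execute immediately once quorum is reached, so the threshold bounds what can be moved before anyone outside has time to react.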

In addition, CertiK listed three warning signs to be wary of: receiving unsolicited two-factor authentication codes (which may mean an attacker has obtained your digital credentials and is testing the response); unusual real-world events such as receiving deliveries without ordering them, repeated harassment to confirm whether someone is home; and sudden messages from long-lost acquaintances emphasizing the need for an in-person meeting. These three signs appear repeatedly in the case database, yet were rarely recognized as dangerous by the victims at the time.

This is not just a matter of personal safety.

Every time Bitcoin's price hits a new all-time high, Jameson Lopp's database receives a new batch of entries. He has been tracking this correlation between price and violence for nearly a decade.

The crypto industry has spent fifteen years solving the problem of private key security, building increasingly difficult-to-crack wallets, protocols, and multi-signature architectures. But when attackers turn to human bodies, these technical defenses become virtually useless.

The sillytuna case remains controversial, but it raises a real question: as transparency in crypto wealth becomes a selling point for the industry, is it also creating a hunting map for certain individuals?

France has begun discussing whether a dedicated legislative framework is needed to combat cryptocurrency extortion crimes, while law enforcement agencies in the UK, Singapore, and other regions are updating their personal safety guidelines for digital asset holders.

The next person to be cornered by an axe won't necessarily be a billionaire. They could just be an ordinary user whose on-chain balance is visible to others.
