Crypto security firm CertiK estimates that victims have lost approximately $101 million from crypto wrench attacks in the first four months of 2026. If the trend continues at this rate, that equates to hundreds of millions of dollars lost for the full year 2026.
Wrench attacks, a term used in the cybersecurity space for physical assaults and extortion attempts that can overcome even the most robust software security systems, have now become an "established threat vector for cryptocurrency holders," the firm wrote.
Experts say 2025 was the most active year for crypto-related wrench attacks on record, with approximately 70 physical assaults reported. However, because of the nature of these attacks, it is likely that many go unreported.
So far in 2026, CertiK says there have been 34 verified incidents globally, a 41% increase from the same period in 2025. Extropolated out, this equates to an estimated 130 incidents and several hundred million in losses projected for the full year.
Notably, 28 out of 34, or 82%, of these attacks have been recorded in Europe. Meanwhile, reported threats in the U.S. during the first quarter have fallen to three, from nine in 2025, and in Asia to two from 25, CertiK said.
France is once again in the spotlight, with 24 assaults so far on record in 2025. This compares to 20 throughout last year, which already "dominated the country-by-country breakdown by a wide margin."
Last year, the French Ministry of the Interior met with crypto industry leaders in the country to discuss their safety concerns following the high-profile kidnapping and torture of Ledger co-founder David Balland and his wife.
CertiK points to several factors influencing the rate of wrench attacks in France, including the presence of several flagship industry companies like Ledger and Binance, the high number of data leaks that have targeted the country, and the "culture of flexing and voluntary doxxing that remains deeply embedded in the community."
There is also an emerging understanding of the type of people who commit these crimes and their modus operandi. CertiK notes that small teams of 3 to 5 people, often young, are often recruited via Telegram or Snapchat to operate as a ground crew. Orchestraters, meanwhile, are often abroad in places like Morocco, Dubai, and Eastern Europe.
CertiK said that there has also been a recent shift to a "data-driven targeting" model, which minimizes the need for physical surveillance by buying information like a victim's full name, home address, and financial profile from online brokers.
"They purchase data lists, commission coordinators, and receive funds before laundering them," CertiK notes.
Attackers are also increasingly targeting "proxies," with more than half the incidents this year involving a "member of the primary target's family (spouse, child, elderly parent), either as a direct victim or as a pressure lever."
While attackers are turning to online tools to build victim profiles, much of the on-the-ground behavior is unchanged.
"Access techniques remain broadly the same as in 2025, with a strong persistence of the Doorbell Vector (delivery personnel, fake police officers, etc.) and the Honeypot (fictitious business meetings, fake OTC deals, etc.)," CertiK wrote.