Crypto wrench attacks (the term for physical coercion to extract private keys or funds from a target) rose 75% year-over-year in early 2026, with CertiK recording 34 verified incidents through April 2026 and estimated losses around $101 million. France led the country breakdown, accounting for 8 of those incidents. Three US cases broke into mainstream news in May and June: a Tennessee three-man home invasion ring indicted for over $6.5 million in robberies across California, and a Lamborghini Urus carjacking plus kidnapping in Connecticut tied to an earlier Bitcoin theft.
The three US holders most recently targeted made the same general mistake. They were identifiable, publicly, as people who held meaningful crypto. The OPSEC layer was thinner than the security layer on the device.
This piece walks through how wrench attacks work in 2026, the pattern that connects the recent US cases, and what individual self-custody holders can do to reduce their personal-safety risk independent of their wallet's technical security.
The term comes from a well-known XKCD comic: against a $5 wrench applied to the user, sophisticated cryptography is useless. The user gives up the password.
In crypto, the same pattern plays out physically. Attackers identify a target known or suspected to hold significant crypto, locate the target, and use violence or the threat of violence to compel the target to transfer funds to the attacker's wallet, or to hand over a hardware wallet plus PIN, or to reveal a seed phrase.
The attack works against any custody model. Exchange-held funds can be drained via the user's login. Hardware wallets can be drained if the user reveals the PIN. Multisig and recovery setups can be compromised if the user reveals enough of the recovery material.
What the attack relies on is identifying who has crypto in the first place.
The Tennessee indictment names Elijah Armstrong, Nino Chindavanh, and Jayden Rucker for a series of home invasions across California. The targets were people the group had identified through some combination of social media presence, online crypto activity, and possibly leaked database information. The group allegedly stole $6.5+ million across multiple incidents.
The Lamborghini Urus carjacking in Connecticut, with Saif Faiq pleading guilty on June 8, was tied to an attempted Bitcoin theft from a family connected to a separate $100M+ BTC theft that had been the subject of media coverage. The attackers identified the family through the prior coverage and tried to access funds through coercion of relatives.
The pattern: the target was identifiable as crypto-holding through public information before the attack. The attack itself was logistically simple once the target was known.
The math has shifted for any holder with a meaningful position. Three years ago, the wrench-attack risk for retail holders was theoretical. In 2026, CertiK projects 130 incidents for the full year at the current rate, with losses heading toward several hundred million dollars.
The risk reduction strategy runs through personal OPSEC rather than cryptography.
Three categories of action.
For high-net-worth holders specifically, professional advice (security consultants, private banking discretion) is worth the cost.
A hardware wallet defends against remote attacks (malware, phishing, exchange failure). It doesn't defend against an attacker physically present with the device.
Two features help in the physical-coercion case:
PIN with rate limiting. A hardware wallet that rate-limits PIN attempts (after N failed entries, the device wipes itself) raises the cost of a brute-force attempt. The attacker has to coerce the PIN; they can't dictionary-attack it.
Decoy / plausible-deniability mode. Some hardware wallets support entering a decoy PIN that opens a different wallet with different funds. Under coercion, the user provides the decoy PIN, the attacker drains the decoy wallet, and the real funds remain elsewhere.
Neither feature is universal. Whether your specific hardware wallet supports them is worth knowing before you need to know.
Ryder One uses an EAL6+ Infineon SLC38 secure element with PIN rate limiting and signed firmware that resists physical extraction.
TapSafe Recovery splits the backup across hardware and people you trust, which has a side benefit for the wrench-attack case: an attacker who steals the device and the Recovery Tag still doesn't have the phone backup or any Recovery Contact shares. The full wallet recovery requires multiple components from different physical locations.
Three high-profile US wrench-attack cases hit the news in May and June 2026, sitting within a broader 75% year-over-year rise in physical-coercion attacks against crypto holders. The targets shared one feature: they were identifiable as crypto-holding through public information before they were approached. For individual holders, the most effective defense runs through OPSEC rather than technology. Hardware wallets with strong PIN policies help once an attacker is physically present, while the higher-value intervention is making sure you weren't identifiable as a target in the first place.
Reduce the surface, then secure what's left. Ryder One keeps your keys offline on an EAL6+ secure element, with TapSafe Recovery splitting the backup across hardware and people you trust. The full wallet doesn't sit in any one place an attacker can reach. See how it works.
The only crypto wallet you can install on a crowded subway.
Set it up in less than 60 seconds and just tap your phone to send, swap, and recover.
Share: