Physical extortion of crypto holders has produced more than $100 million in losses in the first four months of 2026, according to a CryptoSlate report published May 11. The figure covers kidnappings, home invasions, and coerced transfers carried out against individuals known or suspected to hold sizable crypto balances, a category researchers refer to as "wrench attacks" after the old XKCD comic about beating a password out of someone with a five dollar wrench.
The headline number runs four months. At that pace, 2026 is on track to exceed the combined reported total of the prior two years.
A losses figure that outruns most on-chain hacks
Most security coverage tracks smart-contract exploits, bridge drains, and exchange breaches. By that yardstick, the $100M tally for physical attacks already rivals several individual on-chain incidents from this year. For context, the entire month of April 2026 saw roughly $635M lost to on-chain exploits across 28 separate incidents, per prior reporting. Wrench attacks have generated roughly a sixth of that figure without a single line of vulnerable Solidity involved.
The shift matters because the attack surface is different. A cold wallet sitting in a safe is irrelevant if the holder is the one being threatened. Multi-sig setups slow attackers down but do not stop them if every co-signer is in the same room. Even hardware wallets with strong PIN protection can be bypassed when the owner is the bottleneck.
Bitcoin at $80,920 keeps balances visible
As of May 11, 2026, BTC trades at $80,920, ETH at $2,328, and SOL at $94.99, with the CMC Fear and Greed index at 50 (Neutral). Prices have stayed elevated enough through 2025 and into 2026 that on-chain balances of holders who self-identified during the prior cycle are still worth chasing. Public attribution from older NFT projects, founder profiles, and conference appearances continues to leak identity-to-wallet linkages that attackers can exploit.
This is one reason researchers flag the trend as structural rather than seasonal. The information leaked during the bull run does not get unleaked when prices flatten. Anyone whose holdings were guessable in 2024 remains a target in 2026.
Patterns inside the $100M number
The CryptoSlate report aggregates incidents that share several common threads:
- Victim selection through OSINT. Attackers identify targets via public wallet labels, conference photos, and social media posts that hint at holdings size.
- Geographic clustering. Cases concentrate in jurisdictions where attackers calculate the local response will be slow, including parts of France, parts of South America, and certain regions where weak rule of law makes recovery unlikely.
- Coerced on-chain transfers. Victims are forced to send funds, often after surveillance establishes their access patterns. Withdrawal limits from exchanges and time-locked vaults do partial work but rarely stop a determined attacker holding someone hostage.
- Family targeting. In several reported cases the victim was not the actual holder but a relative used as leverage.
The pattern argues against the idea that better personal security can fully insulate large holders. Some of the reported cases involved targets who had already adopted operational security practices and still got hit because the leak point was a public association from years earlier.
Custody design does not solve a kidnapping
Self-custody remains the right answer for protocol-level counterparty risk. It does not solve physical coercion. The custody design that actually helps under duress involves time delays, geographic separation of signers, and deniable holdings, all of which are operational rather than cryptographic answers.
For holders who interact with the off-chain economy through crypto cards, the spending side adds its own profile risk. Cards backed by visible on-chain balances, especially custodial cards tied to identified accounts, create another data point linking identity to holdings size. The trade-off is not unique to crypto cards, but it is sharper for holders large enough to be selected for an attack.
The outlook from here
Nothing in the report suggests a near-term reversal. The factors driving the trend are persistent: a multi-year price recovery that makes prior cycle holders worth targeting, a slow erosion of pseudonymity through KYC requirements at on- and off-ramps, and the global mobility of attackers.
The closest thing to a structural counter is the gradual professionalization of operational security among large holders, including better identity-wallet separation, jurisdictional diversification of family residence, and use of intermediated custody for spending balances. None of those eliminate the risk. They make a holder a less attractive target than the next person on the list.
Overview
CryptoSlate reports more than $100M lost to physical extortion of crypto holders in the first four months of 2026, a tally that already rivals the scale of several on-chain exploit categories. Drivers include OSINT-driven target selection, clustering in lower-enforcement jurisdictions, and the persistence of identity-wallet leaks from prior cycles. Self-custody and hardware wallets address protocol risk, not coercion. Operational security, not cryptography, is the working countermeasure.
