Estimated losses from global crypto wrench attacks reached $101 million in the first four months of 2026, with most attacks occurring in Europe, according to Web3 security company CertiK.
With just 34 documented crypto wrench attacks, the losses have nearly doubled those of 2025, which came in at $52.2 million. Europe accounted for 82% of incidents, according to CertiK.
“Our 2025 report documented a gradual tilt from Asia and North America toward Europe, and these first four months of 2026 mark a European hyper-concentration.”
The frequency of wrench attacks has increased since 2025. They involve physical force to gain access to a victim’s crypto holdings and have taken the form of home invasions, kidnappings and other extortion attempts. CertiK said there have been 34 attacks since the start of the year.
If the trend continues, CertiK predicts that by year-end the number of incidents could hit 130, and losses could reach “several hundred million dollars.”
There have been 34 verified wrench attacks worldwide since the start of the year. Source: CertiK
France is an epicenter of wrench attacks
Of the attacks, 24 crypto wrench attacks occurred in France this year, said CertiK. France’s National Prosecutor’s Office for Organized Crime has reported a higher figure of 47 incidents in 2026.
CertiK said France has likely emerged as a hot spot for these kinds of criminals because of the presence of crypto executives from major crypto companies such as Ledger, Paymium and Binance.
Crypto holders in France are being targeted more than anywhere else in the world. Source: CertiK
It also pointed to numerous data leaks, such as the January breach at crypto accounting firm Waltio and tax official Ghalia C, who is accused of selling crypto asset holder data to criminal networks, and “a culture of flexing and voluntary doxxing that remains deeply embedded in the community.”
“Early 2026 marks the shift to a data-driven targeting model in which prior physical surveillance becomes unnecessary once attackers have the victim’s full name, home address, financial profile, and so on.”
“The structural takeaway is clear: as the security of protocols and wallets tends to improve, the threat migrates toward the human link. As long as crypto-asset holdings remain associated with identifiable financial data, physical coercion will remain the economically most rational attack path,” CertiK added.
Blockchain intelligence company TRM Labs reported in May last year that wrench attacks have been on the rise because of the perceived pseudonymity of crypto transactions, the public visibility of wealth, and the ease with which bad actors can gather personal data online.
The criminal teams are often “complete amateurs”
Across recorded wrench attacks, CertiK said the orchestrators are often located outside the target country. The criminal teams on the ground usually consist of three to five people, and they frequently pose as delivery drivers or police officers, or lure victims into an ambush with a ruse such as a fictitious business meeting.
Related: Law enforcement freezes $41M connected to $150M crypto Ponzi collapse
“Most of the time, they are recruited via messaging apps such as Telegram or Snapchat for a few thousand dollars. They don’t know each other and are complete amateurs,” CertiK added.
Meanwhile, Casa chief security officer Jameson Lopp has recorded 31 crypto wrench attacks so far this year and reported in March that four cases he was tracking for his list turned out to be mistaken identity, with the thieves attacking the wrong targets.
Source: Jameson Lopp
In April, at least 88 people, including 10 minors, were indicted in connection with alleged wrench attacks on crypto owners in France.
“The growing proportion of minors signals an increasing externalization of criminal liability toward profiles less exposed to mandatory minimum sentences,” CertiK added.
Magazine: DeFi’s billion-dollar secret: The insiders responsible for hacks
