Security firm CertiK warned that crypto “wrench attacks” could reach about 130 cases this year, with losses running into the hundreds of millions of dollars. The forecast follows 34 confirmed physical coercion incidents between January and April 2026, which produced an estimated $101 million in losses and marked a 41% year-over-year increase.
The trend matters because these attacks target the human layer of crypto custody, not only wallets, smart contracts or exchange infrastructure. For compliance teams, treasury managers and high-net-worth holders, the risk profile now includes assault, kidnapping, extortion and forced transfers alongside conventional cyber threats.
Europe Becomes the Center of the Threat
CertiK identified Europe as the main hotspot for early-2026 wrench attacks, accounting for 82% of recorded incidents in the January-April window. France stood out sharply, with CertiK logging 24 cases in the first four months of 2026, already exceeding its total of 20 for all of 2025.
Official figures suggest the scope may be broader depending on reporting methodology. French Ministry of Interior sources acknowledged 41 incidents linked to physical attacks since January 2026, highlighting the gap between industry-verified cases and law-enforcement tallies.
By contrast, CertiK reported declining incident counts in North America and Asia during the same period. That divergence points to a geographically concentrated escalation, rather than a uniform global surge in physical crypto crime.
CertiK attributed the rise to criminal groups shifting toward offline coercion as on-chain and protocol-level security improves. In that environment, personal data leaks and public displays of wealth can become attack vectors when criminals connect real identities to valuable crypto holdings.
Criminal Groups Target People, Not Protocols
The tactics documented by CertiK show a more organized threat model. Attackers reportedly used victim data purchased from online brokers to identify targets while avoiding surveillance-heavy methods that might expose them earlier.
Social engineering also played a major role. CertiK described techniques such as impersonation at the door, called the “Doorbell Vector,” and fictitious meetings, described as “Honeypot” setups, where offline deception becomes the entry point for forced asset transfer.
Family members were also targeted to create emotional pressure. The report said attacks were often carried out by compact ground teams of three to five people, directed by orchestrators based in jurisdictions including Morocco, Dubai and parts of Eastern Europe, showing a cross-border operating model behind local physical assaults.
French authorities have already indicted 88 suspects, including minors, in related prosecutions. That enforcement activity suggests law-enforcement attention is intensifying, particularly where organized groups combine crypto targeting with conventional violent crime.
CertiK’s conclusion was blunt: as long as crypto holdings remain tied to identifiable real-world data, organized groups will view physical coercion as an efficient route to illicit gains. That makes privacy, data minimization and identity protection central parts of custody risk management.
The findings shift risk priorities beyond technical hardening. KYC data handling, breach notification procedures and customer communications now require stronger safeguards against exposing high-value holders to targeted physical threats.
Physical security, family-member exposure and treasury continuity planning should become formal components of incident-response and governance frameworks.
The rise in European cases also points to potential supervisory follow-through. If the trend continues, regulators may apply greater scrutiny to data-protection controls and mandatory reporting obligations for crypto service providers handling sensitive client information.