Wrench attacks have exposed the false boundary between digital and physical worlds, but that reality is not yet fully reflected in how many wealthy families think about risk. This article explores emerging threats, and ways that wealthy individuals and their advisors can combat them.

The following article comes from Matthew Newton (main picture), who is director of investigations and crisis response at Valkyrie, a UK-based firm that concentrates on digital and physical security. Given current geopolitical tensions and challenges, the issues addressed here are critical for private bankers, wealth managers and other advisors for HNW and ultra-HNW clients. The editors are pleased to share this content. The usual editorial disclaimers apply. To comment, email tom.burroughes@wealthbriefing.com and amanda.cheesley@clearviewpublishing.com

A growing threat
For a long time, the security conversation around digital assets has mainly been about what happens online: passwords, encryption, cold storage, multi-factor authentication and the technical controls designed to protect wallets, accounts and platforms.

That remains important, but it is no longer sufficient. As significant wealth has accumulated in digital assets and crypto ownership has become more mainstream, a more direct form of criminality has followed, one that bypasses technical defences entirely and targets the one vulnerability no software can patch: the individual.

For those involved in digital assets, the term “wrench attack” is becoming a serious concern. It describes the use of physical coercion – intimidation, violence or threat – to compel an individual to surrender access to their digital assets. Where cyber attacks target systems, wrench attacks target people. The growing number of recorded incidents suggests that this is no longer a fringe concern, but an established risk category for those holding, managing or perceived to have access to meaningful digital asset wealth.

According to blockchain security firm CertiK’s 2025 Skynet Wrench Attacks Report, there were 72 verified physical coercion incidents worldwide in 2025, a 75 per cent increase on the previous year. Confirmed financial losses exceeded $40.9 million, a 44 per cent year-on-year rise. Even that figure is likely to understate the true scale of the problem, given the prevalence of under-reporting, silent settlements, untraceable ransom payments and reputational concerns that discourage disclosure.

The trajectory into 2026 has continued. CertiK’s 2026 overview recorded 34 verified incidents in the first four months of the year, 41 per cent ahead of the same period in 2025, with estimated losses of approximately $101 million. Physical violence is therefore no longer a niche consideration in digital asset security. It is becoming part of the risk landscape.

Why now? The conditions that created this threat
Several factors have converged to make wealthy crypto holders, and those perceived to have access to digital assets, increasingly attractive targets for physical crime.

The first is the irreversibility of cryptocurrency transfers. A conventional bank payment can often be delayed, queried, frozen or reversed. A cryptocurrency transaction, once confirmed, is typically final. There is no central authority to call, no fraud team to halt the payment and limited practical recourse. Criminals understand this. The knowledge that a coerced transfer may be permanent creates a powerful incentive to use physical pressure rather than more complex technical methods.

The second factor is the growth in self-custody. As digital assets have matured, a growing number of sophisticated investors now hold substantial wealth in hardware wallets or cold storage arrangements, where access may ultimately depend on a device, a seed phrase and one or two trusted individuals. There is no intermediary to target. In some cases, the person holding the keys is the gatekeeper to the wealth.

The third factor is the mainstreaming of crypto wealth. Five years ago, significant digital asset holdings were concentrated among a relatively small technical community. Today, they are distributed across a broader population: entrepreneurs, family offices, early adopters now sitting on substantial gains, trust structures, professional investors and institutions with private clients who have allocated to digital assets. As the pool of potential targets has grown, so has the criminal attention directed at it.

Europe: closer to home than many assume
For private clients and their advisors in the UK and Europe, the geography of this threat matters. This is not a distant problem confined to jurisdictions traditionally associated with higher levels of violent crime. Europe has become increasingly prominent in the recorded data.

CertiK’s 2025 report found that Europe accounted for over 40 per cent of recorded wrench attacks globally, with France the most affected jurisdiction that year. Its 2026 overview reported an even sharper concentration in the first four months of the year, with Europe accounting for 28 of 34 verified incidents. Recorded data is not the same as the full threat picture, but the direction of travel is clear: this is now a relevant issue for European private clients, not simply a problem observed elsewhere.

France has emerged as the clearest warning. In January 2025, David Balland, co-founder of hardware wallet company Ledger, and his wife were abducted from their home, with a ransom demanded in cryptocurrency. The case attracted international attention because of its brutality and because it involved a figure associated with one of the best-known companies in the digital asset sector.

Other cases in France and elsewhere in Europe have involved attacks or attempted abductions targeting relatives of cryptocurrency entrepreneurs. That detail is significant. The asset holder does not always need to be present or even be the primary target. Proximity to wealth can be enough.

The UK, Spain, Sweden and North America have also recorded incidents or patterns of concern. The lesson for advisors is not that every digital asset holder is at imminent risk, but that the physical threat to crypto wealth is no longer theoretical, remote or confined to the most visible names in the sector.

The anatomy of an attack: how targets are identified
The most important thing for high net worth individuals and family offices to understand about wrench attacks is where they begin. They do not begin at the front door. They begin with discoverability.

Cryptocurrency is often assumed to provide anonymity. In reality, blockchain transactions are public and permanently recorded. If a wallet address is ever connected to a real-world identity, whether through an exchange withdrawal, public disclosure, data breach, business activity or social media post, that individual’s transaction history may become more visible than they realise.

This is the transparency paradox at the heart of the threat. The same openness that makes blockchain technology verifiable can also make wealthy holders more discoverable. Sophisticated open-source intelligence tools allow determined actors to link wallet addresses to real identities, map transaction histories, estimate holdings and cross-reference that information with off-chain data such as company registrations, property records, conference appearances, social media activity and leaked material from exchange or platform breaches.

KYC requirements compound the exposure. Regulated exchanges and platforms require identity verification, creating centralised databases of names, addresses, identity documents and account information. When those databases are breached, the information can enter circulation in ways the individual may not discover for years. In May 2025, Coinbase disclosed a significant breach involving customer account data, after attackers bribed or recruited support personnel to obtain information used for social engineering. The incident did not expose passwords or private keys, but it illustrates the wider point: personal and account data connected to digital asset ownership has value far beyond the screen.

Not all exposure originates from voluntary digital footprints or corporate data breaches. Some reporting has pointed to cases where personal or financial information about crypto holders has allegedly been sold or misused by individuals with access to sensitive data. The implication is uncomfortable but important: even a careful individual may find that information has reached the wrong hands through systems they were compelled to use.

Attackers do not rely on a single source. They build a picture. Corporate records, property registers, social media, event biographies, investment announcements, breach data, on-chain analytics and human sources can all be combined. A person who never discusses their holdings publicly may still be identifiable through a conference listing, an advisory board role, a property registered to a connected entity, or a wallet that once interacted with a regulated exchange.

Organised crime, not simple opportunism
The criminal architecture behind the most serious incidents increasingly suggests organised networks rather than isolated opportunism. Some cases involve intelligence-gathering, target selection, surveillance, physical crews and separate individuals involved in negotiation or disposal of funds. In certain investigations, recruitment has reportedly taken place through encrypted messaging platforms and social media channels, with local actors used to carry out the physical elements of an attack.

This model reduces exposure for organisers while pushing the most visible risk onto locally recruited participants. It also means that the person conducting the attack may not be the person who identified the target. For clients and advisors, that matters. The risk may be generated by information exposure long before any individual appears outside a home, office or event.

The targeting is also not limited to those with vast holdings. Intelligence suggesting access to more modest but still meaningful wealth can be enough. So too can perceived access. A visible role in a crypto business, a public association with digital asset investment, or proximity to a wealth holder may create risk even where the individual is not personally holding the assets criminals assume they can reach.

The family dimension
Perhaps the most significant development for family offices and private client advisors is the deliberate targeting of family members and associates.

The logic is straightforward. If the wallet holder is difficult to reach, well protected or unlikely to cooperate directly, attacking or threatening someone they care about may be more effective. Partners, parents, children, domestic staff, drivers and personal assistants can all become pressure points in the eyes of a criminal who has already conducted detailed research into a household.

Recent European cases have included relatives of crypto entrepreneurs being targeted in connection with ransom demands or attempts to force cooperation from the principal. The asset holder may not be the person confronted at the door, intercepted in the street or approached after an event. The broader household can become the attack surface.

This has direct implications for how family offices and advisors frame the conversation with clients. Crypto security is not only a device problem, password problem or custody problem. For significant holders, it is a household security question – one that encompasses the physical environment, the routines and vulnerabilities of every person connected to the principal, and the protocols those people have or have not been given.

What thoughtful families should be doing
The response is not to avoid digital assets, nor to live in a state of heightened alarm. It is to apply the same disciplined, joined-up thinking that well-advised families already bring to physical security, privacy management and crisis planning.

Reduce discoverability. Individuals should understand what an informed and motivated researcher could find about them: corporate registrations, property records, social media, conference biographies, investment announcements, breach exposure and visible connections to digital asset wealth. The goal is not invisibility, which is rarely realistic, but the removal of unnecessary links between personal identity, location and significant holdings.

Reduce predictability. Surveillance-led attacks depend on routine. Repeated departure times, regular routes, familiar venues and visible household patterns all reduce the effort required by a potential attacker. Varying routes, avoiding unnecessary public disclosure of travel, and being alert to repeated vehicles or individuals near home or work can all make targeting more difficult.

Extend the security conversation to the household. Family members and trusted staff do not need to be alarmed with excessive detail, but they should understand what suspicious contact or surveillance looks like, who to notify, and what not to discuss casually. Domestic staff, drivers and assistants can be protective assets or unintentional vulnerabilities, depending on whether they have been included in the security picture.

Review the physical environment. Residential access control, visitor procedures, CCTV, alarms, lighting, delivery processes and the management of contractors all matter. A well-secured digital wallet is of limited comfort if an attacker can exploit a weak route into the home or a predictable arrival pattern.

Ensure that digital asset custody is genuinely resilient. Hardware wallets, seed phrases and recovery arrangements should be held securely and separately. Sensitive materials should not be photographed, emailed or stored in cloud services. For substantial holdings, multi-signature arrangements, institutional custody and other professionally advised structures may deserve serious consideration.

Plan crisis response before it is needed. If a coercive approach, abduction or ransom demand occurs, the priority is always personal safety. Families should know in advance who to contact, how to engage specialist support, and how to avoid making rushed financial decisions under acute pressure. The decision architecture for a crisis should not be improvised in the moment.

Reconsidering security posture
Wrench attacks have exposed the false boundary between digital and physical worlds, but that reality is not yet fully reflected in how many wealthy families think about risk. Digital assets are often discussed in terms of protocols, custody and technical safeguards. Less often are they discussed in terms of household vulnerability, family exposure, routine, public records or crisis preparedness. That gap is where the threat lives.

Clients who hold meaningful digital assets need the same structured thinking applied to their security posture that they would expect around succession, governance or tax. That means understanding exposure, reducing predictability, extending the security conversation to the whole household and having a clear plan for when something unexpected happens.

Wealth management has always been about anticipating risk before it arrives. The families who are best served by their advisors in the years ahead will be those whose security thinking has kept pace with the assets it is meant to protect; and who understand that, in the digital age, the most important lock to secure is not always on a device. It is on the information that leads someone to your door.

About the author
Matthew Newton is director of investigations and crisis response at Valkyrie. He has more than 15 years’ experience in international security, investigations and crisis management, advising high net worth individuals, families and corporations on complex threats including extortion, blackmail, fixated risk, digital exposure and physical security concerns. He has managed high-stakes crisis incidents for private clients and works with individuals and families to assess, understand and reduce their exposure to hostile campaigns, online threats and targeted risk. His background spans digital exposure assessments, open-source investigations and emerging threat analysis, helping clients identify where they are visible, where they are vulnerable, and what to do about it.