CertiK: Wrench attacks surge in Europe; families targeted

CertiK verified 34 crypto “wrench” attacks worldwide in the first four months of 2026, with 28 of those incidents, or 82%, occurring in Europe. The firm estimates victims lost about $101 million during that period and projected roughly 130 incidents and several hundred million dollars in losses if the pace continues for the full year.

Wrench attacks are physical assaults and extortion aimed at cryptocurrency holders. Attackers use force, threats or coercion to gain access to private keys, devices or accounts, bypassing software protections.

The number of verified incidents for Jan–Apr 2026 rose 41% compared with the same period in 2025, CertiK reported. Reported incidents fell in the United States to three from nine and in Asia to two from 25 over the same comparison, according to the firm's data.

France accounted for 24 of the verified attacks so far in 2026, up from 20 for the full year of 2025. CertiK highlighted factors in France that may influence targeting, including a concentration of major crypto firms, repeated data leaks and a community culture that can involve public disclosure of holdings.

The firm found that more than half of this year’s incidents involved a family member of the primary target-spouses, children or elderly parents-used either as direct victims or as leverage to coerce owners to transfer funds.

CertiK described a shift toward “data-driven targeting.” Attackers increasingly buy personal information-full names, home addresses and financial profiles-from online brokers, which reduces the need for prolonged physical surveillance. Organizers then recruit local ground teams, often three to five people, through social apps and arrange payments that are later laundered through crypto channels.

Orchestrators commonly remain abroad, the firm reported, naming regions including Morocco, the United Arab Emirates and parts of Eastern Europe as bases for coordination. On-the-ground access methods described by CertiK remain similar to 2025, with attackers posing as delivery personnel or fake officers (the “Doorbell Vector”) or using fictitious business meetings or phony over-the-counter deals (the “Honeypot”).

CertiK warned that many wrench attacks likely go unreported, so actual incident counts and financial losses may be higher than verified totals. The firm also noted that cross-border coordination by criminal groups complicates tracking and reporting.

The firm called wrench attacks an established threat vector for cryptocurrency holders and said investigations of recent cases are building a clearer picture of attacker profiles and methods. Authorities and industry representatives have previously met in some countries after high-profile physical assaults and abductions linked to crypto holdings.