By Sam Schechner, Robert McMillan and Angus Berwick
Compiled by: Luffy, Foresight News
A wrench lies on overflowing code, symbolizing crypto crime
Early last Tuesday morning, cries of Help! Help! Help! rang out through the narrow streets of a fashionable Paris neighborhood.
Three masked men pounced on a 34-year-old woman whose father is the head of French cryptocurrency exchange Paymium. Brandishing pepper spray cans and what looked like a gun, the masked men tried to force the woman and her young child into a white van disguised as a delivery truck.
But the womans husband immediately stood between the family and the attacker, and a neighbor rushed to take the child away. The woman shouted, Let me go! The attacker hit her husband with a stick, and his head was seen bloodied in the video captured by a camera on a nearby building.
Other neighbors then gathered around, and a shop owner prepared to throw a fire extinguisher as the attempted kidnapper jumped into the back seat of a van and fled in panic.
The brazen attack is the latest in a wave of violent kidnappings of cryptocurrency executives and their families around the world, with victims beaten with rifle butts, kidnapped and, in two cases, having their fingers cut off.
The criminals’ goal is clear: millions of dollars in cryptocurrency ransoms.
These attacks are often called wrench attacks because criminals rely on simple tools to inflict pain on victims, rather than complex hacking techniques to carry out the theft.
From digital defense to real threats
Hacking has long been a major risk for the crypto-rich. But to protect against hackers, savvy investors are increasingly storing their cryptocurrencies in offline physical devices, which makes remote theft more difficult. However, real-life crypto crimes bypass these security measures.
“A lot of people have gotten to the point where they hide their gold under their mattress,” said Jameson Lopp, co-founder of bitcoin security firm Casa. “But if you’re high-profile … you have to be wary of physical attacks.”
Such concerns were heightened this week when cryptocurrency exchange Coinbase disclosed that the personal information of up to 97,000 customers, including addresses and snapshots of account balances, had been compromised. The company said the data may have been stolen by a customer service contractor or employee who took bribes, and rejected a $20 million ransom demand.
Another factor spurring crime: The soaring value of cryptocurrencies, with Bitcoin up 54 percent in the past year, has created a large pool of potential high-net-worth targets.
At least five cryptocurrency-related kidnappings have occurred in France in recent months, according to government officials and industry experts, and dozens of similar cases have been documented worldwide in the past year. Last July, an Australian cryptocurrency billionaire was nearly kidnapped in Estonia and fought off attackers disguised as painters, according to local media reports. In March, a cryptocurrency influencer in Houston was attacked at home and her husband engaged in a gunfight with robbers who broke in late at night to demand her laptop.
Some of the attacks were botched and the criminals were quickly arrested, but there are signs that organized crime groups have seen huge profit potential.
“Criminals are testing the waters to see what the return on investment is for a ‘wrench attack,’ ” Lopp said.
Last September, a Florida man was sentenced to 47 years in prison for leading a multistate ring of home invasions involving cryptocurrency. In one of the attacks, he held a pink revolver to the head of a 76-year-old man in Durham, North Carolina, and threatened to cut off his genitals. The victim eventually transferred $150,000 in cryptocurrency to the attacker, and the man was later ordered to pay more than $500,000 in damages to the victim.
On Friday morning, French Interior Minister Bruno Retailleau convened a meeting of cryptocurrency company executives to propose new security measures for the industry. Retailleau said Tuesdays attack was similar to other recent kidnappings in France, where officials said the masterminds recruited young criminals who had never met before through apps such as Telegram and Signal, and then carried out their plans remotely.
Its very possible that these cases are related, Retailleau said in a television interview.
The cost of showing off your wealth online
So far, most of the reported victims of wrench attacks are related to industry celebrities, either famous for their work in the cryptocurrency industry or for attracting attention by showing off their wealth online.
Killian Desnos, an online gambling influencer known as Teufeurs for his YouTube and Twitch livestreams, rang his fathers doorbell in a small town in northwestern France in August 2023, prosecutors said.
The man and an accomplice dragged Desnos father into a car and soon sent Desnos a ransom video showing his father tied up with a gun to his head. Prosecutors said Desnos, who was living in Malta at the time, called the police and paid the ransom. The next day, his father was rescued and police quickly arrested two suspects.
“Now I realize that showing off your wealth online is not a good thing,” Desnos wrote on Platform X at the time.
A key question today is how criminals target people in real life, and what to do about it.
Members of the cryptocurrency community said they had set their Instagram profiles to private and tried to remove their and their families’ addresses from public records. One executive said he was particularly worried about his young children. After Tuesday’s attack, Paymium called on authorities to ease disclosure obligations, saying the data breach could put customers at risk.
In addition to the Coinbase breach, two other breaches have concerned investigators: The first was a July 2020 hack of French cryptocurrency wallet company Ledger, which makes physical devices for offline storage of cryptocurrency keys. Hackers broke into Ledgers database, and the names, emails and mailing addresses of 272,000 customers were eventually leaked online. The second was a hack of risk consulting firm Kroll, where hackers obtained addresses and other personal information of creditors in the bankruptcy proceedings of cryptocurrency company Genesis.
Cybersecurity investigators said data from both hacks had been circulated on criminal forums.
Others point to the vast amounts of personal data that have been stolen and leaked over the past decade. In France, public company registers can include an entrepreneur’s home address.
Taylor Monahan, a security researcher at cryptocurrency wallet company MetaMask, said cyber criminals are good at targeting victims addresses by cross-checking databases or even purchasing information. This information is often used publicly to threaten and expose the victims identity, a cyber attack known as doxxing.
“The younger generation is very internet savvy and very good at human flesh searches,” she said.
Some Ledger users have complained that data leaks have exposed them to extortion and threats. In early 2021, Los Angeles-based cinematographer Naeem Seirafi began receiving phishing emails and text messages asking him to enter his Ledger account information to verify new deposits or prevent assets from being lost due to a vulnerability.
Afterwards, someone sent him a message demanding a ransom of 0.3 bitcoins (worth about $10,000 at the time), threatening to attack his family if he failed. “You hold a large amount of cryptocurrency,” the other party said in the text message, “I will share this information with the bad guys in your area.”
The threat came true: Seirafis parents were confronted with a virtual alarm at home while he was out. Local police received a 911 call saying someone had shot a friend at Seirafis home. According to police reports, nearly a dozen officers raided his home and determined it was a prank.
Seirafi later joined a class-action lawsuit filed against Ledger in a California district court, seeking damages. “For hackers, Ledger’s customer list was a gold mine,” the lawsuit said.
Lawyers representing the class action declined to comment. Ledger argued to the court that Seirafi suffered no damages from the data breach because he did not lose funds. A company spokesperson declined to comment further.
Fingers: 9/10
David Balland, a co-founder of Ledger who is no longer directly involved with the company, was kidnapped at gunpoint along with his partner from their home near Vierzon in central France in the early hours of a Tuesday in January, French officials said.
French police cordon off a street in Mereau near Vierzon, France, January 2023
A few hours later, other Ledger co-founders (including Eric Larchevêque) received extortion messages from the mastermind, demanding a ransom of 10 million euros. People familiar with the matter said they judged the messages to be authentic based on the T-shirt David was wearing, and one of the messages contained a video of the attackers chopping off one of Balland’s fingers.
Police negotiators worked with Larchevêque to try to buy time for the kidnappers and approve the payment of a ransom of more than 1 million euros while investigators searched for where Balland and his partner were being held.
“This is a race against time,” Paris prosecutor Laure Beccuau later said in a television interview. “We have to rescue these two hostages and save their lives.”
Police eventually tracked the kidnappers to a rental home next to farmland, about 40 minutes south of where the two were abducted. Police raided the house and rescued Balland, but his partner was not there.
“We thought they would be held together, and when we found out they were separated, it became very difficult,” said Nicolas Bacca, another co-founder of Ledger.
It wasn’t until the following day that Balland’s partner was found in a stolen van: the vehicle was located an hour and a half north, by which time another ransom had been paid.
Paris prosecutor Laure Beccuau holds a press conference following the kidnapping of Balland and his partner
Fortunately, the mastermind demanded a ransom in USDT, a cryptocurrency pegged to the U.S. dollar that can be frozen. The Ledger team initiated a freezing plan immediately after the hostages were released, and according to people familiar with the matter, they were able to recover about 80% of the 3 million euros paid in ransom, and more in the following days.
We have experienced unimaginable violence, Balland wrote on social media, asking for privacy for his family. According to screenshots from the time, he temporarily changed his profile description on X Platform to: Fingers: 9/10.
It is unclear how the attackers found Ballands address. People familiar with the matter said his home address was not exposed in the Ledger data breach.
In April, prosecutors filed preliminary charges against a man who, people familiar with the matter said, had been incarcerated on charges related to the 2023 kidnapping of Desnos’ father and who allegedly helped plan Balland’s kidnapping from prison. Investigators are still trying to determine whether he was hired by another mastermind.
Earlier this month, the father of another Maltese cryptocurrency entrepreneur was kidnapped while walking his dog in Paris, and a ransom video showed the old man having a finger chopped off. According to prosecutors, several people were arrested in the attack, all aged between 18 and 26.
In less than half a month, another typical case occurred.
On Tuesday, the daughter of the Paymium CEO managed to escape with the help of her husband. Police said the gun at the scene was actually a toy.
Eric Larchevêque, co-founder of Ledger, 2018. Source: Bloomberg
They are doing well, Paymium Chief Executive Officer Pierre Noizat said in a television interview on Friday about his daughter and son-in-law, whom he called a hero and said he had a few stitches.
Noizat and other victims of the attacks say the crime wave is shaking their faith in Frances ability to control criminal gangs and drug traffickers.
Ledger co-founder Larchevêque decried the “Mexicanization” of France on the X platform this week. “How many entrepreneurs, how many talented people are seriously considering leaving this country that no longer protects its people?”
