
The Escalating Threat Landscape


Brian Cubellis | Chief Strategy Officer

Feb 3, 2026

Physical and Digital Attacks on Bitcoin Holders


Bitcoin ownership has always carried responsibility. The asset's defining characteristic is that it can be held and transferred without reliance on any financial intermediary. This sovereign control is one of bitcoin's most powerful features, but it also places the burden of security squarely on the holder. As bitcoin has appreciated and gained mainstream recognition, that burden has grown heavier. The threat landscape facing bitcoin holders in 2026 looks very different than it did even a few years ago.

The data tells a sobering story. According to a database maintained by security researcher Jameson Lopp, there were 41 documented attacks against cryptocurrency holders in 2024. In 2025, that number exceeded 70. These figures almost certainly undercount the true total. Victims of violent crime involving cryptocurrency have strong incentives to avoid publicity. Many fear that public disclosure will mark them as targets for future attacks, or they simply lack confidence that law enforcement can help recover stolen funds. The attacks we know about represent the visible portion of a much larger problem.

The nature of these attacks has also evolved. What was once referred to as the "$5 wrench attack," a somewhat abstract thought experiment about physical coercion, has become a documented pattern of kidnapping, torture, and violence. In January 2025, David Balland, a co-founder of the hardware wallet company Ledger, was kidnapped along with his wife from their home in France. His attackers severed one of his fingers and sent it to associates while demanding ransom. French special forces ultimately rescued the couple, and authorities later arrested the alleged ringleader in connection with multiple kidnapping plots targeting cryptocurrency holders across the country.

The violence is not confined to Europe. In May 2025, a 28-year-old Italian man was held captive for 17 days in a luxury New York City townhouse. His captors used electrical wires to shock him, hung him from the building's roof, threatened him with a chainsaw, and forced him to smoke crack cocaine while demanding access to cryptocurrency holdings reportedly valued at $28 million. He eventually escaped by convincing his captors he would provide a password, then fleeing when one of them left the room. In British Columbia, a family was held hostage overnight by attackers who subjected them to waterboarding, sexual assault, and death threats. The criminals had detailed knowledge of the family's names, cryptocurrency holdings, children's schedules, and property locations. They ultimately extracted $2 million in bitcoin before fleeing.

These cases illustrate a critical point about how attacks on bitcoin holders unfold. Physical violence is often the final step in a chain that begins with digital reconnaissance. Attackers are not selecting victims at random. They are using leaked customer data, blockchain analysis, and social media surveillance to identify individuals with significant holdings. Once they have assembled a target profile, they plan their approach with careful attention to the victim's patterns of life, family structure, and security vulnerabilities.

The Data Breach Pipeline

The connection between digital security failures and physical attacks has become impossible to ignore. Over the past several years, a series of high-profile data breaches at cryptocurrency companies has exposed the personal information of millions of users. This information is now circulating on dark web marketplaces and being used to identify and locate potential victims.

Ledger, the French hardware wallet manufacturer, has experienced multiple breaches affecting its customer base. In 2020, attackers accessed marketing and e-commerce data containing the personal information of approximately 270,000 customers. The leaked data included names, email addresses, phone numbers, and in many cases, home addresses.

In January 2026, Ledger disclosed another breach involving its payment processing partner Global-e, which exposed customer names and contact information for an undisclosed number of users who had purchased devices through Ledger's online store. Security researchers have warned that anyone identified as a hardware wallet owner becomes a potential target for phishing, social engineering, or physical attack, regardless of whether their specific information appears in a known leak.

The implications of these breaches extend beyond the immediate risk of phishing. When attackers know that someone purchased a hardware wallet, they can reasonably infer that person holds cryptocurrency and is likely managing their own keys. This transforms a data breach into a targeting list for physical violence.

Coinbase, the largest cryptocurrency exchange in the United States, disclosed in May 2025 that overseas customer support contractors had been bribed to steal sensitive customer data. The breach affected approximately 69,500 users and exposed names, phone numbers, email addresses, mailing addresses, partial Social Security numbers, bank account identifiers, government-issued identification images, and account balance information. The attackers used this data to conduct social engineering attacks, impersonating Coinbase employees and convincing customers to transfer funds or reveal additional credentials. Some victims lost their entire holdings. The company estimates total costs from the incident at between $180 million and $400 million.

The Coinbase breach is particularly instructive because it demonstrates that even platforms with strong technical security can be compromised through their human elements. The attackers did not hack Coinbase's systems. They bribed employees with access to customer data. This pattern of insider compromise is becoming more common as criminals recognize that the path of least resistance often runs through people rather than technology.

Social Engineering and Account Takeover

Beyond physical violence, bitcoin holders face a sophisticated and growing ecosystem of social engineering attacks designed to trick them into surrendering their credentials or private keys.

SIM swap attacks, in which criminals convince mobile carriers to transfer a victim's phone number to a device they control, have increased dramatically. The UK's fraud prevention service Cifas reported a 1,055% increase in unauthorized SIM swaps between 2023 and 2024, from 289 cases to nearly 3,000. In the United States, the FBI documented $26 million in losses from SIM swapping in 2024 alone. Once attackers control a victim's phone number, they can intercept two-factor authentication codes and reset passwords for email, banking, and cryptocurrency accounts. The $400 million theft from FTX in 2022 was executed through a SIM swap targeting an employee.

The professionalization of social engineering operations has accelerated. In recorded conversations with scammers, early bitcoin investor Junseth has documented the methods used by young American attackers who cold-call cryptocurrency holders using data purchased from dark web marketplaces. One scammer described making calls for eight to ten hours per day, earning between $10,000 and $100,000 daily by impersonating customer support representatives from exchanges and hardware wallet companies. The scammers use urgency and fear to manipulate victims into entering credentials on fake websites or disabling security features. They target customers of Coinbase, Swan, Ledger, and other platforms where customer data has been compromised.

These attacks succeed because they exploit trust in familiar institutions. When someone receives a call from what appears to be their exchange's support line warning that their funds are at risk, the natural instinct is to cooperate. The scammers understand this psychology and design their scripts to maximize pressure while minimizing the victim's opportunity to verify the legitimacy of the call.

Why Traditional Custody Models Fail

The escalating threat environment exposes fundamental weaknesses in the custody models most commonly used by bitcoin holders.

Self-custody, which involves managing private keys directly through hardware wallets or other personal devices, offers sovereignty and independence from third parties. For modest holdings, this approach can be appropriate and secure. But as the value of holdings grows, self-custody transforms the holder into a target. An attacker who knows that someone manages their own keys understands that physical coercion may be the fastest path to those funds. The blockchain's public nature means that sophisticated criminals can sometimes identify wallet ownership patterns and estimate balances. Unlike a traditional brokerage account, where assets are protected by institutional controls and transactions can often be reversed or delayed, bitcoin transactions are final. If an attacker forces a victim to sign a transaction, the funds are gone.

Holding assets on an exchange solves some of these problems but introduces others. Exchange accounts remain vulnerable to SIM swaps, social engineering, and credential theft. The Coinbase breach demonstrated that insider compromise can expose customer data and enable targeted attacks. And unlike banks, cryptocurrency exchanges are not subject to the same regulatory protections or recovery mechanisms. Users whose funds are stolen through account takeover typically have no recourse.

Hardware wallet manufacturers have positioned their products as secure solutions for self-custody, but the repeated data breaches affecting companies like Ledger have undermined this premise. Purchasing a hardware wallet now carries the risk that your personal information will end up on a list used by criminals to identify potential victims.

A Market Structure Problem

The vulnerability of bitcoin holders to physical and digital attack is not a flaw in the asset itself. It is a reflection of how early we are in the development of bitcoin's custody infrastructure. Every other major asset class has evolved past this stage. Nobody attempts to rob someone for their house deed, because real estate title is recorded in county databases and transferred through escrow processes that require legal documentation and institutional coordination. Nobody kidnaps an investor to steal their equity portfolio, because brokerage accounts are protected by institutional controls, regulatory frameworks, and settlement processes that make coercion functionally useless. Even cash in a bank account is insulated from physical threats by the layers of verification and oversight that the banking system has built over centuries.

Bitcoin, as it is commonly held today, has no comparable infrastructure. A holder who manages their own keys carries the full value of their position on a device in their home or on their person. A holder who relies on a single exchange account is one SIM swap or one insider breach away from total loss. No other asset class concentrates this much risk at the individual level. This is the market structure gap that attackers are exploiting, and it is a significant reason why many prospective investors and allocators remain on the sidelines. The security challenges are real, and for large holders, the absence of institutional-grade custody infrastructure creates a catch-22: the asset's value proposition is compelling, but the practical realities of securing it at scale have not kept pace with its appreciation.

This is a solvable problem. Traditional financial markets went through analogous growing pains. The centralization of gold into bank vaults and eventually sovereign reserves occurred precisely because individuals could not safely store large quantities of a valuable bearer asset in their homes. The development of stock transfer agents, custodial banks, and clearinghouses solved similar problems for equity and bond markets. Bitcoin needs its own version of this institutional maturation, one that preserves the asset's unique properties of self-sovereignty and censorship resistance while providing the security infrastructure that serious capital requires.

Structural Protection Through Multi-Institution Custody

Multi-institution custody offers a fundamentally different approach to securing bitcoin. Rather than concentrating control in the hands of the individual holder or a single custodian, multi-institution custody distributes key management across multiple independent institutions using bitcoin's native multi-signature capability.

In a typical implementation, three separate institutions each hold one key in a two-of-three configuration. No single institution can move funds unilaterally. Withdrawals require coordination between two of the three keyholders, each of which conducts independent verification of the client's identity and intent through live video calls and document checks. The process includes protocols specifically designed to detect coercion, with trained operations teams at each institution evaluating whether the client appears to be acting under duress.

This structure changes the calculus for attackers in a fundamental way. A criminal who coerces a victim into initiating a withdrawal will discover that the victim cannot complete the transaction alone. The attacker would need to simultaneously fool multiple independent institutions, each with its own verification procedures. And even if an attacker could somehow pass these checks, time-based controls add another layer of defense.

Onramp's Guardian framework extends these protections with configurable withdrawal delays, velocity limits, and fraud detection capabilities. Clients can opt for holds of five, ten, or twenty business days before funds can move. Private clients with larger balances can implement delays of up to 365 days, liftable only through in-person verification. Velocity controls allow clients to set maximum withdrawal amounts per month, ensuring that even a successful attack could only access a fraction of holdings. A freeze function enables clients to halt all withdrawals instantly if they suspect their account has been compromised.

Guardian also addresses the growing threat of AI-enabled impersonation. Biometric and behavioral verification systems are designed to detect deepfakes and synthetic media. Pre-call liveness checks require clients to submit a live selfie with head movements that confirm the presence of a real human rather than a generated video. These measures create barriers that current deepfake technology cannot reliably overcome, and the system is designed to evolve as the threat landscape changes.

Perhaps most importantly, Guardian includes a disclosure option that allows clients to make their time-lock protections visible to potential attackers. This serves as a deterrent by making clear that assets cannot be accessed immediately, even under duress. When criminals understand that coercing a victim will not result in rapid access to funds, the incentive for physical attacks diminishes significantly.

All Guardian settings require video verification and a five-business-day delay to deactivate. Protections cannot be silently disabled in the background by an attacker who has gained access to credentials. The system assumes that perimeter defenses will eventually be breached and builds layers that cannot be bypassed even when they are.
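
The controls described in this section (two-of-three approval, a business-day hold, a monthly velocity cap, a freeze, and a delayed deactivation) can be modeled as a small policy check. This is an added example, not Onramp's code: the institution names, the satoshi amounts, the calendar-month velocity window, and the order of the checks are assumptions, and public holidays are ignored.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

INSTITUTIONS = {"inst_a", "inst_b", "inst_c"}  # hypothetical keyholder names
QUORUM = 2                                     # two-of-three, as in the text

def add_business_days(start: date, days: int) -> date:
    """Advance by `days` weekdays (Mon-Fri). Assumption: holidays ignored."""
    d = start
    while days > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            days -= 1
    return d

@dataclass
class Account:
    hold_days: int = 10                   # text offers 5, 10 or 20 business days
    monthly_limit_sat: int = 100_000_000  # constructed velocity cap (1 BTC)
    frozen: bool = False
    released: list = field(default_factory=list)  # (date, sats) already paid out

    def spent_in_month(self, day: date) -> int:
        # Assumption: "per month" means the calendar month of the release date.
        return sum(s for d, s in self.released
                   if (d.year, d.month) == (day.year, day.month))

    def evaluate(self, sats, requested, today, approvals):
        """Return (decision, reason) for one withdrawal request."""
        if self.frozen:
            return "deny", "account frozen"
        # Only distinct, known institutions count toward the quorum.
        if len(set(approvals) & INSTITUTIONS) < QUORUM:
            return "deny", "quorum not met"
        if self.spent_in_month(today) + sats > self.monthly_limit_sat:
            return "deny", "velocity limit exceeded"
        release_on = add_business_days(requested, self.hold_days)
        if today < release_on:
            return "pending", f"held until {release_on.isoformat()}"
        self.released.append((today, sats))
        return "release", "all controls satisfied"

    def disable_hold_effective(self, requested, video_verified):
        """Turning a protection off: video verification plus 5 business days."""
        if not video_verified:
            return None
        return add_business_days(requested, 5)
```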

Planning for the Future

The threat landscape facing bitcoin holders will continue to evolve. As the asset appreciates and adoption grows, the incentives for attackers will increase. Holders who secured their bitcoin years ago under different circumstances should reassess whether their current custody arrangements match the value of their holdings today, and the potential value those holdings may represent in the future.

This does not mean abandoning self-custody entirely. For many holders, maintaining some portion of their bitcoin in direct personal custody remains appropriate. But concentrating significant wealth in a custody model that makes the holder a physical target may no longer be prudent. A diversified approach, combining the sovereignty of self-custody with the institutional protections of multi-institution custody, can provide both resilience and peace of mind.

If you are evaluating your custody setup and considering how to address the risks described in this report, our team is available to discuss your options. Whether you choose self-custody, multi-institution custody, or a combination of both, we are here to help you design a custody plan that protects your bitcoin and your family.
