France faces the brunt of a rising wave of violent crime against the crypto community

France is facing a rise in cryptocurrency-related kidnappings as so-called “wrench attacks” become more frequent, brazen and violent.

That shift was visible this week during an annual international conference on blockchain and cryptography. A police motorcade escorted VIP guests to a dinner at the Palace of Versailles. Security was also significantly reinforced at the Louvre Carousel, where the conference was taking place.

The wrench attacks in France have put the country so notably in the international spotlight that government officials took the stage at the Paris conference to acknowledge their alarm at the magnitude of the problem. They said that this year alone, the country has suffered at least 41 kidnappings and home invasions related to cryptocurrencies. That’s one every two or three days.

Jean-Didier Berger, minister delegate of the Ministry of the Interior, said that a new set of measures is being prepared with the Minister of the Interior, Laurent Núñez, to address this growing problem. A prevention platform has already generated thousands of registrations, but authorities say more measures are needed as incidents continue to rise.

Epicenter of the wrench attack

The country has become the epicenter of a global rise in wrench attacks. Across multiple jurisdictions, attacks on cryptocurrency holders are becoming more frequent and violent, according to security researchers and law enforcement data.

The trend is rising worldwide as well. In 2025, there were 72 verified incidents of physical coercion globally, a 75% increase from the previous year, according to data from Certik and crypto researcher Jameson Lopp, which tracks 188 attacks since 2014. Many more go unreported, he said. Cases of physical assault increased even faster, up 250% year over year.

The term “wrench attack” refers to the use of physical force to gain access to digital assets. For some attackers, it is easier to coerce a person than to break the encryption.

“Every time a wrench attack is successful, it tells the world that cryptocurrency owners are juicy targets,” Lopp told CoinDesk.

Unlike traditional bank transfers, crypto transactions cannot be reversed. Once a victim authorizes a transfer under duress, funds can be quickly moved across wallets and chains.

Attackers look for points of weakness

Researchers say the way attackers identify victims has also changed.

“We’re seeing a shift from ‘find a wallet’ to ‘hunt a person,’” Phil Ariss of TRM Labs told CoinDesk. Instead of looking for technical vulnerabilities, attackers create profiles, he added. They analyze social media activity, public appearances, and leaked data sets. They track routines and identify weak points.

“The biggest avoidable mistake is linking identity, location, and real-world routine too much to visible crypto wealth,” Ariss said.

The problem is compounded when attackers receive help from government officials. In one widely known case, a French tax official sold confidential data to attackers. The case raised concerns among security experts that internal leaks and compromised state data were directly fueling the wrench attacks.

The pool of potential victims has expanded, with mid-level holders increasingly being targeted, sometimes based on limited or indirect signals.

Anyone is a potential victim.

Cases now include families, with children attacked along with parents who own cryptocurrency, making the attacks more difficult to categorize by severity.

In January 2025, Ledger co-founder David Balland was kidnapped in France along with his partner. During the attack, his finger was cut off and sent to his associates as part of a ransom demand. He was rescued after a police operation.

Other cases have involved prolonged captivity and torture, such as one in New York, where a cryptocurrency investor was held for more than two weeks. In Canada, a home invasion led to waterboarding and sexual violence when attackers attempted to force access to funds.

Lopp said both opportunistic and organized groups are involved, but there are signs of growing coordination. “It seems like we’re seeing more organized groups now,” he said.

TRM Labs’ Ariss says his team has seen similar patterns, noting that some groups operate with defined roles and advance planning, including surveillance and follow-home tactics.

“These look less like one-off robberies and more like small kidnapping or robbery teams specialized in cryptographic work,” Ariss said.

Once funds are obtained, attackers tend to move quickly. The cryptoassets they obtain are often converted into stablecoins and routed through multiple chains, making recovery difficult.

France’s role in this trend may reflect a combination of factors, Lopp said, including cases of personal data breaches and cross-border criminal networks.

Rising prices, bigger loot

More generally, rising asset prices have increased the potential benefits of a single attack, while improvements in digital security have reduced the effectiveness of purely technical attacks.

“It’s a lot easier than trying to rob a bank,” Lopp said.

Another issue is visibility: wrench attacks may be largely underreported because many are recorded as standard home invasions or robberies, with no mention of cryptocurrencies.

“A large portion of incidents are still recorded as simple robberies,” Ariss said, adding that the cryptocurrency element is often omitted from reporting, which can make it difficult for authorities to connect cases or identify broader patterns.

The rise in attacks has raised questions about the risks of self-custody, a fundamental principle of cryptocurrencies.

Some security experts point to measures such as multi-signature setups, withdrawal delays and spending limits as ways to reduce risk by limiting how much can be accessed under duress.

“If coercion cannot produce immediate access to most funds, risk and return change,” Ariss said. These measures do not eliminate the threat, but they can reduce the incentive for attackers.

As cryptocurrency adoption grows, attacks are becoming more frequent and severe, turning what was once a niche concern into a broader security risk.
