The fastest way to get CISSP Certified. Join our bootcamp
There has been a recent spate of vicious attacks on cryptocurrency holders, so we’re gonna do a deep dive into some of the risks. In this first newsletter, we will go through the basics and cover some of the major attacks. In our next newsletter, we will dig a little deeper and analyze why they are appealing to criminals. In our final installation, we will look at some of the security mechanisms that cryptocurrency holders can put in place to protect themselves.
What are wrench attacks?
The physical attacks against cryptocurrency holders are known as rubberhose cryptanalysis, or wrench attacks, after a popular xkcd cartoon. The idea behind rubberhose cryptanalysis is that we can have elaborate cryptosystems to protect our assets, but these are secured by a key, which someone has to know or have in their possession.
If an attacker wants your assets, all they have to do to defeat your elaborate cryptosystem is whip you with a rubberhose, hit you with a wrench, torture you, or even just threaten you. Since most people don’t like torture, they tend to hand over their keys pretty quickly, and their elaborate cryptosystem is useless. There are some ways that you can possibly get around this, but they could lead to endless torture, so they aren’t particularly advisable.
Let’s get to some examples of attacks.
SWATing a crypto-pioneer
One of the first cases of a wrench attack we could find targeted the Bitcoin pioneer, Hal Finney, back in 2014. The attacker had been attempting to extort 1,000 Bitcoin from Finney for about a year. After stubbornly refusing to comply, the attacker called 911 and falsely told the operator that they had just murdered two people at Finney’s house and that they were about to commit suicide. The operator sent the SWAT team to raid Finney’s house under the assumption that a dangerous situation was taking place. A police helicopter also came to the scene, and the SWAT team had to clear the house to ensure that it was safe.
While this episode of SWATing (falsely calling a SWAT team to someone’s house) doesn’t seem like the most gruesome wrench attack, the now-deceased Finney was battling Lou Gehrig’s disease at the time of the incident. He couldn’t swallow and was confined to a wheelchair, so the SWATing could have easily harmed or killed him.
Crypto-millionaire’s father kidnapped in France
On the first of May, a man was abducted from a Parisian street. Four men with ski masks pushed him into a van. The victim was the father of a wealthy cryptocurrency entrepreneur. The kidnappers took the man to an address in the suburbs of Paris, demanding a ransom of between €5 million and €7 million according to Le Parisien. Within three days, the police raided the house and saved the victim, but he had already had a finger cut off. The police ended up making five arrests over the incident.
Attempted kidnapping on a Paris street
In the middle of May, attackers tried to kidnap a woman in broad daylight from a Paris street. The woman was the daughter of a French businessman in the crypto-industry. The video in the linked article shows two people struggling against three attackers while a van idles with its backdoor open beside them. The man is bleeding from the face as he holds onto the woman. The couple are rescued by a shopkeeper who storms in with a fire extinguisher as a weapon, and the attackers soon flee in the van.
Kidnapping and torturing an Italian crypto-investor
Toward the end of May, an Italian man broke free from an expensive New York city townhouse. He had been tortured inside for over two weeks. His assailants were his business partners, who were attempting to get the man to give up his cryptocurrency keys.
We will save you from the goriest details, but the assailants beat him, dangled him over a ledge, used weapons, electrocuted him, forced him to smoke crack, and even took Polaroids of the abuse (who says criminals are smart?).
After enduring the abuse for weeks, he finally said that he would cave and hand over his keys. When the attackers went to get his laptop, he managed to make a break for it and flee onto the street to safety.
Many more attacks
There’s a more detailed list of physical attacks on cryptocurrency holders, which tracks incidents from 2014 onward. There have been almost 30 attacks since the start of this year—the last three attacks we described above all occurred in May alone. This shows that these attacks are becoming concerningly common.
However, these are just the attacks that are publicly known—many more never make it to the authorities or the media. According to the Investigating Wrench Attacks paper, of the 11 incidents discussed in interviews with the researchers, only two were reported to the authorities. One reason was that people don't want the spotlight on them—they could be targeted again. Another reason was that the victims wanted to avoid further complications from their offenders. Victims were also worried that their case wouldn’t be taken seriously by the authorities.
The easiest and fastest way to pass the Security+ exam
Build Your Cybersecurity Foundation. Our team has helped thousands of professionals succeed with advanced certifications like CISSP and CCSP. Now we've taken that same proven and tailored it specifically for Security+!
Prepare to Pass: Get the Right CISSP
Bootcamp
Master CISSP — as Easily and Quickly as Possible. Join our CISSP 5-Day Live Bootcamp with expert instructors Rob Witcher and John Berti to fast-track your exam prep and master all 8 CISSP domains. Live on Zoom, this intensive training is packed with real-world insights and Q&A—reserve your spot now!
Prepare to Pass CCSP: Get the Right CCSP
APP
Studying for the CCSP? Big news! We’ve just added 1,000 brand-new questions to our CCSP Exam Prep App—giving you even more ways to test your knowledge and boost your confidence. Whether you're brushing up on cloud security concepts or getting serious about exam day, the updated app is packed with fresh content that reflects the latest exam trends. Study anytime, anywhere, and get one step closer to becoming CCSP certified.
Free CCSP Data Center Design Mini MasterClass
If you’re interested in cloud security, check out our new FREE Mini MasterClass. It digs into data center design.
It’s based on the CCSP certification requirements, but even if you’re not thinking of getting certified, what you learn is very useful in practice if you ever need to deal with data centers.
