2025 was a big year for bitcoin. Watch the year in review w/ Preston Pysh, James Lavish, and Bitcoin Policy Institute!
Much like gold, bitcoin is a bearer asset that enables individuals to hold it directly. If you decide to take true ownership of your bitcoin in this way, thinking through all of the potential attack vectors becomes an important part of prudent security.
Over the past decade, there have been several reports of cryptocurrency owners being confronted with threats of duress and extortion. Among some bitcoin holders, this has led to concerns and questions about what can be done to guard oneself against such an experience. This article seeks to shed light on this subject and address these questions. We will assess the reality of the concern, discuss preventative measures, and think through strategies that can help you feel more comfortable with holding bitcoin.
Within the world of digital security, the term “five dollar wrench attack” or just “wrench attack” became a popular phrase to describe the threat of physical extortion, due to some dark humor within a widespread February 2009 comic. It illustrated that no amount of cryptographic security protecting your digital authentication procedures can stop you from simply giving up your authentication credentials to someone else while under duress.
But how worried should someone be about this kind of threat? To answer this question, we must look at the existing data and research. The only academic investigation of this issue so far was published in 2024 by Ordekian et al., but there have also been excellent contributions on this topic from security expert Jameson Lopp, such as maintaining an up-to-date list of known physical attacks against cryptocurrency users.
In May 2025, Lopp explained that wrench attacks are relatively rare, and people are far more likely to lose their bitcoin for other reasons: “it’s important to put this all in context. Wrench attacks are probably the rarest type of attack that happens in this space. [...] There are many, many, greater, more common threats that you should be worried about long before you start worrying about the wrench attack.”
The more common threats to your bitcoin include trusting a third-party custodian with full control over your funds, taking self-custody without proper bitcoin key management or security (such as failing to implement cold storage), or getting scammed by sophisticated social engineers. Criminals are much more likely to target your bitcoin remotely through phone calls, text messages, social media, and emails. This way, thieves hope to avoid physical altercations and surveillance footage. Your first step in protecting yourself should be to review our 11 imperatives to defend your bitcoin from modern-day scammers, and implement those best practices.
Just how rare are wrench attacks? According to the list maintained by Lopp, there have been over 250 documented cases of physical attacks related to cryptocurrency since the first known case in 2014. The research by Ordekian et al. suggests that incidents are likely underreported, and the true number could be substantially higher. Still, with the cryptocurrency user population estimated to be in the hundreds of millions, wrench attacks per capita is a tiny ratio, with some variance depending on geographical region.
Therefore, wrench attacks are statistically very improbable, but not impossible. This is also the case with many other things in life—which we can look to for inspiration on how to respond appropriately. For example, the chance of getting in a severe car accident is low, but it always remains a possibility when getting into an automobile. Just because probability is low, doesn't mean you should throw caution to the wind and drive recklessly, which would increase the likelihood of an accident occurring. At the same time, the mere possibility of an accident doesn't justify living in fear and refusing to get inside a vehicle. Instead, the most reasonable response is to put some effort into safe transportation, such as by driving carefully.
Wrench attacks can be viewed in a similar light. It’s unwise to think “that’ll never happen” and be totally careless as a result. But it’s also a mistake to let one particular fear take over your life in an obsessive manner. Instead, prudence demands staying vigilant and looking for opportunities to improve your situation and minimize your susceptibility.
The future will always contain uncertainties, which means it’s impossible to bring the likelihood of a good outcome to exactly 100% or a bad outcome to exactly 0%. When thinking through wrench attack prevention, the mission is to take reasonable steps that will reduce the chance of being targeted. This can be accomplished by avoiding certain behaviors and engaging in others.
Logically, a targeted wrench attack is preceded by two events. First, a potential attacker learns that a potential victim owns a valuable asset, such as bitcoin. Second, they will conduct some sort of cost-benefit analysis, weighing the risks of attempting an attack against their potential gain (granted, they have poor judgment to even consider the action in the first place).
This knowledge presents several opportunities to build a defense. Guarding against the first event, you can take steps to limit how many potential attackers know that you own bitcoin. Guarding against the second event, you can make a criminal’s cost-benefit analysis difficult to perform or clearly unfavorable. In the following sections, we will dive into more specific ideas on how to achieve these things.
If you are interested in taking steps that could reduce the number of potential attackers who are aware of your bitcoin ownership, there are two basic approaches. You could try to limit the quantity of people in general who know you own bitcoin, or you could try to reduce the number of potential attackers your identity may come into contact with.
Furthermore, there are also two distinct contexts for social interaction to consider—the physical world and the digital world. The internet allows for interaction with a larger number of people, but the physical world is where wrench attacks actually occur, meaning that proximity is a relevant factor. Traveling a substantial distance could be an obstacle for a criminal thinking about this type of attack.
It’s common to become enthusiastic about bitcoin and want to help others learn about it. This can be a good thing, but your approach can have implications for your privacy and security. It can go a long way to simply be selective rather than careless with your bitcoin advocacy.
In the physical realm, you should be aware that wearing bitcoin-branded clothing or putting a bitcoin bumper sticker on your car publicly broadcasts your interest in bitcoin to everyone around you. Additionally, when interacting with strangers or new acquaintances, passionately explaining bitcoin or eagerly offering to tip, pay, or receive payments in bitcoin may not be the best idea from a security standpoint. In-person bitcoin transactions have been identified as a significant risk factor for wrench attacks (Ordekian et al., section 5.1.1). A more careful approach would be to limit your bitcoin-related interactions to trusted relationships and ask those people to keep your involvement private.
Online you also have obvious choices pertaining to how much you discuss bitcoin, what you say, where you say it, and how you present yourself (such as using a pseudonym). Meanwhile, other digital records connecting you to bitcoin may be a bit more challenging to control, such as data about your browsing history, your online orders for bitcoin-related products, and your accounts with bitcoin-related services. Third parties may store this data, and they could become the victim of a data breach. For this reason, you should be mindful of how many different service providers you interact with, and hesitate before signing up for new ones. At Unchained, we aim to offer a one-stop shop for consolidating all your bitcoin needs—trading, secure self-custody, lending, retirement accounts, business accounts, and ongoing support for inheritance and technical questions. We understand the gravity of your decision to trust us with protecting your data, and this responsibility will always remain a top priority for our company.
Good or bad judgment with relationships can have a meaningful impact on personal security. Online or in-person communities containing elements of legal or moral misconduct will naturally include individuals of an elevated risk profile. Keeping a safe distance from such groups can further reduce the likelihood of coming into contact with potential threat actors. Additionally, Ordekian et al. notes that revenge can be a motive for wrench attacks, suggesting that the kindness you show other people can play a role in your own protection.
If you choose to publicly advocate for bitcoin, people will assume you are a bitcoin owner. However, that knowledge alone is a much different scenario than people also knowing how much bitcoin you own, or how it might be easily accessed. Taking a defensive posture means guarding this additional sensitive information.
When learning about bitcoin, typically one of the earliest pieces of advice is to “never talk about your bitcoin balance.” People who don’t take bitcoin seriously may be tempted to share their balance, like they might do with a high score in a video game. However, the reality is that bitcoin is a seriously valuable asset. If you wouldn’t talk openly about how many dollars are in your bank account, or how much gold you own, then you should treat your bitcoin balance in a similar way. It’s wise to avoid discussing your balance unnecessarily, or viewing your balance on an electronic device in a public setting where someone could be looking over your shoulder.
Furthermore, you should be mindful of sharing information that could indirectly give clues about your bitcoin balance. Examples include the timeframe when you “first got into bitcoin,” how many dollars you’ve spent on buying bitcoin, the lower prices at which you managed to buy bitcoin, how much you continue to regularly spend on bitcoin, the price performance of your bitcoin investment, what percentage of your wealth is stored in bitcoin, your decisions to hold onto bitcoin without selling it, and so forth. Sacrificing your privacy to impress other people may turn out to be a regrettable decision.
It can also be a good idea to think ahead regarding your inheritance, to help protect the privacy of your beneficiaries. As discussed in our article on estate planning basics, if you don’t have a deliberate plan in place, your bitcoin holdings may be subject to state probate laws, and become a part of the public probate process, which typically requires a detailed list and total value of the deceased person’s assets to be filed with the court. Setting up a trust or designating transfer-on-death beneficiaries are common methods to enhance privacy, allowing assets to be passed on outside of the public probate process. Both of these strategies are supported by Unchained.
If a criminal sees a clear, easy path to accessing valuables, they might be enticed to pursue it. On the other hand, if the path is difficult or unknown, they may decide against it. This means it’s a good idea to make your bitcoin challenging and inconvenient to access, and avoid revealing any specific details about the access process.
As we covered in an earlier section, in-person bitcoin transactions are a risk factor for wrench attacks, and this is partly due to the implication that bitcoin is immediately available, ready to be transferred. There are numerous reasons to avoid keeping bitcoin keys on your phone or in a “brain wallet” (memorized bitcoin key), and the risk of a wrench attack is among them. Carrying an accessible bitcoin balance everywhere you go introduces extra vulnerability compared to locking down bitcoin as long-term savings which rarely need to be accessed.
Making bitcoin difficult to access begins with utilizing a cold wallet, so that the keys to the bitcoin aren’t stored on your phone or in your head. The keys are instead stored physically and offline, allowing them to be guarded more effectively. You should never tell anyone where you store your physical bitcoin keys, unless it’s absolutely necessary because you’re entrusting them with direct involvement in your security or inheritance procedures.
If you’re especially concerned about the possibility of a wrench attack, you might prefer to avoid keeping your bitcoin keys within reach at home, and instead turn toward institutional assistance. A bank safe deposit box is nearly impossible for a regular criminal to gain access to, because even if they took possession of your deposit box key, the bank would still require in-person identity verification during their business hours. If you have separate concerns about bank employees getting into your safe deposit box, it may be helpful to know that you can put your bitcoin key material inside an opaque, tamper-evident security bag before placing it in your safe deposit box. This way, it’s not immediately obvious what’s inside, and when you check in on it you can have reassurance that the material has not been compromised.
The best tool to safely guard bitcoin against theft is a multisig wallet. When properly set up, multiple different bitcoin keys are required to access the bitcoin. This allows you to geographically separate the keys in different secure locations. If any one location were compromised by a thief, they would be unable to steal any funds. A setup like this is capable of providing the highest degree of peace of mind—a banker that manages to get into your safe deposit box, open your security bag, and get one of your bitcoin keys, would be unable to see the balance of your multisig wallet, or access any bitcoin without other keys you’ve stored elsewhere. Unchained utilizes multisig wallets for all of our vaults.
Beyond techniques specific to bitcoin custody, general purpose security and privacy practices can also play a significant role in deterring criminals. Making a clear effort to avoid being an easy target can make a big difference compared to making no such effort.
There is plenty of education available that can help you identify and correct weak points in your security, ranging from free videos and websites to formal classes and consultants. It’s a vast subject, but here we will briefly touch on a few common starting points for home, personal, and digital security.
Home security can typically be improved with tools such as surveillance cameras, alarms, monitored systems, panic buttons, timed or motion-activated lighting, and reinforced entrypoints. Outside, physical barriers such as gates, fences and certain types of bushes or hedges can serve as useful obstacles to deter potential intruders. Having a good relationship with neighbors and even a pet dog can help draw attention to any suspicious activity.
Personal security can be bolstered by physical fitness, strength, and endurance. Self-defense classes involving martial arts or firearms training are especially effective. It’s critical to practice situational awareness, which has deteriorated in the modern age of earbuds and smartphones. Stay alert of your surroundings, and try to avoid falling into predictable, easily observable routines.
Good digital security involves locking your electronic devices and digital accounts using modern authentication standards. Solutions like passkeys, password managers, biometrics, and multi-factor authentication are good tools to become familiar with and integrate to protect your sensitive records. Avoiding suspicious emails, calls, texts, and other forms of communication can help reduce the chances of receiving malware or deceptive information, aligning with our guidance on protecting yourself from scammers as well.
Living a modern lifestyle while preserving personal privacy is increasingly challenging. Renowned cryptographers and cypherpunks have suggested that “the natural flow of technology tends to move in the direction of making surveillance easier,” and markets for selling private information are potentially unstoppable. In other words, it’s very difficult to prevent someone from finding personal information about you if they are motivated to spend enough time or money.
Attempting to “disappear” would entail substantial lifestyle changes that may not feel realistic for most people. “If you want perfect privacy, then just close all of your online accounts and move to the middle of nowhere,” aforementioned researcher Jameson Lopp jokes in his detailed investigation into reclaiming privacy. But as we’ve already covered, perfection isn’t necessary in order to succeed with implementing reasonable improvements. “Each of you will need to decide what level of tradeoff between convenience and privacy you are willing to achieve. But you don’t have to go all the way all at once, you can start [small and try more difficult things] later,” Lopp explains. Let’s discuss some basic starting points.
The default way of using the internet allows for a large amount of third-party surveillance and tracking, which gather and sell data about your activity and profiles. Building a defense begins with VPN services (e.g. ProtonVPN, Mullvad VPN) and DNS filtering (e.g. Pi-hole, NextDNS). It’s also worth exploring privacy-oriented browsers (e.g. Brave), browser extensions (e.g. uBlock Origin, Privacy Badger), search engines (e.g. DuckDuckGo), email providers (e.g. ProtonMail), and messaging apps (e.g. Signal) as alternatives to their more common counterparts. These tools can limit data collection going forward. Cleaning up data collection that occurred in the past is harder, but some services can help automate opt-out requests to data brokers (e.g. Incogni, DeleteMe).
Privacy in the physical world involves controlling personal information through the strategic use of intermediaries and alternative identities. Common methods include purchasing property or vehicles through LLCs or trusts, using PO boxes or virtual mailboxes instead of home addresses, paying with cash to avoid transaction tracking, and employing burner phones or virtual numbers for communications. Additionally, there are many day-to-day circumstances where you can avoid giving out your phone number or real name, such as when ordering food or receiving mail. Most people don’t bother with aliases and readily give out their contact information, but a privacy-conscious individual should hesitate and consider their options.
It’s always a good idea to ensure that you and your loved ones have clear emergency plans in place to prepare for natural disasters or other extreme scenarios. Establishing a communication strategy and egress routes can come in handy for a variety of situations, including a potential wrench attack.
However, wrench attacks can occur in many different forms and fashions, meaning there is no one-size-fits-all plan that can adequately deal with the full range of possible situations. The best actions to take in response to a hypothetical wrench attack will depend heavily on critical details, such as the attacker’s mental state and their precise demands or threats. These details are unknowable in advance. Therefore, if you begin considering what you might do if you were to face a wrench attack, it’s important to acknowledge the high degree of speculation involved.
Some bitcoin custody tools offer features that are intended to be useful in a wrench attack scenario, such as duress wallet or decoy wallet. These features are designed with the hope that giving a smaller balance of funds to an attacker will cause them to leave satisfied. However, this idea also relies on speculative assumptions, and it’s debatable whether or not such a strategy would actually be helpful. Outside of the bitcoin ecosystem, kidnap and ransom insurance providers capable of providing crisis response teams could be an option to consider.
The best plan is to exercise good judgment according to the circumstances. Self-defense and security systems can give you more options to work with, and learning about criminology and de-escalation techniques could also come in handy. In some cases, calm compliance might end up being the safest decision.
In summary, while wrench attacks are a rare form of threat, taking them seriously is an intelligent component of protecting valuable property such as bitcoin savings. Being careless can cause you to be identified as an easy target, while taking steps to become an increasingly difficult target is what will help keep you safe.
As discussed in our article comparing the approaches to bitcoin ownership, the best way to protect bitcoin from a physical attack is to either use an ETF or a multisig wallet with geographically-distributed keys, but only the latter can simultaneously eliminate custodial risk. Navigating multisig is easy with an Unchained vault—we invite you to schedule a free consultation with our team to ask questions and learn more.
This article is educational only, and not catered to the specific reader. Unchained does not represent that the techniques, software, and/or hardware referenced by this article are appropriate for your given use case or legal in your given jurisdiction. Please do your own research before using any specific technique, software, or hardware.
