CertiK reports 41% rise in wrench attacks, links trend to Nancy Guthrie case with $6M Bitcoin ransom demand
Physical coercion targeting crypto holders surged to 34 verified incidents in early 2026, with losses topping $101 million as criminals exploit public wealth signals
Crypto’s security problem isn’t just on-chain anymore. It’s at the front door.
Blockchain security firm CertiK published a report documenting 34 verified wrench attacks between January and April 2026, a 41% increase from the 24 incidents recorded during the same period in 2025. Total losses from these attacks exceeded $101 million in just four months.
Among the cases flagged in the report: the suspected abduction of Nancy Guthrie, the 84-year-old mother of NBC anchor Savannah Guthrie, which CertiK categorized as a potential “wrench attack by proxy.” Ransom notes demanding $6 million in Bitcoin were sent to multiple media outlets, including KGUN9 and TMZ.
What wrench attacks actually are, and why they’re escalating
The term “wrench attack” comes from a satirical XKCD comic first published in 2009. The joke is simple: why bother cracking someone’s encryption when you can threaten them with a $5 wrench until they hand over the keys?
A wrench attack is physical coercion, such as kidnapping, home invasion, or threats of violence, used to force a crypto holder to transfer their assets. No exploits needed. No smart contract vulnerabilities. Just fear and a victim who can’t call their bank to reverse the transaction.
CertiK’s data shows the problem isn’t slowing down. The firm recorded 81 attacks with approximately $52 million in losses across all of 2025, which itself represented a 75% increase from prior years. If the current pace holds through 2026, CertiK projects roughly 130 incidents for the full year, with losses potentially reaching several hundred million dollars.
The Guthrie case, which allegedly began around February 1, stands out for a specific reason. The target wasn’t a crypto holder herself. She was the family member of a public figure. CertiK’s classification of this as a “wrench attack by proxy” signals a troubling expansion of who criminals consider fair game.
How criminals find their targets
Lisa J. Miller, a retired detective and former law enforcement executive at the Colorado Attorney General’s Office, explained the mechanics bluntly.
“The bad guys in these cases and in many types of criminal cases utilize open source information and social media information to find their targets and the targets’ vulnerabilities, the pressure point. News releases from companies describing wealth, social media posts showing off big expenditures, big toys, big homes. Many of us put at least some of our lives out there for everyone to see, and it’s usually the happiest part.”
CertiK’s report highlights that these operations have evolved beyond opportunistic street crime. The firm identified a pattern of organized, transnational operations where overseas masterminds recruit local operatives to carry out the physical attacks.
What this means for crypto holders and the broader market
On the personal side, the calculus around operational security has changed permanently. Hardware wallets, multisig setups, and time-locked transactions were designed to protect against digital threats. They do very little when someone threatens your family. The Guthrie case illustrates that wealth proximity, not just wealth ownership, creates risk. You don’t need to hold Bitcoin to become a target. You just need to be connected to someone who does, or who is perceived to.
The privacy-versus-transparency debate in crypto has always been framed in abstract terms: financial freedom, surveillance resistance, regulatory compliance. CertiK’s data reframes it in concrete terms. For a growing number of people, privacy isn’t a philosophical preference. It’s a physical safety requirement. The 41% increase in wrench attacks between January and April 2026 and the same period in 2025 suggests the market hasn’t caught up to that reality yet.