Three violent “wrench attacks” hit crypto holders in France in the first weeks of January 2026, with victims forced to hand over device-level access to their assets. The clustering of incidents also pushed organizers to pull back from in-person gatherings, including NFT Paris and RWA Paris 2026.
The immediate takeaway is that self-custody can translate into real-world personal-security exposure when attackers target the human, not the protocol. As law enforcement opens probes and event plans shift, operational security is moving from a best practice to a baseline requirement.
Timeline of the January attacks
Between January 6 and January 10, investigators recorded a tight sequence of assaults explicitly focused on extracting crypto access rather than conventional valuables. The common pattern was coercion aimed at wallets, keys, and credential-bearing devices.
On January 6 in Manosque, three masked intruders entered a home and held a woman at gunpoint before taking a USB drive linked to a partner’s cryptocurrency access. The theft prioritized a digital-access device over traditional burglary targets like cash or jewelry.
On January 9 near Saint-Léger-sous-Cholet, a 43-year-old investor was abducted from his residence, beaten, bound, and later abandoned roughly 50 kilometers away. The incident reinforced that physical violence is being used as a direct path to digital assets.
On January 10 in Verneuil-sur-Seine, three armed attackers assaulted and restrained a cryptocurrency executive and members of their family before the victims escaped to neighbors. The event underscored how family members can become pressure points in access-extraction attacks.
A broader framing of the pattern came from cybercrime consultant David Sehyeon Baek, who described France as seeing one of the EU’s most visible waves of violent crypto-linked kidnappings and extortion attempts. His assessment casts the incidents as an emerging modus operandi rather than isolated crimes.
Why targeting has become easier
Prosecutors had previously charged a tax official for allegedly abusing access to government databases to identify crypto investors and pass details to criminal networks. That alleged leak would materially increase targeting precision by linking names to financial profiles and potential exposure.
In response, the practical security playbook emphasizes reducing single points of failure and limiting what an attacker can extract quickly under duress. Recommended steps include a physical security audit, strict OpSec and social minimalism, diversified key storage across multiple hardware wallets and geographically separated cold storage, multi-signature setups, and rehearsed emergency protocols with trusted contacts and security professionals.
Victims have reportedly been reluctant to report attacks for fear of revealing wallet sizes, transaction histories, or tax exposure, which complicates investigations and weakens deterrence. That pressure to stay silent also aligns with organizers citing personal-safety concerns as they step back from high-profile in-person events.
Looking ahead, risk teams will track prosecutions tied to the attacks and any internal accountability around the alleged data misuse, because deterrence hinges on credible consequences. If impunity persists, expectations include a more hardened custody posture, greater focus on insurance, and reduced attendance at in-person industry gatherings.
