Physical Threats to Crypto Owners Hit Record Highs
These attacks are sometimes carried out over amounts as small as $6,000, and are often fueled by KYC-related data leaks from exchanges, with over 80 million crypto user identities exposed. Meanwhile, cybersecurity firm Koi Security uncovered “GreedyBear,” a group that stole over $1 million in crypto through a coordinated campaign of fake browser extensions, malware, and scam websites. Experts warn that such physical and digital threats are growing more sophisticated, and are targeting users of all sizes.
Attacks Against Crypto Holders Surge
At the Baltic Honeybadger 2025 conference in Riga, Latvia, the founder of SatoshiLabs Alena Vranova issued a scary warning about the growing threat of “wrench attacks” and other violent crimes targeting Bitcoin and cryptocurrency holders. These attacks are named after the idea of coercing someone to hand over their private keys under threat of physical harm, and they are reportedly increasing at an alarming rate, with 2025 on track to double the worst year on record.
Vranova believes that this is not an issue confined to early Bitcoin adopters or wealthy investors. Even small holders have found themselves in the crosshairs of criminals. She specifically pointed out some incidents where victims were kidnapped, tortured, or murdered for amounts as low as $6,000 in crypto, with other cases involving $50,000 leading to deadly outcomes.
Vranova said that these crimes are often facilitated by sensitive information leaks from centralized crypto exchanges and service providers that collect extensive user data under know-your-customer (KYC) regulations. According to her, over 80 million crypto user identities have been leaked online, with 2.2 million of those records including home addresses. This data provides criminals with very detailed information to locate and target victims and their families.
The situation is aggravated by a clear correlation between Bitcoin’s market performance and the frequency of attacks. Vranova shared that violent incidents tend to rise sharply during bull markets, when valuations and investor enthusiasm are high. This year’s surge in physical crimes took place in parallel with a worrying number of high-profile data breaches.
The correlation between BTC’s price and the number of physical attacks (Source: Glok.me)
In May, Coinbase disclosed a breach that exposed the home addresses and other identifying details of some of its customers. In June, a report from Cybernews revealed that databases containing over 16 billion leaked login credentials from major platforms like Apple, Facebook, and Google surfaced online.
These leaks open the door to a number of secondary threats beyond physical violence, including phishing, social engineering, hacking, and identity theft. Overall, the sophistication and brazenness of those willing to use violence to seize digital assets is growing, and it is pushing many investors, developers, and executives to adopt stricter personal safety measures.
GreedyBear Targets Crypto Users
Crypto users have more than one target on their backs. Cybersecurity firm Koi Security uncovered a large-scale malicious campaign that stole more than $1 million in cryptocurrency by combining three different attack types—malicious browser extensions, malware, and scam websites. The group is called “GreedyBear,” and has been described by Koi Security researcher Tuval Admoni as having “redefined industrial-scale crypto theft” by deploying all three tactics simultaneously.
Admoni pointed out that while cybercriminals often specialize in a single method, GreedyBear’s decision to operate on multiple fronts is the start of a shift toward more complex and ambitious scams targeting crypto users.
The campaign involved more than 650 malicious tools, including over 150 fake browser extensions published to the Firefox marketplace. These extensions impersonated popular crypto wallets like MetaMask, TronLink, Exodus, and Rabby Wallet. By using a technique called “Extension Hollowing,” the attackers first created legitimate extensions to pass security checks, then later modified them to steal wallet credentials directly from user input fields within fake wallet interfaces. This method allowed the malicious extensions to maintain positive ratings and user trust before being weaponized.
(Source: Medium)
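The benign-first, modified-later pattern described above can be looked for by diffing an extension's manifest between two versions of the same extension ID. This is an added example, not code from Koi Security or the original article; the rule names and sample manifests are constructed, and the heuristics are assumptions about what a repurposed extension would change.

```javascript
// Added example: heuristics and sample manifests are constructed, not taken from the campaign.
const WALLET_BRANDS = ["metamask", "tronlink", "exodus", "rabby"]; // brands named in the article

// Collect everything a manifest asks for: API permissions plus host access.
function requestedAccess(manifest) {
  const hosts = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  return new Set([
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
    ...hosts,
  ]);
}

// Compare two snapshots of the same extension ID and list changes that fit
// an extension being repurposed after it was first published.
function auditUpdate(oldManifest, newManifest) {
  const findings = [];
  const oldName = String(oldManifest.name || "").toLowerCase();
  const newName = String(newManifest.name || "").toLowerCase();

  if (oldName !== newName) {
    findings.push({ rule: "name-changed", detail: `${oldManifest.name} -> ${newManifest.name}` });
  }
  const brand = WALLET_BRANDS.find((b) => newName.includes(b) && !oldName.includes(b));
  if (brand) findings.push({ rule: "wallet-brand-introduced", detail: brand });

  const before = requestedAccess(oldManifest);
  const added = [...requestedAccess(newManifest)].filter((p) => !before.has(p)).sort();
  if (added.length > 0) findings.push({ rule: "access-added", detail: added.join(", ") });

  // A popup UI appearing where there was none deserves a manual look: the
  // article describes credentials typed into fake wallet interfaces.
  const popup = (m) => (m.browser_action || m.action || {}).default_popup;
  if (!popup(oldManifest) && popup(newManifest)) {
    findings.push({ rule: "popup-added", detail: popup(newManifest) });
  }
  return findings;
}

// Constructed sample: a utility extension that later reappears as a "wallet".
const v1 = { name: "Link Cleaner", version: "1.0", permissions: ["tabs"] };
const v2 = {
  name: "MetaMask Wallet", version: "1.4",
  permissions: ["tabs", "storage"], host_permissions: ["<all_urls>"],
  browser_action: { default_popup: "popup.html" },
};
console.log(auditUpdate(v1, v2));
```

Findings are prompts for manual review, not verdicts: legitimate extensions also rename themselves and add permissions.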
In addition to browser-based attacks, GreedyBear deployed close to 500 samples of crypto-focused malware. These included credential stealers like LummaStealer, which targets wallet information, and ransomware like Luca Stealer, which demands payments in cryptocurrency. Much of the malware was distributed through Russian websites offering cracked or pirated software.
The third arm of the operation involved an extensive network of scam websites posing as legitimate crypto products, hardware wallets, or wallet repair services. Unlike traditional phishing pages, these sites were designed to look like polished landing pages to lure unsuspecting users.
One central server acted as a command-and-control hub, coordinating credential theft, ransomware operations, and scam deployments. Signs of AI-generated code were also found, which allowed the group to scale and diversify their attacks very rapidly.
Admoni warned that this is “the new normal” for online threats against crypto holders, while Cyvers CEO Deddy Lavid believes there is an urgent need for better vetting by browser vendors, greater developer transparency, and stronger user vigilance to combat these very sophisticated and multifaceted attacks.