[HN Gopher] Wrench Attacks: Physical attacks targeting cryptocur...
___________________________________________________________________
Wrench Attacks: Physical attacks targeting cryptocurrency users
(2024) [pdf]
Author : pulisse
Score : 84 points
Date : 2025-05-25 11:56 UTC (11 hours ago)
(HTM) web link (drops.dagstuhl.de)
(TXT) w3m dump (drops.dagstuhl.de)
| imaginator wrote:
| Jameson Lopp maintains a comprehensive list at
| https://github.com/jlopp/physical-bitcoin-attacks
|
| Side joke: with inflation the XKCD $5 wrench attack
| (https://xkcd.com/538/) is no longer possible.
| qoez wrote:
| The alt text does say "Also, I would be hard-pressed to find
| that wrench for $5." so I guess even at the time without
| inflation it wasn't really possible
| apples_oranges wrote:
| For Americans now difficult. Rest of the world can still
| order cheaply in China ;)
| cluckindan wrote:
| Maybe those orders should be limited given how the tools
| have no other valid use than password extraction
| hansvm wrote:
| You speak with the same sort of hard-earned wisdom of
| someone who has also snapped a few cheap wrenches in
| half.
| grues-dinner wrote:
| It could be a second-hand wrench. Or maybe smuggled in without
| tariffs: a 1-foot, 3-pound wrench is $3.45 on Taobao (including
| shipping, a pair of gloves and a roll of PTFE tape). It might
| not be Snap-On but it'll probably survive being hit with a few
| crypto speculator skulls.
| krisoft wrote:
| Or a stolen wrench. If you are already on the path of
| criminality.
| lazide wrote:
| Hey man, some of us have limits (/s)
|
| Seriously though, most B&E's will use tools stolen from
| some prior victim. Why spend money you don't need to, or
| something.
| dylan604 wrote:
| Or tools from the current victim. Someone broke into my
| house using the utensils from my grill on the patio to
| try to pry open a rear window before just using them to
| break the glass.
| grues-dinner wrote:
| Also you can't be filmed at the hardware shop buying the
| weapon. Premeditation makes things worse if you do get
| caught.
| brewdad wrote:
| The key is to have made the investment long ago. I never put
| money in crypto but I do own two large pipe wrenches from the
| mid 1990s.
| nssnsjsjsjs wrote:
| Next they'll hit someone over the head with a shitcoin to try
| and steal their wrench!
| oulipo wrote:
| No worries, now you can simply use $5 of Toblerone lol
| https://archive.ph/TZ9oq
| os2warpman wrote:
| https://www.harborfreight.com/hand-tools/wrenches/18-in-stee...
|
| $7.99
|
| They also have an 8-inch wrench on sale for $3 but I'd spend
| the extra for the pipe wrench.
|
| Better whackin' with an 18-incher.
| margorczynski wrote:
| I guess the name is in reference to https://xkcd.com/538/
| martinky24 wrote:
| They quite literally say this explicitly in the first few
| paragraphs. No need to guess.
| TheAmazingRace wrote:
| This write up is very interesting to me for one main reason. It
| underscores how incredibly important it is for anyone dealing in
| this stuff to do the following...
|
| Keep. Your. Mouth. Shut.
|
| Pseudo-anonymity, with the emphasis on the pseudo part, is only
| as good as you. If you truly believe in Bitcoin and all that
| implies, it really is in your best interest to be quiet and keep
| it to yourself, and this knife cuts in more ways than you might
| expect. You don't have layers of security like at a traditional
| bank. You are the weakest link wrt private keys and storage.
|
| Also, even talking about it amongst folks you think are your
| friends, like fellow Bitcoin users, isn't wise either.
| Hypothetically, if you became exceedingly wealthy on paper, it
| would be in the interest of others to take you out of the
| equation so you can't cash out. If that means a five dollar (or
| whatever they cost these days) wrench to the head so you stop
| moving... now that value is locked up in the blockchain! Could
| this happen to any given bitcoin user with just a few satoshi or
| whatnot? Very unlikely, but don't forget that a decade and a half
| ago, a handful of bitcoins could cost you very little money. Now
| it has gone up exponentially in value and would make you a big
| fat target.
|
| There are those on /r/bitcoin that think a wrench won't ever
| break their wills and spirits. That math is invincible. Don't
| think they've ever been on the wrong side of one before. Math
| might be bulletproof, but wetware is very fragile.
| jsheard wrote:
| The tension is between needing to keep your mouth shut (for
| your own safety) and needing to loudly evangelize crypto at
| every opportunity (because its value is still mostly predicated
| on hype and FOMO, which must be maintained). For people to
| believe the narrative that buying crypto will make them rich,
| there has to be crypto-rich people shouting about how crypto-
| rich they are.
| TheAmazingRace wrote:
| That is quite a balancing act, isn't it?
| throwanem wrote:
| Not before Miami slides into the Atlantic...
| TheAmazingRace wrote:
| Lol
| dylan604 wrote:
| > Keep. Your. Mouth. Shut.
|
| The interesting thing to me about this is watching how we've
| changed over the past 40 years. As a kid, it was impressed upon
| kids to not talk to strangers. You don't tell people where
| you live. You don't tell people anything more than necessary.
| Now, people share the most intimate details of their daily
| lives. People share/invite random strangers to their accounts
| without any concerns about who they are or what they might do.
| People just do not think about how the most benign of posts can
| be used for nefarious purposes by someone else. So we've gone
| from share nothing to over sharing everything.
| TheAmazingRace wrote:
| So just another point on this... you are probably not as
| anonymous on the internet as you might think. You can brag
| about wealth in cryptocurrency. But use a handle long enough,
| or even across several accounts that can somehow be linked,
| and a fingerprint of you could be constructed. It really can
| be done with some forensic analysis.
|
| And I think it all boils down to the fact that some humans
| need to make noise about their successes so they feel
| validated. Much like the cryptocurrency evangelists, they
| probably can't help themselves because they want to ensure
| they defend "the mission" even if it comes at great personal
| cost in the long run.
| throwanem wrote:
| I've recently quoted on here something about learning to
| spend what's in your pocket. That is a special case of the
| same general principle evinced here, which is that if you
| don't put work into maintaining a broad perspective, you
| lose the ability to distinguish what you're used to and
| what's ordinary.
|
| It's worth worrying about in the general case, too. There
| are subtler and much more noxious failure modes here than
| merely getting beaned with a Swedish nut rounder.
| ummonk wrote:
| Ehh, changes in privacy expectations have gone both ways. 40
| years ago people also voluntarily listed their home address
| and telephone number in phone books that would be mailed to
| the whole community.
| dylan604 wrote:
| If you think the telephone book is anywhere close to the
| same thing as the amount of information available via a web
| search, then you're just not even trying to have a serious
| conversation. At the time of printed phone books, it's not
| like you could pull out the super computer in your pocket
| and get turn by turn directions to that address. If you
| were fancy, you could maybe pull out your Mapsco and figure
| out how to get there, but only if that address was in the
| same area as the set of Mapsco books you had on hand.
| egypturnash wrote:
| You could go to the bookstore and get an appropriate map
| or two pretty easily. Or a gas station. Or join the AAA
| and get them to put together a TripTik. Or some
| combination.
|
| Sure it'd take longer than pulling up directions on your
| phone does now but if you're planning a cross-country
| trip to kidnap someone and beat their passphrases out of
| them or demand a ransom from their family or whatever
| then you've probably got some other plans to make. If
| it's a total impulse then you just grab your duct tape,
| chainsaw, masks, and continental-scale road atlas and hit
| the road; when you get to your target's state you can
| pick up maps that'll get you to their place at the first
| gas station you hit. Don't make jokes about why you're on
| a road trip when you stop at the whimsical roadside
| attraction shaped like a dinosaur, someone _will_ come
| forwards when your case makes the news.
| mattgreenrocks wrote:
| It's definitely changed from generation to generation.
|
| During covid some SWEs had pretty sweet gigs due to lowered
| expectations and a rush on talent. And what do a small
| fraction of SWEs do? Make "life in the day of" videos that
| glamorize how cushy and easy-going it is, painting the whole
| group of SWEs as spoiled and entitled who make too much
| money. Point is they could've just realized they had it good
| and kept quiet.
|
| But, no, they had to hustle for internet points, even risking
| their job inadvertently. It's unbelievable to me how fast we
| flipped from the internet being an accessory to life to it
| being a surrogate for actual social interaction.
| throwanem wrote:
| > Keep. Your. Mouth. Shut.
|
| With events like the recent Coinbase breach, is this even
| enough?
| TheAmazingRace wrote:
| Nobody has to use Coinbase. That said, yes you aren't wrong.
| The more intermediaries you deal with, the higher your
| exposure risk.
| throwanem wrote:
| That, and there's zero backward or forward secrecy by
| design. Avoiding intermediaries can't ameliorate the
| hazards of the protocol.
| TheAmazingRace wrote:
| Exactly. Hence why I don't advocate for any
| cryptocurrency at all, personally. It's fraught with
| peril and the juice really isn't worth the squeeze to me.
| Others may have a different calculus, but I'd rather not
| be looking over my shoulder constantly.
| throwanem wrote:
| Oh, same, I've never touched the stuff. That was pure
| intuition 15 years ago; these days I think of it as a
| longterm investment paying major dividends in peace of
| mind.
|
| Of course it would be easy to _say_ one's never touched
| crypto, and not so easy to prove, as with any negative. I
| don't care. If I ever get bounced with a King Dick, it'll
| _far_ more likely be because I said something someone
| didn't like - which seems to happen about as often as I
| open my mouth, these days. Or because I said something
| someone failed to comprehend and so took insult at.
| Brains are severely out of fashion this decade, and I
| can't seem to help having some, so presumably someone
| will seek to scatter them sooner or later. Why not? I
| hear it's the last argument of kings, and their time too
| seems coming 'round again.
|
| In any case they better not let me hear them coming.
| Wiser to spin the block in a car, really. I've never been
| hit with a wrench before, but it did once take more than
| a hammer to get me off my feet.
| hibikir wrote:
| This kind of works, until you have a medical issue that impairs
| your brain enough, an event that loses hardware keys or backups,
| or you care about possible inheritors when you die.
|
| Everything you do to keep keys safe from some risks weakens
| your posture against other risks. Making sure most people don't
| know about your holdings is nice and all, but ultimately key
| management is a really hard problem. It's hard enough for
| companies, but I'd argue it's even worse for individuals.
| TheAmazingRace wrote:
| You are correct about key management being hard. I've been
| telling folks that absolutely insist on getting into Bitcoin
| that it's best to leave out any notions of convenience at
| all, as convenience is the enemy of security. If you
| absolutely must have the stuff, stick to a cold wallet using
| pen and paper. It still has its own downsides, but it's
| arguably one of the most simple ways to handle the keys
| problem.
| XorNot wrote:
| Except that's irrelevant. Key management doesn't mitigate
| the threat against you.
|
| If the person who kidnaps you believes you have the
| necessary keys on you, or remember them or whatever, they
| aren't going to let you go because you genuinely do not
| have the ability to provide them.
| busyant wrote:
| > Keep. Your. Mouth. Shut.
|
| Matt Levine had a recent article about this. Another part of
| the problem is that some BTC repositories* got hacked and the
| hackers got people's names and _addresses_ and maybe quantity
| of BTC
|
| So, even if you keep your mouth shut, if people can get your
| address, you're a potential target.
|
| *(I can't recall the details and I don't know enough about
| crypto to know if I'm using the proper terminology)
|
| * edit: here's the article. skip down to "$5 wrench attack"
|
| https://archive.is/lUNox
| PicassoCTs wrote:
| You know, there are people here who have a living memory
| growing up in a high trust society.
| https://en.wikipedia.org/wiki/High-trust_and_low-trust_socie...
| And I refuse to accept all this advice, all this barbed wire as
| normal and all these grifters and gangsters as socially
| acceptable. And I refuse the victim reversal, of the "stupid"
| victim calling for it.
|
| No, all those trying to normalize the wild-west and those who
| try to prosper from the wild west- they have to go. Now.
| Wherever they came from. Take your low-trust, non-working
| societies with you. The enablers too, if you want to co-exist
| with this, you are wrong here. You need to go. Now.
| tmnvix wrote:
| You seem to be implying that immigrants are responsible.
|
| While I agree that we are seeing a shift towards lower trust
| societies in the west, I can think of plenty of potential
| domestic causes.
| thasso wrote:
| Why don't we hear about this happening to people who are equally
| wealthy in classical (non-crypto) assets? Are they more discreet
| and harder to make out or are there protections in place at,
| e.g., banks that limit the efficacy of these kinds of attacks? I
| guess most wealthy people don't have enough of their wealth in
| liquid assets to be a good target but people with lots of crypto
| assets can easily transfer it all.
| Horffupolde wrote:
| Because the public doesn't relate to these victims.
| acdha wrote:
| It seems like quite a stretch to think the public feels
| significantly greater affinity to wealthy people who hold
| stocks, real-estate, and other traditional assets compared to
| cryptocurrency speculators. It seems like a much more
| parsimonious explanation that the attacks are more prevalent
| in the less secure medium since attackers are more likely to
| succeed.
|
| "Be your own bank" makes a cool bumper sticker but it's like
| saying "be your own pilot" or "do your own surgery" in terms
| of complexity and risk. There's a reason why these things
| traditionally involve teams of people with various safety
| precautions baked in to make attacks riskier.
| topranks wrote:
| Those people keep their money in banks.
|
| Sure you can pressure people to transfer money from banks to
| you. But that will be easier to trace and the transactions
| could just be reversed. If moving all your wealth, the bank is
| likely to ask some questions, maybe want to see you in person.
|
| With crypto the philosophy is "be your own bank". It's like
| keeping your money under the mattress. So you are a much more
| promising target.
| XorNot wrote:
| Also bank transactions are reversible.
|
| e.g. you have not had a wonderful windfall if someone
| mistypes an account number and sends you $1 million. You are
| in fact obligated to report the issue and not simply go
| "great!" and start spending the money, to the point that you
| can be held legally liable.
|
| It's not 100% but as people are fond of saying: we do live in
| a society, it's hardly onerous.
| wslh wrote:
| When you create your own keys, you essentially become the bank.
| Additionally, with exchanges or other custodial platforms, once
| you move funds, the transactions are irreversible and can be
| very difficult, or even impossible, to trace.
| brulard wrote:
| Why would you say they are difficult/impossible to trace?
| It's publicly visible where it goes and where it gets
| eventually spent. Ill-gained bitcoin even gets flagged and
| it's very hard to spend.
| batshit_beaver wrote:
| 1) You can track the transactions publicly, but once the
| crypto hits the wallet of someone that can trade cash for
| it, you've lost track of the criminal.
|
| 2) Privacy focused currencies like Monero make it
| exceedingly difficult to attribute transactions to specific
| individuals.
| ls612 wrote:
| Kidnapping for ransom used to be big business for US organized
| crime. Then the law changed to basically outlaw paying ransoms
| (all negotiations had to go through the FBI) and while a few
| people died, kidnapping for ransom in the US largely died as
| well after the 80s.
| _tom_ wrote:
| Literally yesterday:
|
| https://www.nytimes.com/2025/05/24/nyregion/crypto-investor-...
| dang wrote:
| Discussed here:
|
| _Crypto investor charged with kidnapping and torturing_ -
| https://news.ycombinator.com/item?id=44085188 - May 2025 (67
| comments)
| Adrig wrote:
| Two instances of crypto kidnapping happened recently in France
| just a few weeks apart. The first was the father of a crypto
| millionaire who was rescued after a few days, missing a finger.
| The second is the daughter of a crypto CEO who fended off a
| kidnapping in broad daylight in the center of Paris, while she
| was with her husband and baby. Insane stuff.
|
| This will only get worse and harder to protect from. Most of the
| instances I heard about were carried out by "amateurs", which makes
| all this quite unpredictable.
| morkalork wrote:
| Recently happened in Montreal too and yes, very amateurish
| operation that went very very wrong:
| https://globalnews.ca/news/10868204/quebec-crypto-influencer...
| yupyupyups wrote:
| Thinking of cryptocurrencies, and trade with them, as the wild
| west, it shows that many people out there will turn into
| absolute animals and take the rights of others if the law
| wasn't there holding a gun to their heads to keep them in
| check.
| mensetmanusman wrote:
| These events will cause crypto to reinvent the entire
| financial and legal system then :)
| hn_throwaway_99 wrote:
| The irony of this is that the completely irreversible nature of
| crypto transactions, which crypto boosters highlight as one of
| the primary security benefits of crypto, is actually its
| biggest Achilles heel.
| specialist wrote:
| Mugging, larceny, robbery, assault & battery, a stick-up.
|
| Kids these days.... Always inventing new words for old ideas,
| amirite?
|
| More seriously: I'm still a little unclear how stealing crypto is
| feasible. There's a ledger, right? Tumblers are really that
| effective at hiding the chain of custody?
|
| At some point(s) the cyberspace "durable digital asset" (h/t
| a15z) has to emerge in meatspace, right? Even if it pops up in
| Russia, NK, or Golden Triangle, there's always some heads to
| bash, fingers to break. Right?
| brewdad wrote:
| I imagine it works like the stolen art world. You can't just
| put that lost Picasso on auction at Sotheby's, but the right
| buyer will take that wallet off your hands and wash it.
| akrymski wrote:
| You mean there's a point to banks after all?
___________________________________________________________________
(page generated 2025-05-25 23:00 UTC)