The year 2025 has witnessed a disturbing surge in threats aimed directly at cryptocurrency owners, with both real-world violence and digital crime seeing a sharp increase alongside Bitcoin’s rising valuation. During the Baltic Honeybadger 2025 event in Riga, Latvia, Alena Vranova, founder of SatoshiLabs, brought attention to the escalating problem of “wrench attacks”—a phrase describing situations where individuals are forced to hand over their private crypto keys under the threat of bodily harm [1]. Vranova clarified that these attacks aren’t limited to wealthy individuals; even those with as little as $6,000 in cryptocurrency have been targeted through kidnapping, torture, or even murder. She linked this alarming trend to data breaches originating from centralized crypto exchanges, which have exposed the identities of over 80 million users online, including 2.2 million home addresses. This exposed information gives criminals the data they need to locate and target their victims [1].
A clear link exists between Bitcoin’s bull market and the rising frequency of these crimes. Vranova stressed that violent incidents tend to increase during periods of intense market enthusiasm, a pattern further solidified by recent data breaches from major platforms. In May 2025, Coinbase reported a security incident that exposed customer addresses, while in June, Cybernews revealed that data leaks from Apple, Facebook, and Google had compromised over 16 billion login details [1]. These data exposures not only enable physical attacks but also create opportunities for phishing attempts, social manipulation, and identity theft, further endangering cryptocurrency holders.
Simultaneously, the cyber threat landscape has undergone significant changes. Koi Security recently discovered a sophisticated cybercriminal group known as “GreedyBear,” which has successfully stolen over $1 million in cryptocurrency by deploying a coordinated campaign involving fake browser add-ons, malicious software, and fraudulent websites [1]. Tuval Admoni, a researcher at Koi Security, stated that GreedyBear has “redefined industrial-scale crypto theft” by using three distinct attack methods at the same time—a tactic that represents a move towards more complex and ambitious cybercrime strategies [1].
The illicit campaign leveraged more than 650 malicious resources, including over 150 fake browser extensions made available on the Firefox marketplace. These extensions imitated popular cryptocurrency wallets, like MetaMask and TronLink, using a technique called “Extension Hollowing,” in which an extension is first listed in a legitimate form to pass security checks and is only later modified to steal user credentials. This allowed the malicious extensions to maintain positive user ratings and build trust before being used for criminal purposes [1].
In addition to the browser-based attacks, GreedyBear launched nearly 500 malware samples focused on cryptocurrency, including credential-stealing software like LummaStealer and ransomware like Luca Stealer. Much of this malware was spread through Russian websites offering pirated software [1]. The third aspect of the operation consisted of a network of deceptive websites designed to look like legitimate crypto products and wallet repair services, crafted to appear professional and trustworthy to entice users into revealing their private keys.
A central command-and-control server managed these attacks, and researchers uncovered evidence that AI-generated code was used to rapidly scale and diversify the threat. Admoni cautioned that this represents the new reality for online threats targeting crypto holders, while Deddy Lavid, CEO of Cyvers, emphasized that browser vendors need better vetting processes, developers need greater transparency, and users need to be more vigilant to combat these increasingly advanced threats [1].
As both physical dangers and digital threats continue to evolve, the broader crypto community is being urged to adopt more rigorous personal safety and cybersecurity precautions. With the combination of data breaches, cyberattacks, and real-world crimes, the risks for cryptocurrency owners are greater than ever, marking a critical turning point in the ongoing effort to protect digital assets.
—
Source:
[1] Cryptocurrency Owner Security at Risk: Physical and Cyber Threats Escalate. https://coinpaper.com/10443/physical-threats-to-crypto-owners-hit-record-highs
