When the kidnappers told Rocelo Lopes they had taken his wife, he didn’t believe them.
The then-46-year-old cryptocurrency entrepreneur received a phone call early one evening in April 2017, while he worked from his office in the Brazilian island city of Florianópolis, telling him to expect a formal ransom demand in bitcoin in the coming hours. “This is just another scammer. This is someone trying to be funny with me,” he thought, and he hung up the phone.
He checked in with his family’s maid anyway. His 32-year-old spouse had taken their daughter to school hours earlier, only a stone’s throw from the family home, but never came home, the maid said. She didn’t know where his wife had gone. That’s when Lopes checked his home’s security-camera system.
Blurry CCTV footage from shortly after lunch that day showed several people loitering on the street just past his garden. His wife walked down the sidewalk toward their home when a man in a black-and-white top approached her.
She recoiled. A person in white swooped in behind her to intercept her. The huddle momentarily disappeared behind a fence. A few seconds later, pressed close to the person in white, she was hurried down a side street, and vanished.
“It’s hard when you see someone you love is taken from you. It’s really, really difficult,” he said in an interview. “My first thing was: ‘Holy shit. What am I going to do now? I have no idea.’ I was not prepared for that kind of situation.”
Lopes had made a name for himself in Brazil as the head of the blockchain firm CoinBR and a few months earlier had sold the operation to Stratum, where he still worked. The kidnappers’ demands were high. They wanted tens of millions of dollars, paid in various cryptocurrencies.
“Either you pay, or we kill her,” Lopes recounted the hostage-takers telling him via WhatsApp. “We’re gonna send pieces of her to you.”
The cryptocurrency boom has created a new class of wealthy quasi-celebrities.
Investors and techies who made early bets on crypto are now hailed as revolutionary financial prophets and gilded with the allure of sudden wealth — often flaunted through a conspicuous-consumption culture of “Lambos,” yacht parties, aggressive boostering, million-dollar profile pictures, and crypto-branded everything.
In the process, some have become prime targets for opportunistic criminals.
Hacks and digital scams are a dime a dozen in crypto circles — but security experts, investors, and others in the space say not enough attention is being paid to physical crimes targeting crypto owners, from simple robberies to home invasions, kidnappings, torture, and even murder.
Such attacks illustrate a fundamental weak link in the blockchain-based digital currencies that tout new levels of financial security and privacy: For all the complex cryptographic math that underpins the integrity of cryptocurrencies, if someone with a gun forces you to hand yours over, there’s not much you can do about it.
Jameson Lopp, a privacy-focused technologist and bitcoin advocate, has made a habit of tracking physical security threats to cryptocurrency users. His interest in the subject is personal. In October 2017, a heavily armed police unit descended on his North Carolina home after an anonymous hoaxer swatted him, submitting a false hostage report to law enforcement, as part of an effort to extort him for bitcoin.
“On one hand it was a kind of amusement and bewilderment because I knew about swatting stuff — it was always something that I figured would only really happen to celebrities,” he said. “On the other hand it was extreme anxiety and, you know, not wanting the cops to run into my house and potentially shoot my dog.”
Since then, he has been tracking physical attacks targeting crypto owners, from swatting attempts like the one he faced to kidnappings and more. He has identified almost 100 incidents publicly reported in the media over the past few years, and he believes that number is most likely a drastic undercount as a result of victims not wanting to attract more attention from criminals.
Lopp’s list reads like a comprehensive primer to different flavors of violence across the globe. A man who was drugged by his Tinder date to induce him to give up his passwords. A 14-year-old schoolboy in Northern England who was beaten and held for ransom after bragging on social media about his crypto-trading profits. A digital trader in the Netherlands targeted by attackers dressed as police officers who broke into his home in 2019 and tortured him with an electric drill in front of his 4-year-old daughter in an attempt to force him to surrender his crypto holdings.
These incidents have become colloquially known as “$5 wrench attacks” — a reference to a webcomic by the “xkcd” artist Randall Munroe in 2009. It jokes about how a “crypto nerd” might like to imagine that a bad guy’s plot is foiled when faced with unbreakable encryption, but the reality is often simpler: “Drug him and hit him with this $5 wrench until he tells us the password.” (This forcible approach to obtaining someone’s private keys is also euphemistically known among cryptographers as “rubber-hose cryptanalysis.”)
Cryptocurrencies are different from other financial assets in one important way: Most assets in finance today are no longer “bearer assets,” Lopp said. “They’re generally controlled by some sort of authority that can revoke access or return access if it gets transferred incorrectly,” he said, describing bitcoin as “really more of a reversion back to a gold or physical-commodity type of asset such that if you get ahold of it and you can get away with it, then no one can just claw back.”
Combined with the lack of real identities tied to digital wallets, and their ease of transferability — the keys for tens of millions of dollars’ worth of bitcoin can be stuck on a USB stick, inconspicuously emailed, or even written down and mailed — crypto is a uniquely attractive target.
Crypto owners make themselves easy targets
In the early hours of a June morning in 2021, an entrepreneur stumbled out of an after-party for the Bitcoin Miami conference and into what he thought was an ordinary cab waiting outside a South Florida club.
The driver asked for his passenger’s phone for “directions,” and, intoxicated, the entrepreneur handed it over. But the driver kept asking for his phone PIN, and the entrepreneur slowly realized he was being driven in the opposite direction from his hotel. The driver then demanded more than $100 — far more than the fare — before he’d take him home.
After somehow persuading the driver to temporarily pass his phone back, the entrepreneur jumped out at a red light, miles away from his hotel, only to realize the driver had disabled his phone by removing the SIM card.
The pair hadn’t directly discussed crypto, and it’s unclear whether the driver was planning to look for digital-currency wallets on the phone or whether it was instead a traditional robbery attempt. But, the entrepreneur told Insider in an interview, the abundance of wealthy cryptocurrency owners in the area was hardly a secret: “This was BTC Miami. If you’ve been around that week, you know, there’s a bunch of crypto people there.”
For the entrepreneur it was a reminder of the vulnerability of his cryptocurrency holdings. Had the driver accessed his on-phone crypto wallet, he said, “he could’ve stolen enough for a house payment.”
Much of the vulnerability is a result of the crypto community’s own actions.
With its public displays of braggadocio and financial boasting, the crypto culture is inherently performative. Bullish crypto devotees identify themselves by adding laser eyes to their online profile pictures, and they broadcast their predilection for preferred coins with all manner of memes and catchphrases.
It’s not hard to find people sharing their latest crypto trades on Twitter and Instagram, bragging about their commitment to hanging (or “hodling”) on to all their crypto holdings and showing off some of the expensive, often bitcoin-branded swag they’ve acquired thanks to their crypto riches.
That kind of behavior is a beacon to enterprising criminals, said Rigel Walshe, a burly, tattoo-covered New Zealander who worked as a cop protecting his nation’s prime minister before becoming a developer at a crypto startup. “You could, if you’ve done your homework, find a person or a group of persons where if you and a team of five well-trained individuals showed up with a gun, you’d very likely be able to walk out with a very substantial amount of money,” Walshe said.
He added: “That’s no different than any other sort of wealth stuff, right? You’re flashy about what you have, then you’re more likely to be robbed.”
NFTs — buzzy, art-linked digital assets — also present unique security risks. They’re often used as flashy profile pictures on public-facing social media, and there are clear records of their sometimes-astronomical values (the famous “Bored Ape Yacht Club” NFTs have been sold for multimillion-dollar sums), but custodial tools aren’t yet readily available to most people for protecting them.
“These NFTs are starting to be worth a lot of money, millions of dollars,” a venture investor warned. “For the most part, I don’t think they’re using institutional-grade custody solutions.”
“They’re just in someone’s wallet,” he continued, calling it “extremely scary.”
Unlike cybersecurity threats like hacking, which have become well understood among the public, there is less thought paid to real-life assaults — in part because such physical robberies are more difficult to pull off and, consequently, much less common. And, as was the case with two clients of the security consultant Karl Perman, victims often prefer to stay mum. Despite losing millions in digital assets as a result of home invasions last year, the victims avoided all publicity about the burglaries, Perman said, with one not even talking to the police.
The total number of such attacks is unknown, and it’s unclear to what degree they’re on law enforcement’s radar. An FBI representative, when asked whether the agency tracked these crimes or whether the bureau could comment on their prevalence, said “we do not have information to provide.”
But crypto crime is almost as old as cryptocurrency. The first cryptocurrency enthusiast to grapple with it appears to have been Hal Finney, a 58-year-old cryptographer and early bitcoin adopter who some suspect may have secretly been Satoshi Nakamoto, the pseudonymous creator of bitcoin.
Finney had the degenerative disease ALS, and in the months before he died in 2014 he was subjected to a vicious extortion campaign by an assailant demanding $400,000 worth of bitcoin. At one point his home was swatted, with the prank call prompting an armed police response.
Fake names, panic rooms, and the lockbox in the forest
Michael Arrington, a media entrepreneur turned crypto investor, recently tweeted that he was “forced” to move out of an 8,300-square-foot Miami home, which he had recently purchased for $16 million. Arrington accused a Sotheby’s real-estate agent of leaking information about the deal, sabotaging the efforts he said he’d taken to keep the home’s location a secret “because of the unique and violent security threats against people in crypto.”
Awareness of the risks is rising among some members of the gilded crypto class. Some have taken it to the extreme, going so far as to cloak their identities with usernames and pseudonyms — even among their coworkers — to maintain anonymity and personal security.
Demand for high-tech physical security gear and services is growing. Many owners of crypto rig up their homes with visible alarms and cameras. Panic rooms are not unheard of at some particularly wealthy figures’ properties, according to tech workers, along with executive-protection agents — as well as sniffer dogs that have occasionally been seen patrolling the grounds at parties.
People don’t need to make themselves invulnerable; they just need to create enough of a hassle to make attackers decide to go after easier targets, said Nick Neuman, who cofounded the crypto-security firm Casa with Lopp and is its CEO. “It’s kind of like the joke or metaphor of running from the bear,” he said. “You just need to not be the slowest person.”
For some crypto owners that means using “custodial” services like Anchorage, Coinbase Custody, or Fireblocks to remotely store their crypto assets for them, essentially serving as a digital bank vault. This makes it more difficult for anyone to steal them or forcibly obtain them. “If you kidnap me today, I have no direct control of the funds,” a venture capitalist said of his firm’s holdings. An alternative is “multisig” wallets, where the consent or signatures of multiple “key holders” are required to move funds — protecting assets even if one person is compromised.
Geography matters too, with some countries seen as presenting higher risks. A former employee of a high-profile crypto project was warned by its corporate-security team that they believed a cartel in Mexico was developing a “hit list” of wealthy targets associated with cryptocurrencies.
But given the ethos of fierce independence among cryptocurrency devotees, there’s an inherent wariness of third-party services. A core tenet of the crypto culture is “Not your keys, not your coins.” It refers to the idea that decentralized networks like bitcoin allow people to transact directly, without intermediaries. If you’re relying on a bank-like service to hold the keys to your crypto, it’s arguably no longer really yours.
In some cases, crypto owners have resorted to decidedly old-fashioned methods to protect their high-tech treasures. One well-connected tech-industry figure said he knew someone who kept the keys to $350 million worth of cryptocurrencies in a physical safe and had another contact who buried the private keys for millions of dollars of cryptocurrencies in a forest for safekeeping.
Rocelo Lopes spent days trying to persuade his wife’s abductors not to harm her — and trying to persuade them to lower their initial demand of an eye-watering $40 million, to be paid via the privacy-focused cryptocurrencies ZCash and Monero.
Eventually, the price dropped as low as $2 million. Then the kidnappers screwed up. They had been communicating with him via the encrypted messaging app WhatsApp, but one of them finally placed a call to him from a payphone near their location.
Despite the warnings not to, Lopes had secretly looped in law enforcement, and police investigators were able to identify the hostage-takers’ location: São Paulo, a 10-hour drive away. Armed police officers descended on the location and were able to free the hostage and arrest many of the conspirators, killing one in the process. Lopes’ wife was unharmed.
In the aftermath, he reassessed his approach to security. His family moved to a more secure condominium, bought a bulletproof car, and hired bodyguards to protect his wife and children.
At the time Lopes’ wife was kidnapped in 2017, bitcoin was on an upward tear at about $1,300 a coin. In 2022, bitcoin and other cryptocurrencies are worth many times that. Even after the recent crash in crypto values, bitcoin is worth nearly $44,000 a coin — and many owners of crypto assets are no better prepared than Lopes was in 2017.
In November, attackers broke into the Spanish home of the social-media entrepreneur Zaryn Dentzel and tortured him in an attempt to force him to give up tens of millions of dollars in bitcoin. Ten days later, thieves elsewhere in Spain forcibly stole a bitcoin ATM from a Barcelona store after ramming it with an SUV. The following month, two men were arrested in Indonesia over a robbery that cost a couple $400,000 in cryptocurrency and cash. Two weeks after that, 11 people serving time at a jail in Ontario were accused of taking two of their fellow prisoners hostage to force them to transfer their cryptocurrency holdings.
“This is still pretty niche and edge-case type of thing,” Lopp said. “But you know as the space goes more mainstream, it’s something that we expect to come up more and more often — just because more malicious-minded people will be testing out to see what the risk and reward is for trying to physically attack people who have bitcoin and other digital assets.”