A thief disguised as a delivery driver stole $11 million in cryptocurrency from a San Francisco homeowner Saturday morning after pulling a gun, binding the victim with duct tape, and forcing him to hand over his wallet credentials. The attack adds to what security researchers are calling a record year for physical violence targeting crypto holders.
The suspect arrived at the residence near 18th and Dolores streets in Mission Dolores around 6:45 a.m., using the delivery disguise to gain entry before brandishing a weapon.
After restraining the homeowner with duct tape, the attacker forced him to provide access to his crypto wallets along with a laptop and phone, according to a police report obtained by the San Francisco Chronicle.
San Francisco police haven’t released details about injuries or arrests. The department didn’t respond to requests for comment.
Wrench Attacks Hit Record Pace
Jameson Lopp, chief security officer at self-custody platform Casa, maintains a database tracking physical attacks on crypto holders. His data shows over 50 documented “wrench attacks” globally this year, roughly double the number recorded in 2024. The term comes from a 2009 webcomic illustrating how threatening someone with a $5 wrench defeats even the strongest encryption.
Recent incidents show the pattern spreading globally. Russian crypto promoter Roman Novak and his wife were murdered in the UAE in October after meeting with men posing as investors who demanded access to his crypto wallets.
Just yesterday, Thai police arrested a South Korean man and three Thai nationals for allegedly kidnapping and robbing a Chinese victim of over $10,000 in cash and crypto.
The San Francisco robbery represents one of the largest single-victim thefts this year. At $11 million, it dwarfs most wrench attacks, which typically target smaller amounts but have become far more frequent as crypto prices recover and adoption spreads.
Cybercrime consultant David Sehyeon Baek explained that investigators will “move on all three fronts at once: devices, blockchain, and victim profiling, rather than choosing one over the others.” The first 24 to 72 hours are critical.
“In the first 24–72 hours, they’ll push hard on the hardware side,” Baek said. Authorities will attempt to track the stolen phone and laptop while working to secure any remaining assets held on exchanges before attackers can move them. “In parallel, they’ll try to identify the exact wallets and addresses involved so blockchain specialists can start tracing outflows in real time.”
That timeline matters because coerced transfers let attackers move crypto within minutes, especially if they route funds through privacy-focused services.
Digital-only thefts are more likely to be flagged and frozen by exchanges, but physical attacks bypass those safeguards entirely. Once the victim provides wallet access under duress, the crypto moves immediately.
“The hard truth is that identifying the suspects is usually far more achievable than recovering the stolen crypto,” Baek noted. Blockchain analysis can trace where funds go, but recovering them requires cooperation from exchanges or mixers that may not be willing or able to freeze assets, particularly if attackers move quickly through privacy tools.
Why Physical Attacks Are Surging
Crypto’s core features, which include self-custody, irreversible transactions, and pseudonymity, make physical attacks attractive to criminals. Digital exploits require technical skills and often leave traceable evidence. Physical attacks need only a weapon and knowledge that someone holds significant crypto.
The delivery driver’s disguise represents a common pattern. Attackers nowadays will pose as couriers, service workers, or business associates to gain access without raising suspicion. Once inside, they use violence or threats to extract wallet credentials, seed phrases, or hardware wallet PINs.
Mission Dolores, where Saturday’s attack occurred, sits in one of San Francisco’s more affluent neighborhoods. The area has seen tech workers and crypto investors move in over the past decade, creating a concentration of potential high-value targets. Attackers likely research victims beforehand, identifying those with substantial holdings through social media posts, professional profiles, or leaked database information.
The 6:45 a.m. timing suggests planning. Early morning reduces the chance of witnesses while catching victims when they’re less alert. Using a delivery service as cover provides a plausible reason to knock on doors at odd hours without attracting neighborhood attention.
See also: $25M Ethereum Exploit Trial of MIT Brothers Ends in Mistrial After Jury Deadlocks
Even with rapid investigation, recovering stolen crypto remains extremely difficult. Blockchain transparency means investigators can watch funds move in real-time, but watching isn’t the same as stopping. If attackers transfer crypto to addresses controlled by non-compliant exchanges or privacy services, those funds effectively vanish.
Some sophisticated attackers use mixers or privacy coins to obfuscate the trail within hours of a theft. Others hold stolen crypto for months before moving it, betting that investigation resources will have shifted elsewhere by the time funds resurface. Either strategy drastically reduces recovery chances.
Hardware like the stolen laptop and phone might provide leads. If the victim’s devices contain exchange account information, investigators can alert those platforms to freeze remaining funds. Device tracking might reveal where the attacker went immediately after the robbery, potentially leading to physical evidence or surveillance footage.
But the $11 million already transferred from the victim’s wallets is probably gone. Unless the attacker makes mistakes using a KYC exchange, leaving funds sitting in an identifiable address, or getting caught with the victim’s devices still in possession, recovering that crypto approaches impossible.
Crypto enthusiasts promote self-custody as protection against exchange hacks, government seizure, and institutional failure. Not your keys, not your coins. But self-custody still poses a different vulnerability: your physical safety becomes the weak point in security.
Someone holding $11 million on a major exchange faces platform risk, but attacking them physically accomplishes nothing. The exchange controls the funds, not the victim. Someone holding $11 million in self-custody is personally responsible for securing those assets, and a gun plus duct tape defeats most security measures.
This paradox explains why Casa and similar firms have built businesses around secure self-custody solutions.
Multi-signature wallets, geographically distributed keys, and time-delayed transactions can prevent coerced transfers even if attackers gain physical access to one keyholder. But these solutions require technical knowledge and planning that most crypto holders haven’t implemented.
The Mission Dolores victim presumably held $11 million in self-custody that could be accessed from a single location with the right credentials. That setup prioritizes convenience over security against physical threats. It’s a reasonable trade-off when wrench attacks seem like distant risks. It becomes a catastrophic mistake when someone shows up at 6:45 a.m. disguised as a delivery driver.
See also: New Amatera Stealer Targets 149+ Crypto Wallets Using Fake CAPTCHA Trick
San Francisco police will work with federal agencies and blockchain forensics firms to trace the stolen funds and identify suspects. The FBI and Secret Service both investigate high-value crypto thefts, especially when they involve interstate or international components.
If the attacker used the victim’s devices to transfer funds, metadata from those transactions might provide location data or IP addresses.
Exchange cooperation will be critical. If any portion of the $11 million hits a major platform like Coinbase, Binance, or Kraken, those exchanges can freeze assets and potentially identify the account holder.
Smaller exchanges or decentralized platforms offer less recourse, but investigators will likely issue broad alerts across the industry.
Whether investigators identify the suspect or recover any portion of the $11 million, this incident will likely be added to Lopp’s database as another data point in crypto’s ongoing physical security crisis. The technology promises financial sovereignty, but that sovereignty comes with risks that most early adopters never anticipated.
If you’re reading this, you’re already ahead. Stay there by joining Dipprofit’s private Telegram community.
Discover more from Dipprofit
Subscribe to get the latest posts sent to your email.
