Wrench Attack

A wrench attack is the use of physical force, threats, or coercion to make someone reveal a password, seed phrase, or PIN — defeating even unbreakable cryptography by attacking the person rather than the math. The name comes from a widely shared 2009 xkcd comic that pointed out the futility of ever-stronger encryption against an attacker willing to use a cheap wrench. In security literature the same idea is called rubber-hose cryptanalysis.

Why it has become a Bitcoin problem

As cold storage, multisig, and hardware wallets have made remote theft genuinely hard, criminals have shifted to the human attack surface: if you cannot break the code, you break the person. Researchers tracking these incidents have documented hundreds of physical attacks on cryptocurrency holders, and the pattern is growing because Bitcoin is high-value, portable, and irreversible once transferred. A victim coerced into signing a transaction has little recourse.

Defending against it

Because cryptography offers no protection here, defenses are behavioral and structural. The first and cheapest layer is privacy: practice rigorous OPSEC so that no one knows you hold Bitcoin in the first place. Structural defenses make coercion less profitable — for example, geographically distributed multisignature setups where the attacker in your home cannot access enough keys to move funds, or timelocks and decoy wallets holding small balances. The aim is to ensure that an attacker who reaches you physically still cannot extract everything by force.

A realistic wrench-attack scenario belongs in every holder's Threat Model, even if it is uncomfortable to contemplate.