Latest news with #JamesonLopp
Crypto Insight
2 days ago
- Business
- Crypto Insight
Wrench attacks drive crypto investors to centralized custodians
Crypto custodians are reporting increased interest in their services amid the rising frequency of so-called '$5 wrench attacks' on cryptocurrency traders, investors and project leaders. In the last year, several high-profile wrench attacks — physical attempts to steal someone's crypto — have targeted prominent investors and business executives in the blockchain industry. The crypto mantra of 'not your keys, not your coins' has lost its power among some investors who fear for their personal safety. Cold wallets may offer full control over digital assets, but they also present a single point of attack. As crypto adoption grows, and wrench attacks persist with the proliferation of more high-value crypto investors, custodians are seeing a shift in preference from self-custody to institutional control. Crypto wrench attacks drive security demand Wrench attacks are nothing new. Jameson Lopp, a Bitcoin advocate and chief technology officer of Bitcoin wallet Casa, published a GitHub repository logging hundreds of such incidents since 2014 — and those were only the ones reported in the news. In the last two to three years, as crypto adoption has sped up and become more mainstream than ever, attacks have grown more public and sophisticated. In January 2025, the founder of crypto wallet Ledger and his wife, David and Amandine Balland, were kidnapped, taken to separate locations and held at ransom. Just months later, the daughter of an exchange founder barely fought off attackers who attempted to kidnap her in a van on the streets of Paris. Concern over the rise in attacks and their similar methods led French Interior Minister Bruno Retailleau to meet with cryptocurrency professionals to discuss the issue. As concern over these attacks grows, crypto custodians are noticing an uptick in interest in their services. Emma Shi, over-the-counter and institutional sales director of HashKey, which offers custody and exchange services, told Cointelegraph, 'We're absolutely seeing rising retail anxiety translate into meaningful inflows. Wealthier retail investors are increasingly approaching regulated custodians after high-profile cases like the recent Manhattan kidnapping, where physical coercion was used to access private keys.' Shi said HashKey's custody business has noted increased interest in storage from 'family offices, crypto-native high-net-worth individuals and even those with nest eggs that are large enough to be vulnerable to theft.' Cold wallets have long been lauded by crypto advocates as a way to give investors full control over their assets and to keep them maximally secure offline. However, this single key also provides a 'single point of failure,' per Wade Wang, CEO of multiparty computation (MPC) crypto custody service Safeheron. Wang said that there is a 'flight to security' among crypto investors, where holders 'are actively seeking innovative solutions that eliminate that single point of failure to significantly raise the bar for attacking.' Already in 2023, a report from PricewaterhouseCoopers on the state of digital custody noted the challenge of cold wallets being prone to theft or loss. One solution posited in the report was MPC or multisignature wallet options. Can custody services stop wrench attacks? Crypto self-custody, while boasting a new technology, runs into the same problem as treasure hoarders throughout history — they were vulnerable to physical attacks and theft until they could share that risk with a stronger and securer institution like a bank. Robbing a bank is a lot harder than robbing a person. In the same fashion, crypto investors are now seeking to 'raise the cost' of the $5 wrench attack. Wang said that investors wish to 'return to the fundamental principle: making the cost for an attacker rise exponentially. For example, when it costs $3 million to steal $10 million, the incentive for attack is lost.' Third-party custody can achieve this and mitigate the problem of wrench attacks, adding time-locks and layers of approval and shifting the target from an individual to the custodian's employees. 'But it is not an optimal solution,' per Wang. Trust is still put in a single, centralized institution and, as exemplified by the recent breaches at Coinbase and Bybit, even major regulated crypto businesses are vulnerable to employee misconduct and phishing. Wang suggested that distributed custody, such as MPC, 'is a superior solution because it fundamentally solves the problem. The core principle of MPC is to use technology to decentralize the single point of control and risk […] into a 'multiparty' structure.' In such a system, control doesn't belong to any one person, and transferring funds requires complex consensus protocols from multiple parties. Decentralized solutions may better reflect the ethos of the blockchain industry, but 'we cannot neglect the benefits of centralized custodians,' Wang said. 'Reliable security measures bring better assurance of keeping clients' assets safe, a familiar way of doing things for lots of new crypto players.' Centralized or decentralized, crypto investors could still be at risk if the public image of crypto investors is that they are all walking around with cold wallets full of Bitcoin. Shi said, 'The perception of risk matters, too. Attackers often assume holders store funds themselves, so public awareness that more crypto is held in custodial solutions may deter opportunistic assaults.' Wrench attacks a 'temporary problem' solved by adoption Public perception is indeed changing. Retail investors are increasingly making crypto part of their portfolio, according to a 2024 report from Ernst & Young. New regulations in large financial markets like the EU and the US are creating the frameworks necessary for institutional investors to get involved. This regulatory shift has been good for the custody industry as well, as it 'legitimizes professional custody for everyday investors and is leading to more offerings from not only crypto-native firms but traditional banks as well,' said Shi. 'We're seeing crypto adoption accelerate in regions with regulatory clarity, which creates entirely new custody considerations for investors who previously relied solely on self-custody solutions.' Regulations also raise the stakes of wrench attacks, per Wang. Better regulatory frameworks with more jurisdictions 'proactively setting robust regulations' will 'inevitably lead to more severe law enforcement actions, which will significantly increase the cost of such attacks and fundamentally curb such behaviors.' 'We see the physical attacking as a temporary challenge,' Wang concluded. The crypto industry has evolved through many stages, but the rise of wrench attacks on prominent investors and executives shows that it has yet to reach the maturity of traditional financial markets. In the meantime, executives are not only moving their assets to centralized and decentralized custodians but also finding muscle of their own. Personal security firms have also seen an uptick in interest from crypto's elite to protect their homes and persons. Source:
Yahoo
18-07-2025
- Business
- Yahoo
Bitcoin Traders Are Discussing BTC's Record High, but Quantum Computing Is Threatening the Math Behind It
A new report by Capgemini warns that quantum computing may break the widely used public-key cryptographic systems within the next decade — threatening everything from online banking to blockchain security. The report did not single out bitcoin (BTC), but focused on encryption systems such as RSA and ECC — the same cryptographic primitives that underpin crypto wallets, transaction signatures, and key security in most blockchains. Bitcoin relies on elliptic curve cryptography (ECC) to secure wallet addresses and validate ownership. But ECC, like RSA, is vulnerable to Shor's algorithm — a quantum computing method capable of cracking the discrete logarithm problem, the core math behind bitcoin's private keys. Capgemini's findings were based on a survey of 1,000 large organizations across 13 countries. Of those, 70% are either preparing for or actively implementing post-quantum cryptography (PQC) — a new class of algorithms designed to resist quantum attacks. Yet only 15% of respondents were considered 'quantum-safe champions,' and just 2% of cybersecurity budgets globally are allocated toward this transition. 'Every encrypted asset today could become tomorrow's breach,' the report warned, referring to so-called 'harvest now, decrypt later' attacks. These involve stockpiling encrypted data now in hopes that quantum computers can break it later — a real risk for any blockchain with exposed public keys. In bitcoin's case, that includes over 25% of all coins, which have revealed their public keys and would be immediately vulnerable if Q-Day — the hypothetical moment quantum machines can break modern encryption — arrives. Earlier this week, a draft proposal by Bitcoin developer Jameson Lopp and other researchers outlined a phased plan to freeze coins secured by legacy cryptography, including those in early pay-to-pubkey addresses like Satoshi Nakamoto's wallets. The idea is to push users toward quantum-resistant formats before attackers can sweep dormant funds unnoticed. 'This proposal is radically different from any in Bitcoin's history just as the threat posed by quantum computing is radically different from any other threat in Bitcoin's history,' the authors wrote, as CoinDesk reported. While the timeline for Q-Day remains uncertain, Capgemini's report notes that breakthroughs in quantum error correction, hardware design, and algorithm efficiency have accelerated over the past five years. In some scenarios, researchers believe a cryptographically relevant quantum computer (CRQC) could emerge before 2030. Meanwhile, governments are acting. The U.S. NSA plans to deprecate RSA and ECC by 2035, and NIST has finalized several PQC algorithms like Kyber and Dilithium for public use, Capgemini said. Cloudflare, Apple, and AWS have begun integrating them, but as of Friday no major blockchain network (i.e. with tokens in the top ten by market capitalization) has made such moves. As such, bitcoin's quantum debate remains theoretical and all steps being taken are preemptive. But as institutions, regulators, and tech giants prepare for a cryptographic reset, the math behind crypto's security may not hold in retrieving data Sign in to access your portfolio Error in retrieving data Error in retrieving data Error in retrieving data Error in retrieving data
Yahoo
16-07-2025
- Business
- Yahoo
Bitcoin Devs Float Proposal to Freeze Quantum-Vulnerable Addresses — Even Satoshi Nakamoto's
A new Bitcoin draft proposal wants to do what's long been unthinkable: Freeze coins secured by legacy cryptography — including those in Satoshi Nakamoto's wallets — before quantum computers can crack them. That's according to a new draft proposal co-authored by Jameson Lopp and other crypto security researchers, which introduces a phased soft fork that turns quantum migration into a ticking clock. Fail to upgrade, and your coins become unspendable. That includes the roughly 1.1 million BTC tied to early pay-to-pubkey addresses, like those of Satoshi's and other early miners. 'This proposal is radically different from any in Bitcoin's history just as the threat posed by quantum computing is radically different from any other threat in Bitcoin's history,' the authors explained as a motivation for the proposal. 'Never before has Bitcoin faced an existential threat to its cryptographic primitives.' 'A successful quantum attack on Bitcoin would result in significant economic disruption and damage across the entire ecosystem. Beyond its impact on price, the ability of miners to provide network security may be significantly impacted,' they added. The draft BIP outlined three phases: Phase A: Banning sending funds to legacy ECDSA/Schnorr addresses, nudging users toward quantum-resistant formats like P2QRH. (Starts 3 years after BIP-360 implementation) Phase B: Make all legacy signatures invalid at the consensus layer. Coins in quantum-vulnerable addresses become permanently frozen. (Kicks in 2 years after Phase A) Phase C (optional): Introduce a recovery path for stuck coins using zero-knowledge proof of BIP-39 seed possession. This could be a hard or soft fork. But Why Now? Bitcoin's cryptography has never faced an existential threat and still doesn't, except pre-emptive ones that can possibly target early wallets. Researchers say quantum computers capable of breaking ECDSA may arrive as soon as 2027. A May report by CoinDesk flagged a new study suggesting that breaking RSA encryption with quantum computers may require 20 times fewer resources than previously thought. Although Bitcoin uses elliptic curve cryptography, it remains vulnerable to quantum attacks similar to those threatening RSA. Current quantum computers are not yet capable of breaking these encryption methods, but research is rapidly advancing. Earlier in July, eight legacy Bitcoin wallets moved over $8.5 billion worth of 'Satoshi-era' bitcoin after 15 years of dormancy — sparking speculation, among some, about moving to wallets with improved security as That's the red line for Lopp and the team. Around 25% of all bitcoin have exposed their public keys, meaning they're vulnerable to a 'Q-day' style attack. If attackers are patient, they could use quantum tools to quietly drain dormant wallets over time without tripping alarms. 'Quantum attackers could compute the private key for known public keys then transfer all funds weeks or months later, in a covert bleed to not alert chain watchers,' the draft proposal stated. 'Q-Day may be only known much later if the attack withholds broadcasting transactions in order to postpone revealing their capabilities.' The proposal is still in draft stage and has no BIP number yet. And it may be the only way Bitcoin survives a quantum in retrieving data Sign in to access your portfolio Error in retrieving data Error in retrieving data Error in retrieving data Error in retrieving data
Mint
18-05-2025
- Mint
Severed fingers and ‘wrench attacks' rattle the crypto elite
PARIS—The screams echoed down the narrow street in a trendy neighborhood here early Tuesday morning: 'Help! Help! Help!" Three men in black masks had jumped on a 34-year-old woman whose father runs Paymium, a French cryptocurrency exchange. Brandishing canisters of mace and what looked like a gun, the masked men attempted to force the woman and her toddler into an idling white van disguised as a delivery truck. But her husband threw himself between his family and the attackers, while a neighbor hustled away their child. 'Let go of me!" the woman yelled as the assailants bludgeoned the husband, his head seen spattered with blood in videos taken from nearby buildings. With other neighbors closing in, and a shopkeeper readying to throw a fire extinguisher, the would-be abductors jumped in the back of their van and sped off. The brazen attack was the latest in a wave of violent abductions around the world, including several in the U.S., targeting crypto executives and their families. Victims have been pistol whipped, abducted, and—in two cases—had fingers severed. The criminals' goal: millions of dollars in ransom in cryptocurrency. The assaults are often called 'wrench attacks" because they rely on simple tools for inflicting pain to coerce victims, rather than sophisticated tools for hacking them. Hacking has long been the primary risk for the crypto rich. But to thwart hackers, savvy cryptocurrency investors have increasingly taken their digital wallets offline in favor of physical devices, making remote theft more difficult. Real-world crypto crime bypasses those safeguards. 'A lot of people are getting to the hide-your-gold-under-the-matress level of security," said Jameson Lopp, the co-founder of bitcoin security company Casa. 'But if you are a high-profile person…that's when you have to worry about the physical attack." Those concerns intensified this week with cryptocurrency exchange Coinbase disclosing that as many as 97,000 customers have had their personal information stolen, including addresses and balance snapshots. The company said the data was likely stolen by bribed contractors or employees working in customer support, and that it had refused a $20 million ransom demand. Another factor motivating criminals: Cryptocurrencies have surged in value, with bitcoin up 54% in the last year, minting a whole new array of potential deep-pocketed targets. At least five crypto-related abductions have taken place in France in recent months, and there have been dozens of other recorded cases around the world in the last year, according to government officials and specialists in the sector. An Australian crypto billionaire narrowly escaped abduction in Estonia last July, local media reported, by fighting off attackers posing as painters. And in March a Houston crypto influencer was assaulted before her husband got in a shootout with robbers who invaded their home in the middle of the night demanding her laptop. Some of the assaults have been clumsy, with the criminals quickly caught. But there are signs that organized-crime rings see major profit potential. 'The criminal element is poking around trying to find out what is the [return on investment] on these wrench attacks," Lopp said. In September, a Florida man was sentenced to 47 years in prison for leading a ring that carried out a string of home-invasions across multiple states in search of crypto riches. In one of the attacks, the man held a pink revolver to the head of a 76-year-old Durham, N.C. man and threatened to cut off his genitals. The victim eventually transferred $150,000 worth of crypto to the attacker, who was later ordered to pay more than $500,000 in restitution to his victims as part of the sentencing. On Friday morning, French Interior Minister Bruno Retailleau gathered leaders of crypto companies for a meeting to present new security measures for the sector. Retailleau said Tuesday's attack appears similar to other recent abductions in France, in which officials say ringleaders recruited young criminals they never met using apps like Telegram and Signal and then 'remote controlled" them to execute their plan. 'It's probable that these cases are linked," Retailleau said in a televised interview. So far, most of the victims of reported wrench attacks have been tied to prominent names, either known for working in the crypto sector or for flaunting their wealth online. Killian Desnos, an online gambling influencer under the name Teufeurs—which means 'partier" in French—was well-known for his YouTube and Twitch streams when prosecutors say a person posing as an Amazon delivery driver rang his father's doorbell in a small town in northwestern France in August 2023. That person and an accomplice forced the father into a vehicle—and soon sent Desnos a ransom-demand video of his father, bound, with a gun to his head. Desnos, who was based in Malta, alerted the police but also paid the ransom, prosecutors said. His father was recovered the following day. Police soon arrested two people, who face kidnapping charges. 'Flexing on the internet wasn't a good idea—I realize that now," Desnos wrote on X at the time. A major question now is how criminals are finding their targets in the real world—and what to do about it. Already, members of the crypto community say they are turning their Instagram profiles private and are trying to remove their physical addresses, and those of their families, from public records. One executive said he is particularly worried because he has a young child. Following Tuesday's attack, Paymium urged authorities to lessen disclosure obligations that the company argues could put customers at risk in the event of a data leak. In addition to the Coinbase hack, two data leaks in particular have investigators worried. The first was the July 2020 hack of Ledger, a French crypto-wallet company that makes sleek physical devices that keep the keys to your cryptocurrency offline. In that hack, which accessed Ledger's marketing database, the names, email and postal addresses of 272,000 customers were eventually dumped online. The second was a breach of risk advisory company Kroll, which gave hackers access to addresses and other personal information belonging to creditors in the bankruptcy proceedings of the cryptocurrency company Genesis. Data from both of these hacks has been made available in criminal forums, cybersecurity investigators say. Others point out that a vast amount of personal data has been stolen and dumped in the past decade. In France, in particular, public incorporation records can include entrepreneurs' home addresses. Cybercriminals have become adept at figuring out their victim's home address by cross-referencing databases and even using paid sources of information, said Taylor Monahan, a security researcher at cryptocurrency wallet company MetaMask. This information is often made public in order to threaten and de-anonymize their victims, a form of online attack known as doxxing. 'The younger generation is just very internet savvy and they're very good at doxxing people," she said. Some Ledger users have already complained that the hack exposed them to extortion and threats. In early 2021, Naeem Seirafi, a cinematographer based in Los Angeles, started to receive phishing emails and text messages asking him to enter his Ledger account information to verify new deposits, or prevent a bug from wiping out his assets. Ledger Flex crypto wallets in a vending machine at the bitcoin 2024 conference in Nashville, Tenn. Next, someone sent him a message asking for a ransom of 0.3 bitcoin, then worth about $10,000, to prevent an attack on his home. 'You also happen to keep quite a lot of crypto," the person texted him. 'I'm going to share all that information (and more) with local area bad guys in your area." The threat was carried out, when his home was 'swatted" while he was away but his parents were inside. The local police department received a 911 call from a person who claimed he had just shot a friend at Seirafi's address, according to a police report. Almost a dozen officers swarmed Seirafi's home. After clearing the property, police confirmed it was a hoax. Seirafi later joined a class-action lawsuit seeking damages from Ledger that was filed in a district court in California. 'To the world of hackers, Ledger's customer list is a gold mine," their complaint said. A lawyer representing the class-action claim declined to comment. Ledger has argued to the court that Seirafi wasn't harmed by the hack because he hadn't lost any money. A spokesman declined to comment further. David Balland is one of the co-founders of Ledger. No longer involved directly in the company, he lives with his partner near Vierzon, in central France—where French officials say they were abducted at gunpoint before dawn one Tuesday in January. French police on a street in Méreau, near Vierzon in central France in January, as they secure the area following the kidnapping of David Balland, a Ledger co-founder. Within hours, other Ledger co-founders, including Éric Larchevêque, heard from the ringleader demanding ransom of 10 million euros—messages they knew were authentic because of the T-shirt David was wearing, people familiar with the case said. One message included a video of the abductors chopping off one of Balland's fingers. Police negotiators sat with Larchevêque while he communicated with the hostage takers. The negotiators tried to stall, authorizing an initial ransom payment of more than a million euros, while investigators scoured for clues to where Balland and his partner were being held. 'It was a race against time," Laure Beccuau, the Paris prosecutor, later said in a televised interview. 'It was about liberating these two hostages, it was about saving their lives." The police eventually tracked the kidnappers to a rental house surrounded by farmland some 40 minutes drive south of where the couple was grabbed. The police raided the house and freed Balland—but his partner wasn't there. 'We were convinced that they would actually be together. And well, when we realized that they were separated, that was really, really complicated," said Nicolas Bacca, another Ledger co-founder. Balland's partner wasn't found until the next day, in the back of a stolen van an hour and a half north, after another ransom had been paid. Paris prosecutor Laure Beccuau addresses a press conference after Balland and his partner were kidnapped from their home. Fortunately, the ringleader had asked to be paid in a dollar-pegged cryptocurrency called tether that is possible to freeze. Since the Ledger team put in place a plan to do that as soon as the hostages were freed, they were able to claw back roughly 80% of the 3 million euro ransom they'd paid, and more in subsequent days, people familiar with the case said. 'We've lived through unimaginable violence," Balland said in a social-media post asking for privacy for his family. He temporarily changed his profile description on X to read, 'Fingers: 9/10," according to a screenshot from the time. It's unclear how the attackers found Balland. His home address wasn't leaked in the Ledger hack, a person familiar with the breach said. Prosecutors in April filed preliminary charges against a man who people familiar with the case said was already being held in jail for charges related to the 2023 kidnapping of Desnos's father, and who allegedly had helped organize Balland's abduction while incarcerated. Investigators are still probing whether he was working for another boss, one of the people said. Earlier this month, the father of another Malta-based crypto entrepreneur was abducted while he was walking his dog in Paris. One ransom demand showed the father getting a finger chopped off. Several people were arrested in that attack, all between the ages of 18 and 26, according to prosecutors. Officials had to wait barely two weeks for another example to study. On Tuesday, the Paymium CEO's daughter only escaped by fighting back along with her husband, according to police, who said the gun brandished at the scene turned out to be a toy. Éric Larchevêque, a co-founder of Ledger, in 2018. 'They're doing as well as can be expected," Paymium CEO Pierre Noizat said of his daughter and son-in-law, whom he called a hero, in a televised interview on Friday morning. 'He has a few stitches." Noizat and others involved in prior attacks say the crime wave is shaking their faith in France's ability to control criminal gangs and drug dealers. Writing on X this week, Ledger's Larchevêque decried what he called the 'Mexicanization" of the country. 'How many entrepreneurs, how many talented individuals, are seriously considering leaving a country that no longer protects its people?"
