— Briefing 001 · July 2026

The target has
moved.

Physical coercion, digital asset wealth, and the new protective standard for principals, families, and firms.

Download the PDF →✦ Six pages · No registration required
+75%

Verified physical attacks on crypto holders, 2025 vs 2024

+66%

Kidnapping incidents year over year

>40%

Of global incidents occurred in Europe; France led all countries

~2×

2025 tracked toward double the prior record year for physical attacks

01

Summary

In 2025, physical violence became a structural feature of digital asset risk. Verified coercive attacks against cryptocurrency holders rose 75 percent year over year, kidnappings rose 66 percent, and Europe overtook North America as the most affected region, with France recording more incidents than any other country. Both major tracking firms state plainly that the confirmed numbers understate reality: many cases are resolved privately and never reported.

The pattern is not random street crime. It is targeted, researched, and increasingly organized. Attackers select victims whose wealth is discoverable, whose movements are predictable, and whose assets can be transferred irreversibly in minutes under duress. The household, not the exchange, is now the soft point: spouses, children, and parents are within scope because they are leverage.

The central argument of this briefing is simple: for anyone holding or controlling significant digital assets, custody design is now a personal safety control, and personal security is now a custody control. Firms and families that continue to treat these as separate problems are defended against the previous decade’s threat, not this one’s.

02

2025 was the inflection point

The numbers no longer describe an edge case. Blockchain security firm CertiK verified 72 physical coercion incidents against crypto holders worldwide in 2025, up from 41 the year before. Kidnapping was the most common method. Physical assaults rose 250 percent. Confirmed losses exceeded 40 million dollars, a 44 percent increase, a figure the firm itself describes as significantly understated due to under-reporting, silent settlements, and untraceable payments.

Chainalysis reached the same conclusion from independent data, and added a finding that matters for planning: the frequency of physical attacks correlates with the forward price expectation of bitcoin. Rising asset values do not merely enrich holders. They recruit attackers. Periods of market strength should be treated as periods of elevated physical threat.

Two further shifts deserve attention. First, targeting has moved down-market: victims now include individuals with moderate holdings who are simply known to own crypto, not only funds and founders. Second, the attacks are increasingly the work of organized, transnational crews using open-source research to select and locate targets, rather than opportunists. Publicly reported cases across France, Austria, the UAE, and the United States in 2025 involved planning, surveillance, and coordination across borders. Several ended in the death of the victim.

03

Why digital assets break traditional protection

Executive protection and kidnap-for-ransom response matured around the mechanics of traditional finance. Those mechanics quietly did protective work. Moving large sums required banks, institutions, business hours, and time. Transfers could be delayed, flagged, frozen, or recalled. That friction created negotiating room, gave responders time to operate, and made the victim more valuable alive and unharmed over a period of days or weeks.

Digital assets held in self-custody remove nearly all of it. A private key or a recovery phrase is a bearer instrument: whoever holds it holds the asset, and a coerced transfer settles in minutes, irreversibly, at any hour, from anywhere. Time-to-loss collapses. The person becomes the vault: where custody is concentrated in one individual’s knowledge or devices, that individual is a single point of failure, and coercing them is the attack. Recovery is not a fallback: there is no issuer to reverse the transaction, which raises the value of prevention relative to response. And the family is in scope: because leverage is the mechanism, anyone the principal will trade assets to protect is a target.

None of this means traditional protective disciplines are obsolete. It means they are insufficient on their own, and that the custody architecture itself must be designed to hold under physical duress, not just cyber attack.

04

How exposure accumulates

Principals rarely become targets through one mistake. Exposure accumulates across layers that individually look harmless. On-chain transparency makes wealth legible: public ledgers are permanent and searchable, and address clustering can connect holdings a holder believed were separate. Breached identity data joins that wealth to a name and an address: exchange and service breaches have repeatedly exposed customer records, and the 2025 insider-enabled leak at a major U.S. exchange demonstrated publicly how a cyber incident converts directly into physical targeting risk.

Professional visibility, lifestyle signal, and pattern of life complete the chain. Funding announcements and conference speaking establish that a person controls significant assets. Social posts that display wealth, locations, or family routines materially assist target selection. Predictable routines between residence, office, and school runs are what convert interest into opportunity: reported European cases have clustered around residences and routine movements, not offices or events.

The protective takeaway is that exposure review must span all five layers at once. Reducing any single layer helps; the compounding across layers is what an assessment must map, because it is what an organized crew maps.

05

The protective framework

ERS organizes protection around one moment: the incident, the X. Everything a principal, family, or firm can do falls before it or after it, and the disciplines reinforce each other.

Before the X: reduce what is discoverable, through structured exposure assessment and systematic reduction, with protective intelligence monitoring for the indicators that typically precede targeting. Design custody to fail safely under duress: multi-party approval, transaction limits, time-locks, allowlisted destinations, and formal duress protocols, so that no single person, under any pressure, at any hour, can move everything. Done well, this is also a deterrent: crews select targets by expected yield, and architecture that visibly cannot pay quickly changes the calculus. Train the principal and the household in situational awareness, surveillance recognition, and family crisis protocols, rehearsed rather than merely briefed. Harden the fixed points: residence, movement, devices.

After the X: response quality is decided before the incident. A credible posture includes a pre-agreed response protocol defining who communicates, who decides, and who engages law enforcement and counsel; duress signals and pre-positioned decision rights; kidnap and ransom insurance coordinated with a professional response capability; and liaison established in the jurisdictions where the principal actually lives and moves.

06

Implications for boards, funds, and family offices

For organizations, this threat class lands as a duty-of-care and continuity issue, not only a personal one. Key management staff are targets precisely because of their organizational role, and an attack on an executive’s family is an attack on the firm’s ability to operate. Boards and investment committees should be able to answer four questions. Which individuals, including family members, could be coerced into moving material assets, and what stops a transfer executed under duress? What identity and address data about those individuals exists in third-party systems, and what happened to it in the last breach? Have at-risk principals and their households received scenario-based prevention training, or only a briefing document? If an incident began tonight, who would know, who would decide, and within how many minutes?

Where the answers are unclear, the gap is usually organizational: custody sits with the CISO or operations, personal security with a separate vendor, and the family with no one. The threat exploits exactly that seam. Converged risk requires a converged program with single-point accountability.

Sources: CertiK, Skynet Wrench Attacks Report (February 2026); Chainalysis, 2025 Crypto Crime Mid-Year Update. Consistent with ERS editorial policy, this briefing discusses targeting and attack patterns at the level required for protection and omits operational detail, victim identification, and ransom specifics.

— Future briefings

Receive future briefings privately.

Pattern-level analysis for principals, families, and the firms that protect them. No fear-mongering. No operational detail. Unsubscribe at any time.