The figures presented in this article are based on verified incidents, as of April 30, 2026, cross-referenced with public sources. This data represents the visible portion of a significantly underreported phenomenon.
In our Skynet Wrench Attacks Report published in February 2026, we concluded that this type of incident had become an established threat vector for cryptocurrency holders. A few months later, the data continues to amplify this trajectory.
2026 Numbers: A Closer Look
Between January and April 2026, we recorded 34 verified incidents internationally, compared to 24 over the same period in 2025, representing a 41% increase. The monthly breakdown shows 13 incidents in January (vs. 9 in January 2025), 5 in February (vs. 6), 10 in March (vs. 7), and 5 in April (vs. 2). The February dip reflects the delayed effect of large-scale police operations conducted across Europe in late January, before a sharp rebound in March.
Estimated losses across all demand types (failed, ransom paid, frozen funds, funds recovered, etc.) amount to approximately $101 million over 4 months.
If the observed trend continues linearly, 2026 will close with approximately 130 incidents and several hundred million dollars in losses.
The European Hyper-Concentration
The most striking shift is geographic. Our 2025 report documented a gradual tilt from Asia and North America toward Europe, and these first four months of 2026 mark a European hyper-concentration. 28 of the 34 recorded incidents occurred on the continent, accounting for 82% of the global total. By comparison, Europe represented 39.5% in the whole 2025.
All other regions recorded a decline in absolute terms over the same period: North America dropped from 9 incidents to 3, Asia from 25 to 2, and the Middle East from 2 to 1.
Within Europe, France dominates the country-by-country breakdown by a wide margin, with 24 documented and public incidents compared to 4 over the period and 20 for the entirety of 2025. The United Kingdom, the United States, Belgium, Hong Kong, the Philippines, Spain and Turkey round out the list.
Why is France the Global Epicenter?
At Paris Blockchain Week 2026, the French Ministry of the Interior publicly acknowledged 41 incidents linked to physical attacks in France since the start of the year, a rate of approximately one assault every 2.5 days. Several converging factors explain the French concentration:
- The presence of several flagship industry companies (Ledger, Paymium, Binance, etc.) and their executives.
- A culture of flexing and voluntary doxxing that remains deeply embedded in the community.
- The proven exposure from numerous sensitive data leaks of both governmental and professional origin. France ranks among the most targeted countries in the world for this type of breach.
The Ghalia C. case, a tax official at the DGFiP (General Directorate of Public Finances), is a prime example. Ghalia is accused of exploiting government tax software to specifically query crypto-asset holder profiles before selling that data to criminal networks.
In January 2026, Waltio, a company specializing in crypto accounting, issued a warning about a data breach. Multiple sources established an operational link between these leaks and the wave of kidnappings observed in France since the start of the year.
Notable 2026 Cases
Three cases stand out from the first months of 2026:
- Yong Wang (Istanbul, Turkey — January 2026). The 38-year-old Chinese entrepreneur, reported missing on January 24 after arriving in Istanbul, was found buried vertically in a shallow pit in the Arnavutköy district, hands and feet bound, mouth sealed. The investigation established a revenge motive linked to a prior crypto-asset dispute, with wallet extraction before execution. Ten suspects, including one woman, were arrested in China following the issuance of an Interpol Red Notice. This case marks the first verified crypto-related homicide of 2026.
- Nancy Guthrie (United States — January 2026). The 84-year-old mother of journalist Savannah Guthrie was kidnapped as part of a $6 million bitcoin ransom demand, illustrating the documented trend of proxy target selection already identified in our 2025 report.
- Sillytuna (UK — March 2026). The longtime crypto figure and indie game developer was physically forced to hand over approximately $24 million in aEthUSDC. The attack involved weapons, kidnapping and rape threats, with the victim reporting he was held down by four assailants. Funds were rapidly laundered across multiple chains and converted into Monero.
Attacker Profiles and TTPs
Attacker Profiles
The first layer consists of ground-level operators: teams of 3 to 5 individuals, predominantly male, ranging in age from 16 to 50, recruited from peripheral urban areas. Most of the time, they are recruited via messaging apps such as Telegram or Snapchat for a few thousand dollars. They don't know each other and are complete amateurs.
On April 25, 2026, the PNACO announced the indictment of 88 suspects, including more than ten minors, across 12 active judicial investigations, with 75 remanded in pre-trial detention. Charges cover kidnapping, unlawful confinement, extortion, and money laundering in an organized criminal setting. The growing proportion of minors signals an increasing externalization of criminal liability toward profiles less exposed to mandatory minimum sentences.
The orchestrators are very often located outside the target country (Morocco, Dubai, Eastern Europe, etc). They purchase data lists, commission coordinators, and receive funds before laundering them.
TTPs
Early 2026 marks the shift to a "data-driven targeting" model in which prior physical surveillance becomes unnecessary once attackers have the victim's full name, home address, financial profile, and so on.
Access techniques remain broadly the same as in 2025, with a strong persistence of the Doorbell Vector (delivery personnel, fake police officers, etc.) and the Honeypot (fictitious business meetings, fake OTC deals, etc.).
However, the systematic targeting of proxies is worth highlighting, particularly in French cases. More than half of incidents involve a member of the primary target's family (spouse, child, elderly parent), either as a direct victim or as a pressure lever.
State Insider Threats
The data extraction carried out via DGFiP software demonstrated that a mid-level government employee could, without triggering any automated alert, exfiltrate tax records containing personal addresses, declared assets, and crypto capital gains history. French authorities are currently investigating potential additional breaches within the tax administration and other agencies holding sensitive data (Urssaf, public banks, etc.).
Certain cybercriminal groups specifically recruit this type of profile to gain access to these databases.
This dimension introduces a systemic risk: as crypto reporting obligations strengthen across Europe (DAC8, MiCA, TRACFIN registers), the concentration of sensitive data in sovereign databases creates an opportunity target for criminal networks.
Conclusion
These first four months of 2026 do not correct the trajectory identified in the Skynet 2025 report; they worsen it. The structural takeaway is clear: as the security of protocols and wallets tends to improve, the threat migrates toward the human link. As long as crypto-asset holdings remain associated with identifiable financial data, physical coercion will remain the economically most rational attack path.
