Apparently, the key to stealing millions in cryptocurrency is one question: “Do you have a pen?”
That’s how a thief gained access to the home of a person with a flush crypto “wallet” on Saturday, ultimately running off with $11 million in cryptocurrency, according to a report by Megan Cassidy in the San Francisco Chronicle. This is just the latest example of a trend of criminals physically targeting the owner to get access to their crypto rather than defrauding or hacking them online. In response, some big-time crypto investors are even hiring bodyguards and taking survival courses.
Saturday’s incident unfolded in the early evening at a home on Dorland Street in Mission Dolores. Security camera footage shared on X by Y Combinator head Garry Tan shows a man in dark clothing, a mask, and sunglasses approach the front door. (Tan has since deleted the video, but it was preserved by other sources online.).
“I have a package for Joshua. Can you sign for it?” he asks.
The victim opens the door, at which point the “deliveryman” acts like he has misplaced his pen. On the video, you can hear the victim turn around and go back inside to look for one. The thief then calmly walks in behind him. What unfolded next is unclear, but police told the Chronicle that the thief held the victim at gunpoint and tied them up with duct tape before fleeing with a phone and laptop.
Cryptocurrencies like Bitcoin and Ethereum have been hailed by some investors as the future of money because they use a decentralized network independent of central financial authorities (like banks). All transactions are tracked on a public, permanent ledger known as the “blockchain,” and users are only identifiable by an “address” for sending and receiving transactions.
This system does not mean that a criminal cannot find out who an individual investor is and take their crypto by brute force, said Stacey Blau, a former CIA operative and security expert who is now president of Integritas Investigations and Security.
A crypto address is akin to a bank account number, and each user has an elaborate, unique “key,” not unlike a PIN number, that lets them access their funds. Some choose to host this information online for the convenience of faster transactions and third-party security. Others, however, keep their crypto data on their own physical “wallet,” which often look like external hard drives or USB sticks. These wallets can be taken in what are called “wrench attacks.”
“There have been some high-profile attacks on large crypto exchanges where people lost money,” Blau told me. “For these reasons, we’ve seen the rise of physical devices to store crypto information. Of course, criminal networks now see it as an opportunity.”
Wrench attacks are often followed by a series of rapid fund transfers designed to confuse investigators. This operation requires less technical expertise and planning than a remote crypto scam or hack. All the thief needs to do is get a victim to give up their private key.
Thieves have targeted all kinds of people, from small-time retail investors to public figures. In March, the home of streamer and OnlyFans star Amouranth was invaded by four teenage robbers while she slept; they demanded her crypto accounts and physically attacked her before her husband appeared and shot at the assailants, sending them fleeing. She had previously posted information online about her crypto accounts, highlighting some $20 million in holdings.
So far in 2025, there have been about 48 wrench attacks targeting crypto investors — a 33% increase compared to the same time last year, according to an analysis by Jameson Lopp, an engineer and expert in crypto.
Blau stressed that the simplest way criminals find their targets is by tracking people who talk about their crypto accounts and transactions on social media, podcasts, and elsewhere.
But an investor doesn’t have to announce their own holdings to risk being targeted, Blau said. Criminal networks can hack identifying information from exchanges and, in some cases, glean the user’s physical address. Other times, a user’s mistake while connecting a physical crypto wallet to the internet can inadvertently leave a digital trail for thieves to follow.
“Obviously, I can’t speak to this specific case in SF, but there’s no way these attacks are occurring randomly,” Blau told me. “Whomever carries out an attack like this has some kind of physical or professional proximity to the victim or their information.”
The question of whether law enforcement can track down the person who made off with the crypto in Mission Dolores remains murky. Federal agencies like the Internal Revenue Service and FBI already work with mainstream crypto exchanges like Coinbase that collect and verify user data. But tracking such evidence requires cooperation from the exchange; many smaller exchanges are hosted offshore in international waters and purposefully do not cooperate with police, Blau explained.
There are ways to make a crypto wallet safer, including using layers of verification with so-called “multisig” wallets and other tools. But nothing beats the foundational steps: Not sharing your crypto activity in public, and making sure you maintain awareness of personal and home security, Blau said.
“The perpetrator in this SF case played his role very effectively, using social engineering to pose as a courier. One lesson is that if you look the part, if you’re confident, you can make it past a gatekeeper, whomever that is,” she observed. “That’s not just in crypto, but all kinds of crime.”
