Today's guest is Jameson Lopp, co-founder and chief security officer of Casa. Welcome, Jameson. Hi, good to be here. The crypto world was shocked to hear about a crypto-related kidnapping in Vierzon in France of David Balland, a co-founder of Ledger. Although such attacks have been happening for a while in crypto, what caught more people's attention about this particular one is that the kidnappers cut off one of his fingers and sent it with their ransom to his associates. And you have been chronicling these types of attacks for years on a GitHub page, but I was curious just to hear your thoughts and reaction to hearing this particular story. Yeah. I mean, there were a few unique aspects to this. For example, in this particular case, even though the victim himself was kind of an OG in the space, it seems like the attackers were not trying to extract money from him, but rather using him as a hostage to go up the food chain, so to speak. To one of the other OG players at Ledger. And I think this is the first time that we've heard of someone cutting off fingers as a part of ransom, but it is by no means the first time that we've heard of torture and other types of mutilation that have been used in these type of attacks. But usually that is to try to extract money directly from the victim themselves. And so I wasn't aware. So they were trying to extract the ransom from what other Ledger co-founders? Yes. My understanding is that they basically sent a video or a photo of the finger to Eric, who was one of the other co-founders of Ledger and that he was really the primary person that they were trying to get money from. Okay. Éric Larchevêque, I guess. I don't speak French, but I'm guessing that's how you pronounce his last name. Yeah, I'm not sure. And explain how this particular incident got resolved.
Well, thankfully the Ledger team really jumped into action and it seems like law enforcement in France is also quite responsive. So they started working with law enforcement immediately. We don't know many of the details of what happened, but somehow they were able to locate David and then shortly after that locate his wife, who was at some other different location. And as this was going on, I think it was like a one to two day long incident. They were dealing with the attackers. They were sending some partial ransom payments, and then they had a whole team of people behind the scenes that was working on the money aspect of things of basically trying to keep track of the money. And then as a result of those efforts, they were successful, I think, in freezing and seizing a large amount of the ransom payment. So, you know, all in all, once this got wrapped up, I think it was a pretty big operation. It sounded like 10 people got arrested and who knows if there still might be other people out there that were involved in the incident, but I think this is kind of showing that these type of attacks are becoming more sophisticated and they're becoming more organized. It's not just the random one off guy trying to attack someone with a weapon, but we're seeing now groups of people coming together. And, you know, some people may specialize in certain things and, you know, they're continuing to play this game of figuring out what is the return on investment for performing this type of attack. And so I think we should expect that these type of attacks are going to continue to be more sophisticated, especially against the well-known public figures who are either explicitly or implicitly expected to have many, many millions of dollars worth of crypto assets. Yeah. And what was interesting too about this case involving David Balland is that he hadn't even worked at Ledger for four years or something.
So, you know, it wasn't like he had a current role there, but yeah, they used him to target, I guess, other executives who are currently there. You know, I gotta, I gotta give it to Dave or David because he updated his X profile, like pretty much right after it all got resolved saying kidnapping championship 2025 with like a trophy emoji. And then he wrote Ledger co-founder fingers, nine of 10, which definitely seemed cheeky and, you know, showed like a certain kind of resilience very shortly after what must have been a terrifying experience. Um, so let's now talk about your GitHub page where you have been chronicling these types of attacks, which are also known as wrench attacks. Why did you start doing that? Uh, mainly because I, I'm a, a numbers nerd. I mean, I do all types of metrics and analytics track all types of different trends in this space. And I felt like this was an interesting trend because it's not like directly like a part of any blockchain or, you know, network metrics. Uh, this is more, you know, meat space metrics, like real world adoption, but it's real world adoption by, you know, criminals attacking known people in this space. Um, it was also, you know, it was somewhat self-serving because a I work in the security space. So I want people to have a better understanding of, you know, what is the actual risk and frequency of these type of attacks. And it was very personal because I myself am on the list. I got swatted in 2017 and that turned into this whole multi-year ordeal of me trying to get justice for the attack against me. Yeah. I recall that incident and yeah, I, I feel like, I feel like you came on the show maybe and talked about it even. Yeah. Quite possible. I've talked about it to so many people. I've lost track. Right. 
Well, you know, as you've been chronicling this over time, what trends have you noticed in these types of attacks in terms of where they're located or who they tend to target or, you know, you kind of already mentioned they are, it seems like they're getting more organized. Yeah. Now I think one of the, the big caveats that kind of has to go along with this is the fact that there's absolutely no guarantees of accuracy in my archive due to the nature of how I get these stories. And it's basically mostly through word of mouth or Google alerts. So I think it likely vastly under reports the, the true number of attacks for several reasons. One of those is that I, and really a lot of security professionals in the space are well aware that a lot of these attacks never get publicized because the victims don't want to talk to anybody, even law enforcement, because they're afraid that, you know, that will make them an even bigger target and result in follow-up attacks. And there have been people who have had follow-up attacks in this space. So it is a legitimate concern. Also, I probably miss out on a lot of attacks that happen in non-English speaking countries. You know, unless an attack gets published by the media and that gets picked up and syndicated and in somewhere translated into English, it's probably not going to make its way to me and into the archive. So, you know, we don't really know, for example, like how many attacks have been happening in Russia. You know, there have been a few though. I think it's been a few years. More recently, some of the trends that I've been seeing, there seem to be more attacks happening in like the Thailand, Philippines, South Asia areas. I've been hearing some interesting trends where it seems like organized crime in China is targeting Russian nationals. It's targeting Russian nationals who are living or visiting abroad. I'm not entirely sure why that's happening.
You know, maybe it's, you know, they learn about the people because they're from that area. And then maybe they think for some reason it'll be safer for them to perpetrate the crime abroad and then go back to their nation. I don't know. I think it's just an interesting point to note. And, you know, we haven't had, I think, as many wrench attacks in places that are considered safer, you know, whether that's like America, Europe, England, whatever. But then in the past month or so, there have been like four different attacks in France and right along the French border in Belgium. So I think it's hard to say that there's like any specific place that's more dangerous than another. The main thing that I've been trying to tell people is that it's really, it's more about your personal risk profile than it is of like the, the nature of crime in your area, because this is not a normal type of crime, right? This is a really fringe edge case, at least right now, hopefully it stays that way, but with the trends going the way they are, I doubt it will. And so essentially, if you pop up on somebody's radar because you're engaging in risky activity, then you could live in a completely safe neighborhood. But if you're getting specifically targeted, especially by organized crime, you know, they're not going to necessarily care about that. They're going to do what they can to bypass as many safeguards as possible and get to you, the high value target. Yeah. What you said about the data being incomplete, I, I definitely can say for sure, there are more attacks than are reported. So, you know, people should, should be aware of that. Yeah. This archive is a great resource, but it's just limited in its nature. So in a moment, we'll talk a little bit more about some of the factors that Jameson mentioned, but first a quick word from the sponsors to make this show possible. Mantle is revolutionizing its on-chain financial hub.
Powered by a $4 billion treasury and proven products like Mantle Network and mETH Protocol, Mantle is launching three innovation pillars: Enhanced Index Fund for optimized crypto exposure, Mantle Banking for blockchain-powered banking, and Mantle X for AI-driven innovation. Experience the future of finance with Mantle, and follow Mantle on X to stay tuned. Behold Quai Network, born of proof of work, a layer one to end the system's murk. With energy and currency entwined, the first energy dollar is designed. Decentralized, it stands both stable, strong. To scale commerce the globe sought so long. Unstoppable, it fuels the DeFi dream, where global trade and power cross the stream. DeFi carves paths for monetary change, a platform where these forces rearrange. Sustainability and money blend. Discover how at qu.ai transcends. We have another listener comment, this one in response to Chris Stixson talking about just how bad debanking in crypto was under the previous administration. On X, P.R. Murphy said, "It's not just debanking. It's also excessive KYC at both banks and crypto exchanges. It took us six months to get approved at an exchange you've probably heard of. And debanking has become so normal, we always try to keep two spare corporate accounts. Massive time suck." Again, if you want to hear your comment featured on the show, please write a review or leave a comment on an episode on YouTube or X. Back to my conversation with Jameson. One comment I want to make before I ask you my next question is just when you mentioned the Southeast Asia area, that is a center for the pig butchering scams. So I wonder if more people are like understanding crypto there. And that's maybe one of the reasons there's been an uptick in these types of crimes in the area. So something that you mentioned was you said that you felt it's not so much about any particular geography or anything, but it's about somebody's personal risk profile.
When you use those words, what exactly do you mean? Well, you know, we have nearly 200 cataloged physical attacks at this point, which is starting to get to be enough of a data set that you can start to try to tease out some patterns. And there are definitely some patterns in terms of activity by the victim that I think people should be aware of, because I think if you avoid those things, then you make yourself less likely to become a target. And some of those are engaging in face to face high value OTC trades, which basically means buying or selling crypto assets for large amounts of cash, regardless of which side of that transaction you're on, if you're, if you're going physically to some location where you're meeting with someone that you don't trust with your life, then, you know, that's a big potential for them to basically defraud you, right? They show up and they say, okay, you give me your stuff. And then they don't give you their side of the trade. And I've seen this seems to be happening a lot in both like the Middle East and in Thailand, I believe where we're seeing people essentially meet up in hotel rooms. And then, you know, you, you go into the hotel room and you immediately get jumped and tied up and they take everything they can and run away. So don't do that. If you're going to engage in a transaction of that nature, you should do it somewhere that's either, you know, highly secure or highly public someplace that has, you know, lots of video surveillance, preferably physical security. It sounds kind of silly, but if I was going to engage in something like that, I would do it in a bank or in some sort of like high security financial institution. Next biggest issue that seems to come up a lot is basically people flaunting their wealth. So in this case, it really is more of the, like the, the influencer types who are like the lifestyle influencers. 
And you know, they're out on social media and they're, you know, spending lots of money, showing off, spending lots of money, showing off watches, other types of goods that are high value and easily stolen. And if you're throwing crypto in the mix, you know, that just kind of makes it even more palatable, you know, there, there have been a handful of what you might call like crypto influencers who have been hit. I actually just last week as a part of some of these French attacks, and I was looking into more French attacks. I realized that there was a, a French YouTube crypto influencer guy who had a home invasion like three years ago. And I just never heard about it until I started digging into these things more recently. I suspect that a number, or at least of the ones that I'm aware of some of the undisclosed unpublished attacks are against fairly big names, fairly influential people in the space, but you don't have to be a big name. You, you can certainly be a nobody. And if you are in a data leak, for example, we believe we don't have like hard evidence, but we believe that at least a few of these attacks are the results of data leaks from various crypto provider services over the years, because some of those leaks had a lot of personal identifiable information, including home addresses for people. And how do you think it is that people that attackers are deciding on their targets? Is it literally just what you said? They, they meet a stranger and the stranger agrees to meet them in some way that puts them at risk or, or their influencers where they're flaunting their wealth or, you know, aside from those that are somewhat obvious kind of risky behaviors, like how else do you feel like they're finding out about who they'd like to target? Yeah. I mean, I think a lot of it is what you would just call open source intelligence, which is a, if people are voluntarily posting stuff on social media that can get people's attention. 
And that's how I got attacked was, it was basically, I was pissing people off during the Bitcoin block size wars in 2017 and the wrong person took something the wrong way. And then they happened to know somebody who specialized in swatting people and they're like, Hey, you should hit this guy and extort him. So, you know, it can be somewhat random like that. This is something that I try to get people to understand with regard to privacy is that, you know, the internet is a double-edged sword. On one hand, it's great because we now have essentially access to all of human knowledge at our fingertips instantly. The flip side is that when you start publishing information, you can go in a matter of minutes or hours from being a nobody, you know, nobody's paying attention to you, to being somebody who may have the ire of millions of people drawn to them. And this, you know, this happens all the time on social media where one person just says the wrong thing that triggers people. And that goes viral. And there can be real world consequences from that. You know, people losing jobs, having folks like showing up at their house, getting swatted. So it happens on a daily basis now on the internet. If you are a controversial person, or even if you're usually not, and you just say one thing that gets taken the wrong way and becomes controversial, it's a, it can be a very fickle thing. So, you know, that's why I think you have to be very careful about what you're doing or saying and what you're putting out there. Because it can all be used against you. And oftentimes the information that you put out there is used against you in ways that you never really considered. Yeah. This isn't like necessarily a negative example, at least initially, but the Hawk Tuah girl is a perfect example. Yeah. Where she was a nobody and she just said one thing and, you know, became instantly famous.
So crypto at this moment, as everybody in crypto is very much aware right now, it's just been put under the spotlight in a much bigger way than it ever has been. You know, I mean, we literally just had the president give crypto a national, you know, priority status. And I wonder, do you feel like the attacks have been on an upswing because of that? Yeah. I mean, they roughly are correlated with the price. And I will say specifically over the past month or two, it has been accelerating at a rate that we've never seen before. Now, of course, plenty of caveats there. Maybe more of the attacks are getting reported because the media is just getting more interested in crypto. Maybe there actually are more attacks happening. And that's because once again, these just the general public consciousness and understanding and interest in this space is increasing because more public people who have large audiences are talking about it. Therefore, more people are just thinking about it, then that kind of trickles down to the fact that sociopaths and criminally minded people then start thinking about it more. So, you know, in the in general, I'm optimistic about humanity in the sense that I think like most people are good people and they don't want to hurt others for their own gain. But I do work in the security space. I've seen kind of the worst side of things. And, you know, there's some tiny fraction of people out there who just don't have the same ethics and morals as the rest of us, and they are willing to harm others for their own gain. So let's talk a little bit more about the solution that they used in this Ledger attack. They basically contacted a bunch of these different like stablecoin companies and things like that to freeze the funds. What do you think of that solution? I mean, it's not surprising. The vast majority of quote unquote stablecoins are highly centralized and can be frozen and seized by their issuers.
The main problem that usually you run into with that is just speed of being able to, you know, get the messages to the administrators fast enough to actually be able to stop it before it gets sent off to some either centralized or decentralized exchange where it's moved around and transferred to other networks. And fast, early action is a very key aspect of being able to intervene in cases like that. You know, if you wait even a few hours or a day or two, then oftentimes the proceeds from crime has already been dispersed through so many different networks and mixers and whatnot that it becomes very difficult to track. Yeah, I think that I read that while they were dealing with the kidnappers, they were making calls frantically to have the solution in place. So that way they could immediately freeze the funds at the, you know, exact right moment. So of course, I'm sure you're aware that people listening to the show will want to know how they can limit these types of wrench attacks. So what would you recommend, especially, you know, for people who do want to maintain some sort of self custody or, you know, maintain or adhere to some principles of decentralization? Yeah, well, I mean, the first thing, like I said, is just don't engage in high risk activities. Don't flaunt your wealth beyond that, especially if you're going into self custody and thinking more about the technical aspects of security. You know, you want both good physical security and good digital security. And I've written about this extensively. If you're thinking about wrench attacks, you basically have to envision a scenario in which you are a single point of failure. You know, essentially your body, your mind, you're no longer under control of yourself. You have to assume you're under duress and that you will do whatever you are instructed to do. 
So from a purely technical perspective, the only way that you can then protect your assets against yourself is to actually have them spread out such that you cannot immediately directly access them. And this is where things like what we do at Casa with multi signature, multi key distributed wallet solutions comes into play. And it's it gets really complicated because it's it's personal for everyone's situation. And, you know, what physical places they have access to, you know, what friends or family they may trust enough to give one or two keys to. And it's it's something that I think you either have to spend a ton of time researching and building for yourself or hire an expert like us. And you consider us basically a security consultant because we've done this thousands of times and we've seen basically every permutation of situation under the sun. So, you know, a lot of people out there are kind of bearish on self custody. They're like, oh, you can't protect against all of these things. And I'm like, well, it's possible. It's just not simple. You know, you have to have a fairly high level of knowledge and understand all of the things that can go wrong so that you can architect a solution that will protect you from them. And, you know, we've had a number of successes in that case because I guess the short version of what we do is we architect solutions that eliminate single points of failure. And that includes you as a person that includes us as a company and as a security service. Yeah. And, you know, just to make clear for people who feel like, oh, it's it's such a hassle and I would put myself at risk. I would just want to hire another company to, you know, manage my custody for me. You know, the reason why places like Casa exist is that especially early on in the crypto world, exchanges were hacked all the time and people lost so much money by entrusting the security of their assets to another exchange or just any other entity. 
So, you know, there's risks that you have to weigh on both sides. Yeah, no, there's there's always risks. And, you know, we definitely hear a lot of people who say, well, I'm just going to leave all my money on reputable exchange X because they haven't had a major hack. And, you know, they have dozens or if not hundreds of employees who do nothing but specialize in the security for their platform. And, you know, that that is a valid way of looking at it. But you also have to understand that even a lot of these reputable exchanges that haven't had their primary wallets hacked and drained. Individual account holders at those services get hacked and drained all of the time. Like there are still single points of failure all over the place. You know, you could get hit by a SIM swap. You could get hit by some sort of impersonator that has all your private information. You can get phished. And if they get into your email account, they can usually own basically all of your other accounts and drain everything of value. So, you know, just because you have it with a highly reputable service doesn't mean that you're still not in danger. Like even if they're able to protect their cold storage, your account could still potentially get compromised and drained. Yeah. Yeah. There's definitely like a lot of research people should do to figure out kind of what trade offs they're willing to make or, you know, what solution feels most comfortable for them. All right, Jameson. Well, this has been a great conversation. Thank you so much for coming on Unchained. You bet. It's an unfortunate topic to talk about, but I think the reality of it is that it's going to become more and more prevalent in the coming years. Yeah. Yeah. Well, let's hope not, but people should definitely be wary.