Jameson Lopp is our next speaker Jameson has been building multi-sig wallet since
2015 in addition to Casa he also founded Mensa's Bitcoin special interest group
Mensa is that organization for the really smart people I'm in it I mean the
Facebook quiz that I took said that if I wanted to be in it I could be in it it was
like three minutes and after I bought their literature they said that I could
but he actually formed the Mensa's Bitcoin special interest group so within the subset of people who
invest in Bitcoin there are genius level people that have been accredited by the Mensa organization
within that subset of people and within that subset of people there are a special interest
group of people that Jamison worked with to form this group is that an accurate depiction was that
highfalutin enough okay the triangle Bitcoin and business meet up and several open source Bitcoin
projects he enjoys researching various aspects of the ecosystem and giving presentations about what
he has learned the hard way while trying to write robust software that can withstand both advert
adversaries and unsophisticated users like all of you obviously based on this that's been the theme
so far it's like mobile devices for the people and y'all cheer and the Mensa people are like these people
I'm just playing and how to protect yourself from a wrench attack please welcome Jameson Lopp am I
saying that right Lopp Lopp okay come on high IQ green button yes I got the last mic so I'm good all right
yeah so I'm a nerdy engineer guy but there's a lot of stuff about this ecosystem that's very fascinating
outside of just the technology the humans in particular and so I have been specializing in
security for about 10 years and while a lot of that does have to do with the technical aspects you know at
at the end of the day we're all humans and we're trying to secure these tiny amounts of data these private
keys and doing that sounds easy on its face but is ultimately a really massive user experience challenge
and you know to top it all off of everything else now we actually have you know physical criminal elements
that are going out and coercing people into basically bypassing all of the technical security measures
that they have set up around their keys so that's why I just want to give a detailed analysis of the wrench
attacks that we've been seeing and if any of you have been paying attention on social media you may have
noticed that they seem to be happening a bit more frequently so what is a wrench attack it all goes
back to this xkcd from I think over 10 years ago but the point being oh you know I'm a super nerdy guy
and I've got this really fancy encryption that's keeping all of my data protected and you'll never
get access to it and then of course the common criminal just comes along and says I just beat him
with this wrench until he hands over the the password and the decryption and so that kind of goes
kind of goes to show that it's very easy to overthink the level of security that you have
and completely miss a fairly obvious flaw that might be sitting right in front of you and I think
this is actually a good example of a lot of people who may have complex and convoluted technical security
schemes but ultimately they themselves and their physical body are a single point of failure and they
haven't really thought about how to deal with that from a technical architecture so I will say you know I
don't want to be the the fud guy I think that it is important to put this all in context wrench
attacks are probably the rarest type of attack that happens in this space we are aware of about 230 so
far though there have definitely been more than that that have not been publicized but there are many many
greater more common threats that you should be worried about long before you start worrying about the wrench
attack and unless you're up standing on a stage in front of a lot of people talking about bitcoin crypto
security stuff you're probably not as much of a high profile target for wrench attacks but you know if
you're thinking about like what are the the higher risk things that I should be worried about obviously
trusted third parties you should not be leaving your crypto assets on exchanges you should be taking
self-custody that immediately gets rid of a large swath of issues beyond that of course getting your keys
off of the internet that protects you from probably like 95 percent of remote type hacking attacks and these
days I would say one of the more trendy up-and-coming attacks that people should be more worried about
is just social engineering and that's because over the past 15 years we have done a great job of improving
the best practices creating new technical sophisticated security software hardware and other mechanisms that
make it harder for a hacker to get in and just wipe you out so what are the adversaries
doing now they've realized the weakest point for a lot of people in this ecosystem is their brain
this is essentially what social engineering is it is hacking your brain to convince you to basically
bypass all of your authentication and security measures and voluntarily give access to a third party or
literally send your money to them so this is something we're seeing a lot actually as a result of various data
data leaks you may have heard about like coinbase has had data be data leaks recently a number of other
exchanges and service providers are unfortunately required by government's regulatory agencies to
request and store very sensitive information your personal information and of course information is very
difficult to keep from flowing freely this information ultimately tends to get leaked passed around and the
criminals then get a hold of that and they use this to create highly targeted spear phishing and
social engineering attacks that's what we're seeing happen a lot today
now like i said we're only aware of a few hundred like media and law enforcement
attacks that has been you know corroborated by legitimate authorities but there's reason to believe
that there have been far more and there was actually a study by some academics at cambridge a couple of
years ago where what they did is they went out and they grabbed the entire bitcoin talk forum data set and
they basically used ai and other search methods to try to find everyone who ever talked about
something that could have been a wrench attack and they actually found 672 posts that were talking about
physical you know real world attacks that's more than three times as many as we're aware of that have been
authenticated by media and law enforcement so right there off the bat there's reason to believe that there there could very easily be three to four times as many
many physical attacks happening compared to what we're actually aware of
they interviewed a number of people that uh that would respond to their messages
because they obviously wanted to better understand exactly what had happened in all of these incidents
and this is another interesting stat they came up with is that of the people who did respond to them
only two out of the eleven bothered to report the attack to law enforcement so you know that's another
reason to believe that the attacks that we know of may only be in the like 20 25 30 range and there's
there's some logical reasons why people don't go to law enforcement for one you're going to start creating
public records you may end up in the media you may end up getting even more attention and you may end up
getting attacked again there certainly have been people who have been wrench attacked multiple times
and also i think in general especially in the earlier days this may be less true today but in the earlier days
a lot of law enforcement would look at this and say oh you've got some funny internet nerd money there
there's nothing that we can do about this we don't really care we're not going to spend much time
trying to help you out and um this is also just consistent with a lot of types of online property
crime and for a variety of reasons online crime can be much more difficult for law enforcement to deal with
especially you know if the perpetrator is in a completely separate jurisdiction i can tell you
from personal experience that you know when in the united states if you're dealing with crimes that are
happening across state lines you're probably out of luck unless you can get federal law enforcement
involved federal law enforcement you know has limited resources and they're probably not going to get
involved unless you're talking millions of dollars in damages or some sort of imminent life and death
situation so of the attacks that we're aware of you can actually see some fairly obvious correlations
where if you look at the years and the number of attacks it's it's roughly correlated with the price
right so you know we had the massive spike in 2017 and there was a bit of a lag where then 2018
a bunch of criminals came in and started attacking people and then we had a few years of a bear market
everybody get disinterested including the criminals then we have another
uh bull market same thing happening and it is noteworthy if you see 2025 here uh we're already
well on pace for the highest annual number of wrench attacks we're definitely going to have more than
one wrench attack per week this year and so by the end of the year you know i expect that you know we'll
basically be at an all-time high of wrench attacks once again keeping this all in perspective you know
compared to all of the other security issues and attacks that happen in the space this is relatively
small what if we break it down by geography well if you look at the just absolute number of attacks
the united states uh seems to have the most there's a lot of caveats here uh one you know i am generally
the one uh who is keeping track of these things a lot of people come and contribute to the open source
repository where i keep track of them but there there is a number of different biases that are likely
inherent in this data one being that you know a lot of the alerts that i have set up of course are for
english language so if french attacks are happening in other languages and they're not getting translated they
may not matriculate uh around the ecosystem and eventually end up on my radar um there's also
possibility that that just has to do with the media and what they're looking for and picking up on and the
fact that you know bitcoin crypto adoption in the united states is really high compared to a lot of other places
and um this of course is only absolute numbers so i wanted to understand what happens if we look at it
per capita this actually greatly changes the landscape of what it looks like the security risk for wrench
attacks will be now this is kind of weird because we're working with a really really tiny data set
and it may be even difficult for you to see where the the red is on this map but it's iceland estonia
madagascar and the united arab emirates now those first three are kind of edge case aberrations
because there's only been one wrench attack in each of those countries but they have such tiny
population that per capita it puts them at the top uh uae in particular in particular dubai has had
nine wrench attacks so it's not a one-off there there is a very strong pattern of wrench attacks there
with otc trades for large amounts of cash so dubai is actually from a number of different perspectives
very risky uh only really if you're doing these otc trades i will say to dubai's credit it's a very
bad place to be a criminal performing these wrench attacks because dubai has a 100 success rate in
catching these criminals very quickly before they can escape the country so there there have been no
known wrench attacks in dubai where the criminals have gotten away with it what if we start looking
at all of the different characteristics of these attacks though um while you know the vast majority
of them are some sort of violent robbery where a perpetrator has a weapon and is basically coercing
the victim into handing over their money there's a number of different
aspects that could go along with that one interesting thing is that home invasions are quite common
and i suspect this is because of what i mentioned earlier with a lot of you know personal identifiable
information kyc information basically people's home addresses tend to be very easy to find so if you have
someone who's a known holder of digital assets you can probably find out where they live and most people
do not have particularly hardened uh physical security at their house and that's where we end up with a large
number of home invasions basically someone comes uh knocks on the door you open the door and that's game
over for you uh very similar number though of kidnappings are happening which is basically you know instead of
striking when someone's at home they are surveilling you they're figuring out what your movements are
and either uh enticing you to go somewhere where they can then entrap you and kidnap you or just
grabbing you off of the street that's you know actually happened a few times just in the past month
in paris in fact the parisian authorities believe that there is one single organized crime ring that is
perpetrating all of the recent kidnappings and attacks that are happening in france
now as i said otc trades that's another very common thing because they're basically
going out and there's websites of course where people are advertising their services of doing otc trades
so they can just ring you up and say hey i want to do a trade for a few hundred thousand dollars
and usually they get you to come to a hotel room where there's no surveillance there's nobody
watching and that's when they tie you up and take whatever you have a decent number of these also
involve torture this is a particularly nasty aspect of what's happening in this space you may have heard
about just last week i believe in new york city um there was a a couple of different entrepreneurs in
this space who seem to have had a business dispute with someone that they were involved with and they
enticed him to come and talk about the issue and they basically uh tied him to a chair and tortured
him for several weeks and to that man's credit he never handed over the assets and he eventually
escaped and those guys are currently in prison um there are some non-violent ones burglary theft
uh sort of snatch and grab scenarios we've seen stuff where people will um basically get you to hand
your phone to them and then they'll uh move whatever assets you have available on the phone
uh there's also a number of drugging attacks where people use things like scopolamine to
make you highly compliant so that you will just do whatever you're told and you don't even need to
really be coerced now what are the attackers return on their investments this is another thing where there's
really big caveat here because we're already really far down uh into this tiny number of cases
where most of them don't get reported and even the ones that do get reported very few of them talk
about how much value was taken so it's entirely plausible that these numbers are an order of
magnitude smaller than they really are simply because we don't have the information but once again you can
kind of see um you know somewhat related to bull and bear market cycles um 2017 2018 we're aware of like
seven eight million dollars in total that were taken in 2019 there were attacks but none of them actually
said how much was taken but really like 2021 and on we seem to be off to the races and we've had you know
over three we've had three years with over 30 million dollars uh accumulated total taken by these physical
attacks and um you know that was basically averaging millions of dollars per attack
and to get even more specific uh there have been several attacks right here in vegas uh just last
november there was one attack was actually a a sex worker and she drugged a guy she was with and took
three hundred thousand dollars from him and then there was another guy who's a resident of las vegas and he
was putting on a crypto event and several guys followed him home after the event then kidnapped
him took him out to the desert said we're going to kill you and leave you here unless you give us
everything and uh that he handed four million dollars over to them so point being you know we're in this
discovery phase where the criminal element the small number of sociopaths out there who are willing to
hurt other people for their own personal gain they're trying to figure out you know should i rob a bank
should i rob an armored car why would i go after a really hard physical target when i can probably get
an order of magnitude bigger payday against a really soft target that has basically no physical security
so also um it's kind of interesting that it seems about 10 percent of these cases the attackers knew their
victims like i said in the new york case it was like a business dispute so definitely be wary of who
you're hanging out with and who you're sharing information with you never know uh what someone's
situation might be you know maybe they're incredibly in debt and owe people a bunch of money who are going
to hurt them if they don't pay them off it's it's hard to know what people's incentives are so you know if
you're telling somebody about your financial situation especially in this space where we're talking about
digital bearer assets that are highly liquid you probably shouldn't tell them any details unless it's
someone that you literally trust with your life so what's the success rate of these attacks well it's
not it's good for the criminals it's not so great for us because you know we are sending a signal to these
criminals that they're going to have a high rate of success if they attack us so amongst the 225-230
attacks that i've cataloged two-thirds of them the attackers are successful that doesn't mean that they
get away with it permanently but at least the initial attack they get the money from the victim what about
the justice rate this is another uh potentially biased metric because the media doesn't always follow up
with whether or not these people uh the perpetrators got attacked but at least amongst the uh incidents
that i have looked into 60 percent of the suspects uh in these incidents were captured a lot of them were
actually captured and they had failed in their attack but um it's once again not a very good news for us
because i think we're sending a bad signal to the criminals here uh until we start putting up more of
a fight and and making sure that they are failing in these attacks um i think we're basically incentivizing
criminals to to harm us so some not so fun facts very low success rate when it comes to self-defense
i see a lot of people on social media being like oh uh i'm good i have a gun i would be able to stop
anyone who can attack me and of course you don't want to have to rely upon defending yourself with a weapon
you have to sleep at night you don't have eyes in the back of your head unless you have like a security
team of multiple people that are acting as your bodyguards you have weaknesses and the criminals will
surveil you and they will wait for a weak moment to attack you so that's one reason why i think we
have such a a low success of self-defense on the bright side only about three percent of these cases
end up in murder i think the criminals who are committing these crimes do not want a homicide charge
hanging over their heads they just want the payday they want to get in they want to get out and move on
and you should be aware that they tend to pose sometimes as law enforcement sometimes as service
workers this is usually because they want to get you to open the door to your house to do a home invasion
but in some cases it's actual law enforcement doing this i don't think in the united states it has been
law enforcement but especially in like southeast asia india pakistan area there have been a number of
corrupt cops that have performed these attacks so what should you do well shut up uh stop flaunting
your wealth a lot of the people who are getting attacked are the like lifestyle luxury influencer
types who are basically showing off walking around with you know million dollar watches and stuff
don't do face-to-face trades if you really have to do face-to-face trades do it in a secure environment
where there's like public people watching and it's not just like a private parking garage or a hotel room
obviously don't talk about your finances be aware of the risks of where you are know your exits
situational awareness is important don't accept food drinks or smokes or anything that you're ingesting
from people you don't trust with your life that's how you get drugged and in general just think about
what does it take for you to move large amounts of your wealth if it's possible for you to do that
very quickly in a few minutes then you're not doing a good job of being your own bank you are making
yourself open to coercion and how do you get around that well that would be where i would show my own
company what we do at casa is we help people get into distributed multi-sig setups where it's intentionally
very difficult to spend those funds but just realize that you know with great power comes great
responsibility so think about your home security like i said a quarter of these attacks are home
invasions don't give out your home address if you can get away with it obviously kyc can make that very
difficult hey use use some of these decks and swap services that they're talking about that don't require
kyc that's just another reason why you should be interested in that type of functionality and of course
don't open the door for anyone that you're not expecting there's a lot of very common physical
security advice that's out there of how you make your home less appealing and you know a little harder
target when it comes to physical security one of the best things you can do is get a dog you know it's man's
best friend but they're also one of the best nature's best security systems so i didn't have a ton of
time to go into all the details but i'm the paranoid security guy so feel free to hit me up or call us
up at casa or security consultation experts and we're happy to talk about all of the digital and physical
security issues that those of us in this space are facing thank you