Key Takeaways

  • A wrench attack is physical coercion — robbery or kidnapping aimed at forcing you to hand over crypto. No amount of cryptography stops it once someone has access to you.
  • The biggest enabler is exposure: people who publicly signal large holdings become targets. Privacy is your first and cheapest defense.
  • Duress PINs and decoy wallets let you surrender something believable while protecting the bulk of your funds.
  • Layered custody — small spending wallets, hidden vaults, and multisig — limits how much any single coerced action can lose.
  • Operational security is a habit, not a product. The goal is to make yourself a hard, low-information target.

The name comes from an old security joke: instead of breaking your encryption, an attacker just hits you with a $5 wrench until you unlock it yourself. It stopped being funny once self-custody went mainstream. When you hold your own keys, you are also holding your own physical risk. There is no support line to freeze a transfer that you signed at gunpoint.

This piece is not about scaring you out of self-custody. It's about the part of security most guides skip: what to do when the threat is a person standing in front of you, not a hacker on the other side of the world. The practical answer is a small set of techniques — duress PINs and decoy wallets chief among them — built on top of one simple principle: never make it obvious you have anything worth taking.

What a wrench attack actually is

A wrench attack is any in-person attempt to coerce you into transferring crypto. It can be a street robbery, a home invasion, a kidnapping, or a slower scheme where someone close to you applies pressure over time. The defining feature is that the attacker bypasses your digital defenses entirely. Your seed phrase could be split across three vaults on two continents, and none of it matters if someone has your hands and your hardware wallet at the same moment.

Crypto makes this category worse than traditional cash robbery for two reasons. First, transfers are irreversible and near-instant, so an attacker can extract value in minutes and be gone. Second, balances can be enormous and portable — there is no equivalent of a bank vault's time-lock or a teller who can quietly trigger an alarm. The attacker knows this, which is exactly why visibility is the thing that turns an ordinary person into a target.

Why exposure is the real vulnerability

Most wrench attacks start with information. Someone has to believe you hold enough to be worth the risk. That belief usually comes from things you can control: posting gains on social media, using your real name on public addresses, bragging in group chats, or simply living a lifestyle that doesn't match your visible income. On-chain data is public, so a wallet tied to your identity is a permanent, searchable advertisement of your balance.

This is the cheapest fix available and the one people resist most. Privacy is security. Keep large holdings off any address connected to your real name. Don't discuss specific amounts. Be wary of meeting strangers from online communities in person, especially anyone who already seems to know what you hold. The goal is to be a question mark, not a confirmed target.

Decoy wallets: give them something to take

A decoy wallet is a real, funded wallet you are willing to lose. The idea is straightforward: if you are forced to hand over crypto, you surrender the decoy, which holds a small but believable amount. The attacker sees a successful transfer, gets paid, and has less reason to keep pushing. Meanwhile the bulk of your funds sits in a separate location they never learn about.

The decoy has to be convincing. An empty wallet or one holding a trivial amount can enrage an attacker who believes you're hiding more — which is the worst outcome. Fund it with an amount that looks like "this person's whole stash" relative to how you present yourself. Many hardware wallets support this directly through a feature often called a passphrase or hidden wallet: one PIN or passphrase opens the decoy, a different one opens the real vault. To anyone inspecting the device, only the decoy exists.

How passphrase-based hidden wallets work

A passphrase is an extra word or phrase added on top of your recovery seed. The same 24-word seed produces a completely different set of wallets depending on the passphrase you enter. No passphrase reveals one wallet; a specific passphrase reveals another. There is no on-device flag saying "a hidden wallet exists," so an attacker cannot prove you're holding back. The trade-off: if you forget the passphrase, those funds are gone forever, because it is never stored anywhere.

Duress PINs: trigger a fake unlock

A duress PIN (sometimes called a wipe PIN or decoy PIN) is a second code that does something other than open your real wallet. Depending on the device and configuration, entering it can open a decoy wallet, show a low balance, or — on some hardware — wipe the device entirely. Under coercion, you enter the duress code instead of your real one. The attacker watches you "comply" and sees exactly what you've configured them to see.

Duress features pair naturally with decoy wallets. A duress PIN that quietly opens a believable decoy is generally safer than one that wipes the device, because a sudden wipe can look like resistance and provoke the attacker. Whatever you choose, the behavior under duress must be plausible. The whole technique fails if the attacker can tell the difference between your real unlock and your fake one.

Layered custody limits the damage

No single trick should hold your entire net worth behind it. The stronger model is to spread funds across layers so that no one coerced action drains everything:

  • Spending wallet: a small hot wallet on your phone for daily use. Treat anything here as expendable.
  • Decoy vault: a modest, believable balance you can surrender under duress.
  • Main vault: the bulk of your holdings, protected by a passphrase or hidden wallet and never discussed publicly.
  • Deep storage: long-term holdings under multisig, where multiple keys held in different places are required to move funds.

Multisig deserves special mention for high-value holders. A multisignature setup requires several independent keys to approve a transaction — say, two of three. If those keys live in different physical locations, a single wrench attack can't move the funds, because you genuinely cannot complete the transfer alone. You can tell an attacker the truth — "I physically cannot send this without keys I don't have here" — and it holds up, because it's real. The cost is added complexity and the discipline to manage keys properly.

Comparing the main defenses

Defense Protects against Main trade-off
Privacy / low profile Being selected as a target Requires ongoing discipline
Decoy wallet Losing everything in a forced transfer Must be funded believably
Duress PIN Real wallet exposure under coercion Behavior must look plausible
Passphrase / hidden wallet Discovery of main holdings Forgotten passphrase = total loss
Multisig deep storage Single-point coercion Complex, slower to use

If it happens: comply, then recover

Security writers agree on one uncomfortable point: in an active wrench attack, your life is worth more than your coins. The point of decoys and duress codes is to give you something safe to surrender so you never have to choose between your funds and your safety. Hand over the decoy. Do not improvise heroics. Once you are safe, contact local authorities and move any funds that may have been exposed.

This is also why layered custody matters before anything goes wrong. If your real vault was never on the device the attacker held, recovery is simply moving funds to fresh keys at your own pace. If everything was behind one PIN, there is nothing left to recover. The work you do calmly today is what gives you safe options on the worst day.

Pros
  • Decoy wallets and duress PINs let you comply safely while protecting most of your funds.
  • Privacy costs nothing and removes you from most attackers' target lists.
  • Layered and multisig custody make a single coerced action far less catastrophic.
Cons
  • Hidden wallets and passphrases mean total loss if you forget the credential.
  • Decoys only work if funded and rehearsed convincingly; sloppy setups can backfire.
  • More layers mean more complexity and more ways to lock yourself out.

Not by itself. A hardware wallet protects against remote hacking, but if someone physically forces you to unlock it, the cryptography doesn't help. Features like passphrases and duress PINs are what add physical-coercion protection on top.

A decoy wallet is a separate, modestly funded wallet you can surrender. A duress PIN is the mechanism that opens it — a second code that, under coercion, reveals the decoy or a fake balance instead of your real funds.

It can be. If an attacker realizes the device wiped, it may look like resistance and escalate the situation. A duress code that opens a believable decoy is generally safer than one that visibly destroys access.

Risk scales with perceived holdings, not just actual ones. If you've publicly signaled gains or your address is tied to your name, you can become a target regardless of real balance. Privacy and a small decoy are low-effort protections worth having.