When Hackers Start Knocking: The Merger of Cybercrime and Physical Violence

In January 2025, masked men broke into the home of David Balland, co-founder of cryptocurrency hardware wallet firm Ledger, in central France. They abducted Balland and his wife, severed one of his fingers, and demanded access to his private keys and a ransom payment [1]. The couple was freed the next day after a police operation, but the attack signaled something that security professionals had been warning about for years: cybercriminals are no longer content to operate from behind screens.

Between January and November 2025, at least 69 physical attacks against cryptocurrency holders were documented worldwide — nearly triple the 24 reported in all of 2024 and almost four times the 18 incidents logged in 2023 [1][2]. The trend extends well beyond crypto. Ransomware operators now routinely threaten executives with bodily harm. Youth cybercrime networks coordinate swatting attacks and kidnappings. And a new criminal service model — dubbed "violence-as-a-service" by Europol — has emerged to broker physical attacks across borders [3].

The Numbers: How Common Are Physical Threats?

Quantifying the overlap between cyberattacks and physical violence remains difficult because many incidents go unreported. The best available survey data comes from Semperis, a cybersecurity firm that polled 900 IT and security leaders across the U.S., U.K., France, and Germany. Its 2025 study found that in 40% of ransomware incidents, threat actors threatened to physically harm executives at targeted organizations [4]. In the United States, that figure climbed to 46% [5]. Separately, 47% of victims said attackers threatened to file regulatory complaints — a form of institutional intimidation — if they refused to pay [4].

[Chart: Ransomware Escalation Tactics (% of Incidents). Source: Semperis 2025 Ransomware Study. Data as of Jul 1, 2025.]

These tactics appear to correlate with higher payment rates. Among all ransomware victims surveyed, 69% paid at least one ransom demand. Among U.S. victims — where physical threat rates were highest — 81% paid [5]. Half of those who paid handed over between $500,000 and $1 million, while 8% paid more than $1 million [5]. The causal link between physical threats and payment decisions is not definitively established in the data, but Semperis CEO Mickey Bresman noted that "every dollar handed to ransomware gangs fuels their criminal economy, incentivizing them to strike again" [5].

By comparison, purely digital extortion demands — where attackers threaten only data leaks or continued encryption — have historically produced lower payment rates. The FBI's Internet Crime Complaint Center reported $12.5 billion in total cybercrime losses in its most recent annual figures, but does not break out the physical-threat subset as a separate category [6].

Who Is Doing This?

The Com

The FBI released extensive research in late 2024 and 2025 identifying a sprawling cybercriminal network called "the Com" — shorthand for "the community" — as a primary driver of the cyber-to-physical convergence [7]. The network comprises thousands of members, predominantly between 11 and 25 years old, organized into three subsets [7][8]:

Hacker Com conducts DDoS attacks, SIM swaps, phishing campaigns, and ransomware operations. The group known as Scattered Spider — responsible for more than 100 business intrusions since 2022, including the high-profile attacks on MGM Resorts and Caesars Entertainment — emerged from this ecosystem [9][10].

In Real Life (IRL) Com operates swat-for-hire services, coordinates kidnappings, and carries out physical extortion. The FBI describes swatting — filing false police reports designed to trigger armed law enforcement responses at a target's home — as a tool for "gaining credibility among members" and enforcing internal obedience [7].

Extortion Com systematically targets minors, coercing victims as young as nine years old into producing sexual abuse material under threat of violence or exposure [7][8].

Ransomware-as-a-Service Affiliates

The physical intimidation tactic has also spread within the ransomware-as-a-service (RaaS) economy. Affiliates of groups like LockBit and ALPHV/BlackCat operate as quasi-franchises, renting malware and infrastructure while independently deciding how aggressively to pursue payment [11]. Some affiliates have contacted executives' neighbors, sent threatening packages to home addresses, and doxxed personal information including home addresses, family members' schools, and internet browsing habits [12]. This represents a deliberate strategic choice rather than isolated behavior: as RaaS has commoditized the technical side of ransomware, affiliates compete on extortion effectiveness, and physical threats have become a differentiator.

Violence-as-a-Service Networks

CrowdStrike's 2025 European Threat Landscape Report documented a "dramatic" increase in what it calls "violence-as-a-service" activity across Europe [13]. Threat actors use Telegram-based networks to coordinate physical attacks, kidnappings, and extortion tied to cryptocurrency theft. Groups connected to the Com ecosystem and hybrid adversaries like RENAISSANCE SPIDER are bridging cyber and physical operations, offering payments for sabotage, arson, and targeted violence [13].

The Crypto Kidnapping Surge

The most visceral manifestation of the trend is the surge in physical attacks on cryptocurrency holders. Security firm Crisis24 and blockchain analytics firm TRM Labs have tracked a sharp acceleration [1][2].

[Chart: Reported Physical Attacks on Cryptocurrency Holders. Source: Crisis24 / TRM Labs. Data as of Nov 1, 2025.]

France has been a particular hotspot, with 18 recorded cases between mid-2024 and late 2025 — more than any other country [1]. The attacks follow recognizable patterns: assailants pose as couriers, law enforcement, or potential business partners to isolate victims before using violence to extract wallet keys or ransom payments [1]. TRM Labs found that these "wrench attacks" — named for the meme about using a $5 wrench to extract a crypto password — correlate with bitcoin price movements, suggesting opportunistic targeting during periods when holdings are most valuable [2].

The May 2025 attempted abduction of the family of Pierre Noizat, co-founder of French cryptocurrency exchange Paymium, demonstrated how attackers are now targeting executives' relatives rather than the principals themselves [1]. In the United States, six men were charged in connection with the November 2024 kidnapping of a Chicago family of three and their nanny, with the attackers demanding $15 million in cryptocurrency over a five-day hostage situation [1].

Law Enforcement Response: Operation GRIMM and Beyond

Europol launched Operational Taskforce GRIMM in April 2025, bringing together 11 European countries to target violence-as-a-service networks [3]. In its first six months, the operation arrested 63 perpetrators, 40 enablers, 84 recruiters, and 6 instigators — including five high-value targets [3]. By April 2026, total arrests had reached 280, with investigators identifying more than 1,400 individuals linked to these networks [14].

"Violence is no longer confined to isolated acts or local dynamics," Europol stated. "It is increasingly offered as a service: accessible, scalable and driven by online ecosystems that enable recruitment, coordination, and execution across borders" [3].

In the United States, the FBI has primarily prosecuted Com-related cases through existing cybercrime and child exploitation statutes. Two leaders of the "764" offshoot were arrested in April 2024 for operating an international child exploitation enterprise, carrying maximum penalties up to life imprisonment [7]. A British teenager was charged in September 2025 in connection with at least 120 Scattered Spider hacks [10]. However, prosecutions specifically targeting the physical threat component — as distinct from the underlying cyber offense — remain rare. U.S. federal law does not have a single statute covering hybrid cyber-physical extortion, forcing prosecutors to layer charges across multiple criminal codes.

A former FBI official proposed in April 2026 that ransomware hackers targeting hospitals should receive terror designations, arguing that existing cybercrime frameworks fail to capture the physical harm caused by these attacks [15]. The proposal has not been adopted but reflects growing frustration among law enforcement with jurisdictional gaps.

Who Bears the Greatest Risk?

Healthcare Workers

Hospitals remain among the most targeted institutions because disruptions create urgent pressure to restore operations, increasing the likelihood that victims will pay [16]. The FBI has warned of escalating threats specifically targeting healthcare, where ransomware attacks can directly endanger patient lives by disabling medical equipment and delaying treatment [17]. When ransomware operators add physical threats against hospital administrators on top of the operational crisis, the coercive pressure compounds.

Corporate Executives

CISOs and C-suite executives at breached firms face a growing personal risk profile. CrowdStrike's reporting highlighted that employee home addresses, executive travel calendars, and customer PII "are no longer just compliance items — they are potential leverage for physical coercion" [13]. The Semperis data showing that 40% of ransomware incidents now involve physical threats against executives suggests this is becoming a standard playbook rather than an anomaly [4].

Cryptocurrency Holders

The surge in crypto-related kidnappings disproportionately affects individuals whose wealth is publicly visible on blockchain ledgers but whose identities can be unmasked through data breaches, social media, or on-chain analysis. During the first half of 2025, the number of crypto millionaires rose 17%, expanding the pool of financially lucrative targets [2]. WTW, the insurance broker, noted that crypto executives face "broadening risks" that combine traditional kidnap-and-ransom exposure with cyber-specific vulnerabilities [18].

Minors

The FBI's warnings about the Com's Extortion Com subset highlight that minors — particularly girls aged 10 to 17 — are systematically targeted for sextortion that includes threats of physical violence [7]. This population is among the least equipped to seek help and the most vulnerable to psychological coercion.

The Historical Parallel: Is This Really New?

Critics of the current media framing argue that pairing extortion with physical threats is as old as organized crime itself. Mob-linked protection rackets in the 1980s and 1990s operated on the same fundamental model: pay or face consequences in the physical world [19]. The Las Vegas Mob Museum has drawn explicit parallels between historical organized crime tactics and modern cybercrime, noting that the structural similarities — hierarchical organizations, franchise models, territorial control — are significant [20].

The steelman case that the novelty is overstated rests on several observations. First, the actual follow-through rate on physical threats issued during ransomware negotiations appears to be low. While 40% of victims report receiving such threats, documented cases of ransomware groups actually carrying out physical violence against corporate targets remain rare [4]. The threats function primarily as psychological escalation — a way to bypass the rational cost-benefit analysis that might lead a victim to refuse payment. Second, the scale of physical violence associated with cybercrime, while growing, remains small compared to the peak of mob-related violence in the United States. The FBI documented several hundred mob-related murders during the 1980s and 1990s; the total number of deaths linked to cybercrime-adjacent physical violence worldwide stands at roughly six as of late 2025 [1].

However, the counterargument is that several features distinguish the current phenomenon from traditional organized crime. Cybercriminals can target anyone globally, not just businesses within a geographic territory. The cost of issuing a threat is near zero when done digitally. And the combination of cryptocurrency anonymity, dark-web infrastructure, and stolen personal data makes it possible to credibly threaten specific individuals without revealing one's identity — a capability that mob enforcers never had [11][19].

Systemic Enablers and Proposed Fixes

Several structural factors have enabled the cyber-to-physical escalation:

Cryptocurrency traceability gaps. While blockchain transactions are traceable in principle, mixing services, privacy coins, and cross-chain bridges allow attackers to obscure the flow of ransom payments. Chainalysis reported that crypto crime remained a significant challenge through the first half of 2025 [21].

Data broker and breach ecosystems. Attackers source executives' home addresses, family information, and daily routines from data brokers, prior data breaches, and social media. This information makes physical threats credible without requiring the attacker to conduct surveillance.

Telegram and encrypted messaging. Violence-as-a-service networks primarily coordinate through Telegram, which has historically been slower to moderate criminal content than other platforms [13]. CrowdStrike identified Telegram-based networks as the primary coordination mechanism for physical attack brokering across Europe.

Jurisdictional fragmentation. Cybercriminals operating across multiple countries exploit the fact that no single law enforcement agency has jurisdiction over both the cyber and physical components of a hybrid attack. Even within the EU, Europol's GRIMM taskforce required coordination across 11 nations [3].

Security researchers have proposed several interventions: mandatory reporting of physical threats during cyber incidents, stronger know-your-customer requirements for cryptocurrency exchanges, platform liability for violence-as-a-service coordination, and dedicated hybrid-threat prosecution units that combine cyber and violent crime expertise [3][15].

Insurance and Corporate Costs

The cyber insurance market has grown rapidly — from $7.5 billion in global premiums in 2020 to an estimated $20.3 billion in 2025, with S&P projecting $23 billion by 2026 [22]. But the introduction of physical violence into the threat model creates underwriting challenges that the industry is only beginning to address.

[Chart: Global Cyber Insurance Premiums (USD Billions). Source: S&P Global / Industry Reports. Data as of Dec 1, 2025.]

Traditional cyber insurance policies cover digital losses: business interruption, data restoration, ransom payments, and liability. Physical threats introduce bodily harm, kidnapping, and property damage — risks historically covered by separate kidnap-and-ransom (K&R) policies [18]. As the boundaries blur, insurers face pressure to either expand cyber policy coverage or create hybrid products, both of which increase actuarial complexity and premiums.

Allianz reported that in the first half of 2025, 40% of large cyber claims exceeding €1 million involved data theft with double extortion tactics — a sharp increase from 25% in 2024 [23]. The average premium for a U.S. mid-sized firm reached $17,600 annually in 2025, up 12% year-over-year [23]. If physical threats become a standard component of cyber extortion, insurers will likely demand additional security controls — executive protection programs, residential security assessments, travel security protocols — as conditions of coverage.

The downstream effects may extend beyond insurance costs. If victims believe that reporting cyber incidents will expose them to physical threats from retaliating attackers, reporting rates — already estimated to capture only a fraction of actual incidents — could decline further. This creates an information gap that makes it harder for law enforcement and the broader security community to track and counter the threat.

What Comes Next

The trajectory points toward continued escalation. Europol's 2026 Internet Organised Crime Threat Assessment warned that growing relationships between state-sponsored hybrid threat actors and cybercrime groups will further blur the line between digital and physical threats [24]. CrowdStrike projects that violence-as-a-service activity will continue to spread beyond Europe into other regions as the model proves effective [13].

For organizations, the implication is that cybersecurity can no longer be treated as a purely technical discipline. Physical security, executive protection, and crisis response must be integrated into incident response planning. For policymakers, the challenge is building legal and jurisdictional frameworks that can keep pace with threats that move fluidly between the digital and physical worlds. For individuals — particularly those with visible cryptocurrency holdings, executive roles at targeted organizations, or public profiles that make them easy to locate — the personal security calculus has fundamentally changed.

Sources (24)

  [1] Crypto Kidnappings: The Rise of Violent Crime in the Age of Digital Wealth (crisis24.com)
      At least 231 physical incidents including abductions, home invasions, and violent coercion documented worldwide, with France emerging as a global hotspot.

  [2] The Rise of Wrench Attacks and Crypto-related Violent Crime (trmlabs.com)
      Physical violence against crypto holders correlates with bitcoin price movements, suggesting opportunistic targeting during high-value periods.

  [3] Operational Taskforce GRIMM: 193 arrests in 6 months tackling violence-as-a-service networks (europol.europa.eu)
      Europol taskforce across 11 European countries arrested 193 suspects in first six months targeting violence-as-a-service networks.

  [4] Semperis 2025 Ransomware Study Reveals Relentless Cyberattacks on Global Organizations (semperis.com)
      In 40% of ransomware attacks, threat actors threatened to physically harm executives at organizations that declined to pay.

  [5] Ransomware Attacks Escalate to Physical Threats Against Executives (infosecurity-magazine.com)
      46% of U.S. firms experienced physical threats during ransomware incidents; 81% of U.S. victims paid ransoms. 50% paid between $500,000 and $1 million.

  [6] 250+ Cybercrime Statistics for 2026 (brightdefense.com)
      FBI IC3 reported $12.5 billion in total cybercrime losses in most recent annual figures.

  [7] FBI alerts tie together threats of cybercrime, physical violence from The Com (cyberscoop.com)
      FBI warns that The Com network of thousands of members aged 11-25 spans hacking, physical violence, and extortion of minors.

  [8] The Com: Theft, Extortion, and Violence are a Rising Threat to Youth Online (ic3.gov)
      FBI Public Service Announcement detailing The Com's three subsets: Hacker Com, IRL Com, and Extortion Com.

  [9] Scattered Spider Advisory (cisa.gov)
      CISA advisory on Scattered Spider threat group's tactics, techniques, and procedures including social engineering and SIM swapping.

  [10] US government charges British teenager accused of at least 120 Scattered Spider hacks (techcrunch.com)
      British teenager charged in connection with at least 120 Scattered Spider intrusions targeting major corporations.

  [11] When Digital Extortion Turns Physical: Security Chiefs Confront Ransomware's Dangerous Evolution (webpronews.com)
      Ransomware groups have begun targeting CISOs with doxxing, threatening family members, and filing false police reports.

  [12] Semperis reports escalating ransomware tactics, as physical threats and regulatory extortion rise (industrialcyber.co)
      Attackers know where executives live, where their families are, and where their children go to school.

  [13] CrowdStrike 2025 European Threat Landscape Report (crowdstrike.com)
      Dramatic increase in violence-as-a-service activity across Europe, with Telegram-based networks coordinating physical attacks tied to crypto theft.

  [14] Europol GRIMM taskforce nets 280 arrests as violence for hire spreads across Europe (euronews.com)
      By April 2026, Operation GRIMM had expanded to 280 arrests, identifying more than 1,400 individuals linked to violence-as-a-service.

  [15] Former FBI official proposes terror designations for ransomware hackers targeting hospitals (nextgov.com)
      Proposal to designate ransomware hackers targeting hospitals as terrorists, arguing existing cybercrime frameworks fail to capture physical harm.

  [16] Ransomware Attacks on Hospitals Have Changed (aha.org)
      Hospitals targeted by professional cyber gangs that are well trained, well equipped, and often supported by foreign governments.

  [17] Hospitals hit with ransomware attacks as FBI warns of escalating threat to healthcare (fiercehealthcare.com)
      FBI warns of escalating ransomware threat specifically targeting healthcare institutions.

  [18] Violence, kidnap and crypto: Understanding the broadening risks facing crypto executives (wtwco.com)
      Insurance broker WTW documents broadening risk profile combining traditional kidnap-and-ransom exposure with cyber vulnerabilities.

  [19] Cybercrime Risks: Then and Now (pinkerton.com)
      Historical comparison of organized crime extortion models with modern cybercrime, noting structural similarities in franchise models.

  [20] CrowdStrike cybersecurity report highlights a spike in physical attacks on privileged users (csoonline.com)
      Employee home addresses and executive travel calendars are potential leverage for physical coercion, no longer just compliance items.

  [21] 2025 Crypto Crime Mid-Year Update (chainalysis.com)
      Chainalysis mid-year report on cryptocurrency crime trends, noting ongoing challenges with traceability and mixing services.

  [22] S&P research predicts cyber insurance premiums will hit US$23 billion by 2026 (industrialcyber.co)
      Global cyber insurance premiums projected to reach $23 billion by 2026, reflecting growing risk exposure.

  [23] Cyber Insurance Statistics 2025: Key Market and Threat Insights (deepstrike.io)
      Average cyber insurance premium for U.S. mid-sized firm reached $17,600 in 2025, up 12% year-over-year. 40% of large claims involved data theft with double extortion.

  [24] Europol: Hybrid Threats Shape EU's 2025 Threat Landscape (cyble.com)
      Europol warns that growing relationships between state-sponsored hybrid threat actors and cybercrime groups will further blur digital-physical threat lines.