Crime ring stole millions in crypto in California ‘wrench attacks’

San Francisco, San Jose, Sunnyvale, Los Angeles. 

In each city, the plan was the same: Stake out a major cryptocurrency holder, pose as a food or package courier and pull out the gun. 

Documents obtained by the Chronicle reveal evidence that police say links three attempted armed crypto robberies in the Bay Area and Los Angeles in December to a harrowing home invasion a month earlier, in which a San Francisco man was drained of $13 million worth of digital currency after members of the crime ring ordered pizzas to his home before binding him with duct tape, pistol-whipping him and threatening to cut off his fingers.

As of this week, three men from Tennessee were in custody and charged in connection with the targeting of large crypto account holders in two of the crimes, in Sunnyvale and Los Angeles. Sources said authorities were still looking for higher-level operatives in the four cases, which resemble an emerging strain of cryptotheft known as “wrench attacks.”

Article continues below this ad

Unlike other crimes that use hacking or social engineering scams to access victims’ funds remotely, wrench attacks rely on more brutish methods of coercion like kidnapping and torture. The crime’s nickname stems from a stick-figure web comic depicting one cybercriminal instructing another to hit a victim “with this $5 wrench until he tells us the password.”

San Francisco Chronicle Logo

Make us a Preferred Source to get more of our news when you search.

Add Preferred Source

A recent report from cybersecurity firm Certik showed 72 documented instances of wrench attacks across the globe in 2025 — a 75% spike from the year prior — though the company said the crimes are most certainly underreported. 

Cases that are known to the public have laid bare some of the extreme measures criminals have taken to extract the victims’ funds. In January 2025, a gang in France abducted a crypto firm’s co-founder and his wife, cut off one of the man’s fingers, and held the pair ransom under demands for funds from the company. In May, an Italian man was held captive for weeks in a Manhattan townhouse while abductors beat him, shocked him with electric wires and held him over a ledge in order to get his Bitcoin password.

The attacks bring into sharp relief how some of the key selling points of crypto — decentralization from banks, the ease of transferring large sums, irreversible transactions — also double as its vulnerabilities.

Article continues below this ad

Banks are tightly regulated by laws meant to protect consumers from theft and fraud. They can freeze accounts or reverse funds, set limits on the amounts that can be transferred in one day, and flag suspicious activities.

Crypto, meanwhile, is attractive because of the autonomy it allows accountholders, said Ari Redbord, head of global policy at the blockchain analytics firm TRM Labs.

“The promise of the technology itself is this idea of cross-border value transfer at the speed of the internet,” Redbord said.

“However,” he added, “bad guys also want to move funds, and transactions are irreversible, which makes it very ripe for this type of activity.”

While specifics on how the thieves identified or found their targets in California remains unclear, police and court records, as well as interviews with individuals close to the investigations, shed light on some of the patterns.

Article continues below this ad

A Sunnyvale financial crimes detective who investigated one of the recent cases, and asked to withhold his name, described the robberies as a “long play” that begins with surveillance. In at least some of the recent cases, this involved infiltrating the victim’ delivery apps like DoorDash or Uber Eats with malware, allowing thieves to learn the victim’s address and other key information. 

“They figure out your trends, your life cycle,” said the detective. “What do you normally order online? What do you normally order for takeout? Where do your packages normally come from? And then the suspects are disguising themselves as Door Dash drivers or UPS delivery drivers — finding a way to get you to your front door and open the front door.”

A victim who spoke to the Chronicle but asked that their name be withheld said the suspects visited their home multiple times. Three days before the incident, someone had dropped off cookies from a bakery he had recently ordered from. 

After speaking with detectives, the victim learned one of his recycled passwords was likely compromised in a data breach, laying the groundwork for a targeted attack. 

While he said it’s not clear exactly how the suspects found him, the victim said a common scenario begins with hackers distributing batches of information to a second layer of bad actors, often through apps like Telegram or Signal.

Article continues below this ad

From there, the victim said the attacker will try something known as “password spraying” —  testing out email and password combinations on multiple apps. 

“They’ll just spam that password on as many accounts as they can get into,” the victim said. “For me, it was my DoorDash and Uber Eats accounts. I hadn’t changed those passwords in so long.”

In his own case, the victim said he learned from detectives that the suspects at his house were in contact with a third party who passed along intel on some of the victims’ online orders. 

“They would get screenshots from the person behind it, like, ‘Hey, this guy’s DoorDashing up at this place. Go pick up a fake order.” 

Records show at least two victims in the recent California attacks were expecting a delivery when the suspect arrived carrying the same item or a similar one. In the San Francisco and Los Angeles cases, the suspects called their victims on multiple occasions — from the same phone number — to confirm a time to accept their purported delivery. In at least three of the cases, the victims received food deliveries that they didn’t order prior to the attack. 

Article continues below this ad

Mentions of DoorDash were another common thread. Records showed one of the phone numbers linked to a suspect called DoorDash’s customer service line three times between the time the phone account was created on Nov. 21, and the San Francisco robbery the following day. In the Sunnyvale case, one of the coffees that the victim didn’t order had a DoorDash receipt on its bag. 

A spokesperson for DoorDash said it could not respond to specific questions due to the ongoing nature of the investigations. The spokesperson said the company was working with the FBI and other law enforcement agencies “to support their investigations and help ensure those responsible are brought to justice.”

Local police agencies told the Chronicle that the FBI is involved in investigating the cases. A spokesperson for the FBI declined to comment other than to confirm the agency is investigating the San Francisco case. 

The San Francisco victim told police he had been expecting a package when a young man arrived at his doorstep in the Mission Dolores neighborhood around 5 p.m. on Nov. 22, carrying a white box. 

The victim had received multiple calls from the same phone number in the hours before the visit, from a caller who claimed to be a UPS employee attempting to deliver a package. 

What came next, according to police reports, was an hour-long ordeal in which the robber, after pushing his way into the home, bound the victim with duct tape, pistol-whipped and repeatedly threatened to kill him while demanding access to his phone and laptop. 

All the while, the robber spoke on the phone, taking instructions from several people, including a man with a “raspy voice,” according to records. The victim recalled hearing what sounded like a voice modulator used by a person on the phone, as well as threats to cut off his fingers if he didn’t comply with the group’s demands. The thieves ultimately made off with $10 million in Bitcoin and $3 million in Ethereum — holdings the victim later told police were publicly known.  

It wasn’t until after the robbery that the victim noticed two boxes of pizza that he didn’t order, sitting outside his home.

At the onset of the investigation, San Francisco police obtained search warrants for two key phone numbers: One for a number that ordered the pizzas, and another for one that called the victim about the purported UPS delivery. 

The numbers were burners, created only a day before the robbery, but logs of text messages and phone calls cracked open other leads and helped signal to police that the cases were related, according to documents reviewed by the Chronicle. 

Six phone calls made from one of the suspect numbers — in between calls to the San Francisco victim on the day of his robbery — were to a Los Angeles man who was zip-tied, duct-taped and beaten inside his Los Angeles home on New Year’s Eve, following a delivery ruse. The two home invaders, as well as another suspect on the phone, demanded the man’s crypto. 

“It appears a suspect in the San Francisco crypto robbery was seeking intel on the Los Angeles victim on the same day,” San Francisco police Sgt. Ryan Hart told a judge in January as part of a request for additional search warrants. 

On Dec. 17, a San Jose man who was stepping out of his vehicle after returning to his home noticed someone standing next to his driveway. 

The person, the resident later said, produced a black handgun and ordered him to enter the garage and close the door. The suspect then hit the man on the back of the head. The victim fell to the ground, he told police, pretending to be injured. 

The attack was interrupted by an Amazon truck that drove by, the victim said, prompting the suspect and another person to flee on foot. The victim later told officers he believed he was targeted because information on his crypto holdings had recently been leaked, according to a police report. 

He additionally relayed strange, earlier incidents he suspected could be connected. On Dec. 6, he received two pizza deliveries he didn’t order, the man said. About a week later, on Dec. 15, he was approached by people who claimed to work for a power-washing company and offered to clean his driveway for free. The victim “believed this was odd and he rejected their attempts several times,” police said. 

Five days after the San Jose attack, on the morning of Dec. 22, Sunnyvale police were called to a home to investigate a report that a man who said he was delivering a DoorDash order for coffee had pushed his way inside and aimed a gun at the victim who answered the door. 

After the victim pushed back, the man ran away and fled in a black Kia sedan. The suspect, identified as 21-year-old Nino Chindavanh of Tennessee, was pulled over and arrested and is facing charges of attempted robbery and burglary in Santa Clara County. 

In the car, police seized a wallet containing identification, medical documentation and debit cards issued to a man named Jayden Rucker, police said. 

A police review of the residents’ doorbell camera footage showed Chindavanh and another unidentified man attempting to deliver Starbucks coffees both before and after the real order.

Four times in a matter of two hours, police said, either Chindavanh or the other man approached the residence. In the final visit, police said, Chindavanh said, “It says I can’t cancel the order,” before pulling out the gun.

Eight days later, a resident in the Sunnyvale home contacted police again, reporting that another coffee no one had ordered had arrived at the house. The victim told police they had a large sum of cryptocurrency. 

After viewing security footage, police said they believed this person was Jayden Rucker, the man whose wallet was left in the Kia. Police believed Rucker was also the second suspect who was in the bushes at the time of the incident a week earlier. 

The following day, at a home in Los Angeles’ tony Brentwood neighborhood, a man delivering a package to the resident asked for a glass of water. The victim agreed and walked into the kitchen, police said. 

The suspect followed him inside, pointed a gun at him and bound him with zip ties and duct tape. A second suspect arrived, and the pair called a third person on speaker phone whose voice appeared to be distorted by a modulator. 

The victim said he gave the intruders the password to his computer, allowing them to view his crypto holdings. The voice on the phone became angry, the victim said, and ordered the home invaders to cut off the victim’s fingers until he showed them the “real amount he had in crypto currency.” 

One of the suspects picked up a knife. But after hearing a helicopter circling above, the two men fled. A witness who had been hiding in the pantry during the attack said she was able to slip out of the house and call 911, according to police records. 

After a brief car chase, police arrested two suspects, identified as Elijah Armstrong and Jayden Rucker. 

Armstrong and Rucker were both charged with robbery, burglary, assault with a firearm and attempted extortion for threatening to cut off the victim’s fingers. Armstrong faces an additional charge of fleeing a pursuing peace officer’s motor vehicle. 

It isn’t clear whether any suspects other than the three charged in Los Angeles and Santa Clara counties have been arrested or identified. 

The Sunnyvale detective said similar enterprises have involved multiple levels of operatives, with everyone getting paid different amounts. 

“The larger masterminds behind it don’t want to be the ones physically at a door, that are subject to more risk,” he said. “They’re going to find somebody local, or different crews working throughout the state for a percentage of the profits.”

The detective said police believe all of the suspects who committed the in-person robberies and assaults in the Bay Area and California have been arrested.

Redbord, of TRM Labs, said that despite crypto’s inherent vulnerabilities, law enforcement and security firms are able to trace the flow of funds through blockchains — the technology underpinning crypto transactions that acts as a ledger. The analysis makes it easier to identify the criminals behind cyberattacks, and has enabled law enforcement to at times seize back the stolen money. It was not clear whether law enforcement has been able to locate or seize back the funds from the San Francisco case. 

Wrench attacks, Redbord said, are in some ways a natural evolution of crimes like robbery and narcotics trafficking. 

“This is not a ‘crypto-ring’, per se,” he said. “It’s a, ‘Bad guys always go where the money is.’”