San Francisco, San Jose, Sunnyvale, Los Angeles.\u00a0<\/p>\n
In each city, the plan was the same: Stake out a major cryptocurrency holder, pose as a food or package courier and pull out the gun.\u00a0<\/p>\n
Documents obtained by the Chronicle reveal evidence that police say links three attempted armed crypto robberies in the Bay Area and Los Angeles in December to a harrowing home invasion a month earlier, in which a San Francisco man was drained of $13 million worth of digital currency after members of the crime ring ordered pizzas to his home before binding him with duct tape, pistol-whipping him and threatening to cut off his fingers.<\/p>\n
As of this week, three men from Tennessee were in custody and charged in connection with the targeting of large crypto account holders in two of the crimes, in Sunnyvale and Los Angeles. Sources said authorities were still looking for higher-level operatives in the four cases, which resemble an emerging strain of cryptotheft known as \u201cwrench attacks.\u201d<\/p>\n
Article continues below this ad<\/p>\n
Unlike other crimes that use hacking or social engineering scams to access victims\u2019 funds remotely, wrench attacks rely on more brutish methods of coercion like kidnapping and torture. The crime\u2019s nickname stems from a stick-figure web comic<\/a> depicting one cybercriminal instructing another to hit a victim \u201cwith this $5 wrench until he tells us the password.\u201d<\/p>\n San Francisco Chronicle Logo<\/p>\n Make us a Preferred Source to get more of our news when you search.<\/p>\n <\/p>\n Add Preferred Source<\/p>\n <\/a><\/p>\n A recent report from cybersecurity firm Certik showed 72 documented instances<\/a> of wrench attacks across the globe in 2025 \u2014 a 75% spike from the year prior \u2014 though the company said the crimes are most certainly underreported.\u00a0<\/p>\n Cases that are known to the public have laid bare some of the extreme measures criminals have taken to extract the victims’ funds. In January 2025, a gang in France abducted a crypto firm\u2019s co-founder and his wife<\/a>, cut off one of the man\u2019s fingers, and held the pair ransom under demands for funds from the company. In May, an Italian man was held captive for weeks<\/a> in a Manhattan townhouse while abductors beat him, shocked him with electric wires and held him over a ledge in order to get his Bitcoin password.<\/p>\n The attacks bring into sharp relief how some of the key selling points of crypto \u2014 decentralization from banks, the ease of transferring large sums, irreversible transactions \u2014 also double as its vulnerabilities.<\/p>\n Article continues below this ad<\/p>\n Banks are tightly regulated by laws meant to protect consumers from theft and fraud. They can freeze accounts or reverse funds, set limits on the amounts that can be transferred in one day, and flag suspicious activities.<\/p>\n Crypto, meanwhile, is attractive because of the autonomy it allows accountholders, said Ari Redbord, head of global policy at the blockchain analytics firm TRM Labs.<\/p>\n \u201cThe promise of the technology itself is this idea of cross-border value transfer at the speed of the internet,\u201d Redbord said.<\/p>\n \u201cHowever,\u201d he added, \u201cbad guys also want to move funds, and transactions are irreversible, which makes it very ripe for this type of activity.\u201d<\/p>\n While specifics on how the thieves identified or found their targets in California remains unclear, police and court records, as well as interviews with individuals close to the investigations, shed light on some of the patterns.<\/p>\n Article continues below this ad<\/p>\n A Sunnyvale financial crimes detective who investigated one of the recent cases, and asked to withhold his name, described the robberies as a \u201clong play\u201d that begins with surveillance. In at least some of the recent cases, this involved infiltrating the victim\u2019 delivery apps like DoorDash or Uber Eats with malware, allowing thieves to learn the victim\u2019s address and other key information.\u00a0<\/p>\n \u201cThey figure out your trends, your life cycle,\u201d said the detective. \u201cWhat do you normally order online? What do you normally order for takeout? Where do your packages normally come from? And then the suspects are disguising themselves as Door Dash drivers or UPS delivery drivers \u2014 finding a way to get you to your front door and open the front door.\u201d<\/p>\n A victim who spoke to the Chronicle but asked that their name be withheld said the suspects visited their home multiple times. Three days before the incident, someone had dropped off cookies from a bakery he had recently ordered from.\u00a0<\/p>\n After speaking with detectives, the victim learned one of his recycled passwords was likely compromised in a data breach, laying the groundwork for a targeted attack.\u00a0<\/p>\n While he said it\u2019s not clear exactly how the suspects found him, the victim said a common scenario begins with hackers distributing batches of information to a second layer of bad actors, often through apps like Telegram or Signal.<\/p>\n Article continues below this ad<\/p>\n From there, the victim said the attacker will try something known as \u201cpassword spraying\u201d \u2014\u00a0 testing out email and password combinations on multiple apps.\u00a0<\/p>\n \u201cThey\u2019ll just spam that password on as many accounts as they can get into,\u201d the victim said. \u201cFor me, it was my DoorDash and Uber Eats accounts. I hadn\u2019t changed those passwords in so long.\u201d<\/p>\n In his own case, the victim said he learned from detectives that the suspects at his house were in contact with a third party who passed along intel on some of the victims\u2019 online orders.\u00a0<\/p>\n \u201cThey would get screenshots from the person behind it, like, \u2018Hey, this guy\u2019s DoorDashing up at this place. Go pick up a fake order.\u201d\u00a0<\/p>\n Records show at least two victims in the recent California attacks were expecting a delivery when the suspect arrived carrying the same item or a similar one. In the San Francisco and Los Angeles cases, the suspects called their victims on multiple occasions \u2014 from the same phone number \u2014 to confirm a time to accept their purported delivery. In at least three of the cases, the victims received food deliveries that they didn\u2019t order prior to the attack.\u00a0<\/p>\n Article continues below this ad<\/p>\n Mentions of DoorDash were another common thread. Records showed one of the phone numbers linked to a suspect called DoorDash\u2019s customer service line three times between the time the phone account was created on Nov. 21, and the San Francisco robbery the following day. In the Sunnyvale case, one of the coffees that the victim didn\u2019t order had a DoorDash receipt on its bag.\u00a0<\/p>\n A spokesperson for DoorDash said it could not respond to specific questions due to the ongoing nature of the investigations. The spokesperson said the company was working with the FBI and other law enforcement agencies \u201cto support their investigations and help ensure those responsible are brought to justice.\u201d<\/p>\n Local police agencies told the Chronicle that the FBI is involved in investigating the cases. A spokesperson for the FBI declined to comment other than to confirm the agency is investigating the San Francisco case.\u00a0<\/p>\n The San Francisco victim told police he had been expecting a package when a young man arrived at his doorstep in the Mission Dolores neighborhood around 5 p.m. on Nov. 22, carrying a white box.\u00a0<\/p>\n The victim had received multiple calls from the same phone number in the hours before the visit, from a caller who claimed to be a UPS employee attempting to deliver a package.\u00a0<\/p>\n What came next, according to police reports, was an hour-long ordeal in which the robber, after pushing his way into the home, bound the victim with duct tape, pistol-whipped and repeatedly threatened to kill him while demanding access to his phone and laptop.\u00a0<\/p>\n All the while, the robber spoke on the phone, taking instructions from several people, including a man with a \u201craspy voice,\u201d according to records. The victim recalled hearing what sounded like a voice modulator used by a person on the phone, as well as threats to cut off his fingers if he didn\u2019t comply with the group\u2019s demands. The thieves ultimately made off with $10 million in Bitcoin and $3 million in Ethereum \u2014 holdings the victim later told police were publicly known.\u00a0\u00a0<\/p>\n It wasn\u2019t until after the robbery that the victim noticed two boxes of pizza that he didn\u2019t order, sitting outside his home.<\/p>\n At the onset of the investigation, San Francisco police obtained search warrants for two key phone numbers: One for a number that ordered the pizzas, and another for one that called the victim about the purported UPS delivery.\u00a0<\/p>\n The numbers were burners, created only a day before the robbery, but logs of text messages and phone calls cracked open other leads and helped signal to police that the cases were related, according to documents reviewed by the Chronicle.\u00a0<\/p>\n Six phone calls made from one of the suspect numbers \u2014 in between calls to the San Francisco victim on the day of his robbery \u2014 were to a Los Angeles man who was zip-tied, duct-taped and beaten inside his Los Angeles home on New Year\u2019s Eve, following a delivery ruse. The two home invaders, as well as another suspect on the phone, demanded the man\u2019s crypto.\u00a0<\/p>\n \u201cIt appears a suspect in the San Francisco crypto robbery was seeking intel on the Los Angeles victim on the same day,\u201d San Francisco police Sgt. Ryan Hart told a judge in January as part of a request for additional search warrants.\u00a0<\/p>\n On Dec. 17, a San Jose man who was stepping out of his vehicle after returning to his home noticed someone standing next to his driveway.\u00a0<\/p>\n The person, the resident later said, produced a black handgun and ordered him to enter the garage and close the door. The suspect then hit the man on the back of the head. The victim fell to the ground, he told police, pretending to be injured.\u00a0<\/p>\n The attack was interrupted by an Amazon truck that drove by, the victim said, prompting the suspect and another person to flee on foot. The victim later told officers he believed he was targeted because information on his crypto holdings had recently been leaked, according to a police report.\u00a0<\/p>\n He additionally relayed strange, earlier incidents he suspected could be connected. On Dec. 6, he received two pizza deliveries he didn\u2019t order, the man said. About a week later, on Dec. 15, he was approached by people who claimed to work for a power-washing company and offered to clean his driveway for free. The victim \u201cbelieved this was odd and he rejected their attempts several times,\u201d police said.\u00a0<\/p>\n Five days after the San Jose attack, on the morning of Dec. 22, Sunnyvale police were called to a home to investigate a report that a man who said he was delivering a DoorDash order for coffee had pushed his way inside and aimed a gun at the victim who answered the door.\u00a0<\/p>\n After the victim pushed back, the man ran away and fled in a black Kia sedan. The suspect, identified as 21-year-old Nino Chindavanh of Tennessee, was pulled over and arrested and is facing charges of attempted robbery and burglary in Santa Clara County.\u00a0<\/p>\n In the car, police seized a wallet containing identification, medical documentation and debit cards issued to a man named Jayden Rucker, police said.\u00a0<\/p>\n A police review of the residents\u2019 doorbell camera footage showed Chindavanh and another unidentified man attempting to deliver Starbucks coffees both before and after the real order.<\/p>\n Four times in a matter of two hours, police said, either Chindavanh or the other man approached the residence. In the final visit, police said, Chindavanh said, \u201cIt says I can\u2019t cancel the order,\u201d before pulling out the gun.<\/p>\n Eight days later, a resident in the Sunnyvale home contacted police again, reporting that another coffee no one had ordered had arrived at the house. The victim told police they had a large sum of cryptocurrency.\u00a0<\/p>\n After viewing security footage, police said they believed this person was Jayden Rucker, the man whose wallet was left in the Kia. Police believed Rucker was also the second suspect who was in the bushes at the time of the incident a week earlier.\u00a0<\/p>\n The following day, at a home in Los Angeles\u2019 tony Brentwood neighborhood, a man delivering a package to the resident asked for a glass of water. The victim agreed and walked into the kitchen, police said.\u00a0<\/p>\n The suspect followed him inside, pointed a gun at him and bound him with zip ties and duct tape. A second suspect arrived, and the pair called a third person on speaker phone whose voice appeared to be distorted by a modulator.\u00a0<\/p>\n The victim said he gave the intruders the password to his computer, allowing them to view his crypto holdings. The voice on the phone became angry, the victim said, and ordered the home invaders to cut off the victim\u2019s fingers until he showed them the \u201creal amount he had in crypto currency.\u201d\u00a0<\/p>\n One of the suspects picked up a knife. But after hearing a helicopter circling above, the two men fled. A witness who had been hiding in the pantry during the attack said she was able to slip out of the house and call 911, according to police records.\u00a0<\/p>\n After a brief car chase, police arrested two suspects, identified as Elijah Armstrong and Jayden Rucker.\u00a0<\/p>\n Armstrong and Rucker were both charged with robbery, burglary, assault with a firearm and attempted extortion for threatening to cut off the victim\u2019s fingers. Armstrong faces an additional charge of fleeing a pursuing peace officer\u2019s motor vehicle.\u00a0<\/p>\n It isn\u2019t clear whether any suspects other than the three charged in Los Angeles and Santa Clara counties have been arrested or identified.\u00a0<\/p>\n The Sunnyvale detective said similar enterprises have involved multiple levels of operatives, with everyone getting paid different amounts.\u00a0<\/p>\n \u201cThe larger masterminds behind it don’t want to be the ones physically at a door, that are subject to more risk,\u201d he said. \u201cThey’re going to find somebody local, or different crews working throughout the state for a percentage of the profits.\u201d<\/p>\n The detective said police believe all of the suspects who committed the in-person robberies and assaults in the Bay Area and California have been arrested.<\/p>\n Redbord, of TRM Labs, said that despite crypto\u2019s inherent vulnerabilities, law enforcement and security firms are able to trace the flow of funds through blockchains\u00a0\u2014 the technology underpinning crypto transactions that acts as a ledger. The analysis makes it easier to identify the criminals behind cyberattacks, and has enabled law enforcement to at times seize back the stolen money. It was not clear whether law enforcement has been able to locate or seize back the funds from the San Francisco case.\u00a0<\/p>\n Wrench attacks, Redbord said, are in some ways a natural evolution of crimes like robbery and narcotics trafficking.\u00a0<\/p>\n \u201cThis is not a \u2018crypto-ring\u2019, per se,\u201d he said. \u201cIt\u2019s a, \u2018Bad guys always go where the money is.\u2019\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"San Francisco, San Jose, Sunnyvale, Los Angeles.\u00a0 In each city, the plan was the same: Stake out a…\n","protected":false},"author":2,"featured_media":250056,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30],"tags":[184,7,723,101,103,102,104,106,105,995,2013],"class_list":{"0":"post-250055","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-san-francisco","8":"tag-bay-area","9":"tag-california","10":"tag-crime","11":"tag-san-francisco","12":"tag-san-francisco-headlines","13":"tag-san-francisco-news","14":"tag-sf","15":"tag-sf-headlines","16":"tag-sf-news","17":"tag-tech","18":"tag-us-and-world"},"_links":{"self":[{"href":"https:\/\/www.newsbeep.com\/us-ca\/wp-json\/wp\/v2\/posts\/250055","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.newsbeep.com\/us-ca\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.newsbeep.com\/us-ca\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/us-ca\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/us-ca\/wp-json\/wp\/v2\/comments?post=250055"}],"version-history":[{"count":0,"href":"https:\/\/www.newsbeep.com\/us-ca\/wp-json\/wp\/v2\/posts\/250055\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/us-ca\/wp-json\/wp\/v2\/media\/250056"}],"wp:attachment":[{"href":"https:\/\/www.newsbeep.com\/us-ca\/wp-json\/wp\/v2\/media?parent=250055"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.newsbeep.com\/us-ca\/wp-json\/wp\/v2\/categories?post=250055"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.newsbeep.com\/us-ca\/wp-json\/wp\/v2\/tags?post=250055"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}