
The Physical Attack Database Every Crypto Developer Should Study


Hook

Between 2014 and today, over 200 cryptocurrency holders have been robbed, kidnapped, or extorted at gunpoint—not because of weak private keys, but because attackers knew where they lived. This repository catalogs every documented case.

Context

The cryptocurrency community loves discussing the '$5 wrench attack'—the XKCD comic scenario where an attacker bypasses cryptography entirely by threatening physical violence. For years, this remained theoretical discussion fodder in security forums. But as Bitcoin's price climbed from hundreds to tens of thousands of dollars, and early adopters became visibly wealthy, the theoretical became grimly practical.

Jameson Lopp, a veteran Bitcoin developer and security engineer, created this repository to document what the industry preferred to ignore: cryptocurrency's meatspace problem. While billions were invested in hardware wallets, multi-signature schemes, and zero-knowledge proofs, holders were being followed home from LocalBitcoins meetups, targeted through social engineering, and subjected to home invasions. The repository emerged from a recognition that the weakest link in cryptocurrency security isn't elliptic curve cryptography—it's human beings with physical addresses, predictable routines, and an inability to withstand torture.

Technical Insight

Unlike typical GitHub repositories, physical-bitcoin-attacks contains no executable code—its architecture is pure data curation. The core artifact is a markdown table functioning as a flat-file database, with each row documenting an incident through seven fields: date, victim type (individual/business), location, estimated loss, attack vector, source links, and narrative description. This simplicity is architectural genius: it makes the dataset forkable, diffable, and accessible to non-technical researchers while remaining machine-parseable.

The data structure reveals design decisions worth examining. Consider a representative entry:

| 2021-11-02 | Individual | Netherlands | Unknown | Home invasion, torture | [Source](https://archive.link) | Victim forced to transfer cryptocurrency after attackers broke into home |

This schema prioritizes verifiability (archived news links prevent link rot) and geographic/temporal analysis over granular financial data. The "Unknown" loss field appears frequently—an honest acknowledgment that victims rarely disclose exact amounts post-attack. This contrasts with typical security vulnerability databases that demand CVE-style structured severity scores.

The repository's contribution model leverages GitHub's native collaboration features as a crowdsourced threat intelligence platform. Anyone can submit incidents via pull requests, with discussions happening in issues. This distributed curation model means the repository scales beyond what any single researcher could maintain, and because the table is plain markdown, a few lines of Python are enough to load it for analysis:

```python
# Example: Parsing the dataset for analysis
from datetime import datetime

def parse_markdown_table(md_content):
    """Parse incident rows from the markdown table into a list of dicts."""
    incidents = []
    for line in md_content.split('\n'):
        line = line.strip()
        if not line.startswith('|'):
            continue
        fields = [f.strip() for f in line.split('|')[1:-1]]
        if len(fields) < 6:
            continue
        try:
            date = datetime.strptime(fields[0], '%Y-%m-%d')
        except ValueError:
            continue  # Header, separator, or malformed row: no ISO date in column 1
        incidents.append({
            'date': date,
            'victim_type': fields[1],
            'location': fields[2],
            'loss': fields[3],
            'attack_vector': fields[4],
            'source': fields[5],
            'description': fields[6] if len(fields) > 6 else ''
        })
    return incidents

# Analyze attack patterns
def analyze_vectors(incidents):
    """Count incidents per attack-vector string, most frequent first."""
    vectors = {}
    for incident in incidents:
        vector = incident['attack_vector']
        vectors[vector] = vectors.get(vector, 0) + 1
    return sorted(vectors.items(), key=lambda x: x[1], reverse=True)
```

The dataset's real architectural innovation is its integration with external analysis tools. The stats.gart.io dashboard consumes this repository's data to provide interactive visualizations—temporal heat maps, geographic clustering, attack vector taxonomies. This separation of concerns (data repository vs. analysis frontend) demonstrates how simple, well-structured datasets enable an ecosystem of derivative tools without requiring the core maintainer to build everything.

Pattern analysis reveals sobering insights. Early incidents (2014-2017) cluster around in-person trading meetups—LocalBitcoins robberies where attackers posed as buyers. Post-2017, attacks shifted toward targeted home invasions, suggesting adversaries developed reconnaissance capabilities. The Netherlands and UK show disproportionate incident counts, possibly reflecting both actual attack frequency and English-language reporting bias. High-profile victims include cryptocurrency company executives, visible advocates, and influencers—people who failed operational security by publicly linking their identity to wealth.

The repository also documents attack sophistication evolution. Early cases involved opportunistic street robbery. Later incidents show premeditation: attackers researching victims' addresses through social media, conducting physical surveillance, and timing attacks when victims were alone. Some cases involved SIM-swapping (digital attack) followed by physical confrontation, demonstrating hybrid threat models that blur the digital-physical boundary.

Gotcha

The repository's greatest strength—crowd-sourced, news-based documentation—is also its fundamental limitation. The dataset suffers from severe selection bias: only publicly reported incidents appear here, while victims who quietly relocate after attacks or never report to authorities remain invisible. Lopp himself acknowledges this in the README, noting the true number of attacks likely exceeds documented cases by an order of magnitude. Wealthy holders have strong incentives to keep attacks private, creating a survivorship bias toward dramatic, newsworthy incidents.

Data quality varies wildly. Some entries include precise Bitcoin amounts and detailed attack narratives; others offer only "Unknown" losses and vague descriptions like "robbery." There's no standardized taxonomy for attack vectors—terms like "home invasion," "kidnapping," and "extortion" sometimes overlap. Geographic data is inconsistent (city-level vs. country-level granularity), and currency reporting mixes BTC amounts, USD equivalents at time of attack, and current valuations, making loss aggregation nearly impossible without extensive normalization. For researchers seeking statistical rigor, this dataset requires significant preprocessing and comes with large error bars. Additionally, the repository provides no verification methodology—it trusts news sources at face value, which may propagate inaccuracies or sensationalized reporting.
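The preprocessing this paragraph calls for, as an added example (not code from the repository or from the original article): it normalizes the loss column without guessing a currency, keeps BTC and USD totals separate, and gives overlapping attack-vector terms several labels. The keyword map, function names, and sample rows are assumptions constructed for illustration; the real table's loss formats may differ.

```python
import re
from collections import Counter

# Hypothetical keyword -> category map; the repository defines no such taxonomy.
VECTOR_KEYWORDS = {"home invasion": "home_invasion", "kidnap": "kidnapping",
                   "extort": "extortion", "robbery": "robbery", "torture": "torture"}

# First number in the field, with an optional leading "$" or trailing unit.
LOSS_RE = re.compile(r"(?P<usd>\$)?\s*(?P<num>\d[\d,]*(?:\.\d+)?)\s*(?P<unit>BTC|USD)?", re.I)

def normalize_loss(raw):
    """Return (amount, currency) or None when the loss is not stated."""
    m = LOSS_RE.search(raw)
    if not m:
        return None
    amount = float(m.group("num").replace(",", ""))
    unit = (m.group("unit") or "").upper()
    if m.group("usd") or unit == "USD":
        return (amount, "USD")
    if unit == "BTC":
        return (amount, "BTC")
    return None  # bare number with no currency: do not guess

def classify_vector(raw):
    """Map free text to a set of categories; overlapping terms yield several labels."""
    text = raw.lower()
    labels = {cat for kw, cat in VECTOR_KEYWORDS.items() if kw in text}
    return labels or {"unclassified"}

def summarize(rows):
    """rows: iterable of (loss, attack_vector) strings. Totals are kept per currency."""
    totals, labels, unknown = Counter(), Counter(), 0
    for loss, vector in rows:
        parsed = normalize_loss(loss)
        if parsed is None:
            unknown += 1  # report coverage instead of silently dropping rows
        else:
            totals[parsed[1]] += parsed[0]
        labels.update(classify_vector(vector))
    return dict(totals), dict(labels), unknown

# Constructed sample rows (not taken from the repository).
SAMPLE = [("Unknown", "Home invasion, torture"), ("1.5 BTC", "Robbery"),
          ("$250,000", "Kidnapping, extortion"), ("~30 BTC", "Home invasion"),
          ("300", "Armed robbery")]
```

Converting BTC to USD would additionally require a historical price for each incident date, which is why the totals stay split by currency here.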

Verdict

Use if: You're developing custody solutions and need empirical threat models beyond "secure the private keys." Use if you hold significant cryptocurrency and need a reality check about operational security—this dataset will make you reconsider posting wealth signals on social media, attending public crypto meetups, or keeping holdings at your primary residence. Use if you're researching cryptocurrency-related crime patterns for academic or policy purposes and need a starting dataset (despite its limitations). Use if you're building security education materials and want real-world case studies demonstrating why opsec matters.

Skip if: You're looking for technical security implementations, code libraries, or automated threat detection tools—this is raw intelligence data, not software. Skip if you need statistically rigorous, verified data for formal research; the dataset's selection bias and quality inconsistency make it unsuitable for most academic publications without substantial supplementary work. Skip if you're seeking comprehensive global coverage; English-language reporting bias means attacks in non-English-speaking regions are systematically underrepresented.
