Full Report
France-based victims hit especially hard, while UK named most-targeted country generally

Researchers are seeing a "dramatic" increase in cybercrime involving physical violence across Europe, with at least 18 cases reported since the start of the year.…
Analysis Summary
# Incident Report: Surge in European Cybercrime Involving Physical Violence (2025)
## Executive Summary
Since the start of 2025, researchers have observed a "dramatic" increase in cybercrime incorporating physical violence across Europe, with at least 18 cases reported. This trend, termed "violence as a service," impacts victims across sectors, with France being disproportionately targeted (13 cases) and the UK identified as the most generally targeted country overall. High-profile incidents involved physical coercion, kidnapping, and theft of cryptocurrency hardware or passkeys.
## Incident Details
- **Discovery Date:** Throughout 2025 (Ongoing trend analysis)
- **Incident Date:** Since January 2025 (Trend observed)
- **Affected Organization:** Multiple individuals and entities, notably Ledger co-founders (January 2025) and victims of crypto theft.
- **Sector:** Primarily Cryptocurrency/Finance, Luxury/Hospitality, Tourism.
- **Geography:** Europe, heavily concentrated in France (13 cases) and the UK (most-targeted generally).
## Timeline of Events
### Initial Access
- **Date/Time:** Varied throughout 2025. High-profile events occurred in January (Ledger kidnapping) and later in the year (Suresnes/Paris attacks).
- **Vector:** For close-access physical operations, the vector was a connection to on-site Wi-Fi from 'burner' hardware. In other crypto-theft cases, vectors included drugging (e.g., an Uber driver using suspected scopolamine) and vishing/social engineering aimed at passkeys or wallets.
- **Details:** Specific cybercrime groups ("The Com," potentially linked to Scattered Spider) leverage traditional cyber techniques (like RDP access planning) combined with physical coercion specialists for high-value payout extraction.
### Lateral Movement
- *Not explicitly detailed for the physical violence trend, but implied for digital compromise:* Mention of Scattered Spider recruitment of "Com members" to conduct close-access operations at corporate headquarters, suggesting physical presence to establish a digital foothold.
### Data Exfiltration/Impact
- **Impact:** Theft of physical hardware containing cryptocurrency (e.g., hard drive with €2 million in Bitcoin), direct transfer of crypto tokens via coerced access to wallets/passkeys ($123,000 stolen in one case). Physical harm, including kidnapping and assault (severed finger, punches).
### Detection & Response
- **Detection:** Incidents came to light after physical assaults, through subsequent police investigations, and via tracking of violent crypto-related crime (e.g., Jameson Lopp's tracking of such incidents).
- **Response:** Arrests made in connection with major incidents (e.g., 10 arrested after Ledger incident; ringleader detained in Morocco).
## Attack Methodology
- **Initial Access:** Close-access physical breach (recruits sent into HQ to use onsite Wi-Fi and deploy RDP access), drugging/coercion.
- **Persistence:** Not detailed; focus is immediate extraction.
- **Privilege Escalation:** Not detailed in the physical context, but digital operations likely use vishing tools (OTP interception bots) to target crypto exchange accounts.
- **Defense Evasion:** Use of "burner" laptops and coordination across loosely affiliated criminal networks ("The Com").
- **Credential Access:** Coercion/robbery of digital wallet passkeys or hard drives containing crypto.
- **Discovery:** Target identification tied to victims holding significant cryptocurrency assets.
- **Lateral Movement:** Coordination between eCrime specialists (keyboard actors) and actors willing to carry out physical jobs.
- **Collection:** Physical theft of storage devices or digital access keys.
- **Exfiltration:** Physical removal of hardware, or instantaneous digital transfer of stolen crypto assets.
- **Impact:** Financial extortion, physical injury, kidnapping.
## Impact Assessment
- **Financial:** Significant losses, exemplified by a stolen hard drive valued at ~$2.3 million and a smaller theft of $123,000 after drugging. Ransom demands undisclosed in the Ledger case.
- **Data Breach:** Theft of hardware wallets/drives containing cryptocurrency access, rather than traditional PII data breach, though digital accounts were compromised.
- **Operational:** Disruption to management/founders (kidnapping). Broader trend targeting UK organizations (the most frequently named target of attacks claimed on data leak sites: 2,100+ attacks claimed since Jan 2024).
- **Reputational:** High-profile nature impacting major entities like crypto firm Ledger and undermining personal safety perception in targeted regions.
## Indicators of Compromise
- **Network Indicators:** Planning for close-access operations involved connecting a "burner" Windows laptop to corporate on-site Wi-Fi and establishing RDP access; no specific URLs or IP addresses are given in the report.
- **File Indicators:** Theft of physical hard drives containing crypto.
- **Behavioral Indicators:** Use of Telegram-based tools for vishing/OTP interception automation; physical coercion and threat of violence associated with eCrime groups like "The Com."
## Response Actions
- **Containment:** Location of victims and apprehension of suspects by local law enforcement (France, Morocco).
- **Eradication steps:** Arrests of key suspects linked to kidnapping rings.
- **Recovery actions:** Recovery of some stolen assets/arrests of perpetrators, though ransom payout details are private.
## Lessons Learned
- The convergence of sophisticated digital targeting (eCrime) with high-stakes physical violence ("violence as a service") represents a significant escalation in threat tactics, distinguishing Western eCrime operations.
- Organizations and individuals with high-value digital assets (especially crypto) are targets for physical coercion, not just remote intrusion.
- Reliance on third-party access facilitators (initial access brokers, IABs) remains a major vector, especially against the UK, which sees the most claimed attacks.
## Recommendations
- Implement mandatory physical security assessments for personnel holding high-value digital keys.
- Review protocols for remote access granted from remote or temporary devices connecting to corporate infrastructure (e.g., strict RDP monitoring/VPN requirements).
- Enhance physical security awareness for high-net-worth individuals and executives regarding travel and suspicious service use (e.g., ride-sharing).
- Monitor underground forums for discussions involving "close-access" recruitment targeting critical company headquarters.
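The RDP-monitoring recommendation above, and the "burner laptop on corporate Wi-Fi" pattern from the Indicators section, can be turned into a simple detection. The following is an added illustration, not code from the report or from any of the organizations named in it: it scans constructed firewall-style log lines, flags any RDP (TCP/3389) session whose source sits on the wireless segment, and raises the severity when the source MAC is absent from the managed-asset inventory. The log format, the subnet `10.50.0.0/16`, the MAC addresses and the inventory are all assumptions made for the example.

```python
"""Flag RDP sessions that originate from the corporate Wi-Fi segment, and mark
those coming from devices missing from the managed-asset inventory.

Added example for illustration; the log format, subnets, MACs and inventory
below are constructed assumptions, not values from the report.
"""
import ipaddress
from dataclasses import dataclass

# Assumption: corporate wireless clients are assigned addresses in 10.50.0.0/16.
WIFI_SUBNETS = [ipaddress.ip_network("10.50.0.0/16")]
RDP_PORT = 3389

# Assumption: managed-asset inventory keyed by MAC address (e.g. from NAC/DHCP).
MANAGED_MACS = {"aa:bb:cc:00:11:22", "aa:bb:cc:00:33:44"}

# Constructed sample lines: "<ts> src=<ip> mac=<mac> dst=<ip> dport=<port> proto=tcp"
SAMPLE_LOG = """\
2025-06-03T09:12:01Z src=10.50.12.7 mac=aa:bb:cc:00:11:22 dst=10.10.1.5 dport=443 proto=tcp
2025-06-03T09:14:22Z src=10.50.12.7 mac=aa:bb:cc:00:11:22 dst=10.10.1.20 dport=3389 proto=tcp
2025-06-03T09:15:40Z src=10.50.33.91 mac=de:ad:be:ef:00:01 dst=10.10.1.20 dport=3389 proto=tcp
2025-06-03T09:16:05Z src=10.20.4.8 mac=aa:bb:cc:00:33:44 dst=10.10.1.20 dport=3389 proto=tcp
2025-06-03T09:17:11Z src=10.50.33.91 mac=de:ad:be:ef:00:01 dst=10.10.2.9 dport=3389 proto=tcp
"""


@dataclass
class RdpAlert:
    ts: str
    src: str
    mac: str
    dst: str
    reasons: tuple


def parse_line(line):
    """Parse one 'ts key=value ...' log line into a dict (timestamp under 'ts')."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


def is_wifi(ip):
    """True when the address falls inside any configured wireless subnet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WIFI_SUBNETS)


def find_rdp_from_wifi(log_text, managed_macs=MANAGED_MACS):
    """Return an RdpAlert for every RDP session sourced from the Wi-Fi segment.

    Each alert carries one or two reasons: 'rdp_from_wifi' (policy review) and,
    when the source MAC is not in the inventory, 'unmanaged_device' (the stronger
    signal of an unmanaged laptop brought on site).
    """
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        f = parse_line(raw)
        if f.get("proto") != "tcp" or int(f.get("dport", 0)) != RDP_PORT:
            continue
        if not is_wifi(f["src"]):
            continue
        reasons = ["rdp_from_wifi"]
        if f["mac"].lower() not in managed_macs:
            reasons.append("unmanaged_device")
        alerts.append(RdpAlert(f["ts"], f["src"], f["mac"], f["dst"], tuple(reasons)))
    return alerts


def summarize(alerts):
    """Map each unmanaged source to the number of distinct RDP targets it reached."""
    spread = {}
    for a in alerts:
        if "unmanaged_device" in a.reasons:
            spread.setdefault(a.src, set()).add(a.dst)
    return {src: len(dsts) for src, dsts in spread.items()}


if __name__ == "__main__":
    found = find_rdp_from_wifi(SAMPLE_LOG)
    for a in found:
        print(a.ts, a.src, "->", a.dst, ",".join(a.reasons))
    print("unmanaged sources by distinct RDP targets:", summarize(found))
```

On the sample data the managed laptop's RDP session is reported only for policy review, while the unknown MAC on the wireless segment is flagged twice and shown reaching two distinct hosts; in practice the same logic would be fed from firewall or NetFlow exports and the inventory from the NAC or endpoint-management system.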