5. Execution of the kidnapping
The abduction consists of seizing the victim quickly and transporting the victim to a controlled environment( e. g., abandoned building, rented house or apartment), which is typically done by an ambush:
▪ Home invasion: Criminals break into or storm the victim’ s residence, often early in the morning or late at night. The victim is usually isolated, off guard and has direct access to their assets. Criminals may also pose as delivery workers to lure the victim.
▪ Street abduction: The victim is ambushed while walking alone in a public space between their home and office or to some other place, for example. The execution is typically fast and violent. This type of ambush often involves a delivery van that pulls up quickly and drives away.
▪ Family member or colleague abduction: Rather than abducting the main target directly, criminals abduct a relative( e. g., parent, spouse, child) or colleague as a pressure point for the ransom. This is typical of cases involving high-profile or well-protected individuals, or those that reside abroad.
6. Coercion and ransom negotiation
When the victim is successfully abducted, OCGs attempt to extract the maximum ransom in cryptocurrency via different means such as physical and psychological torture, while imposing time pressure to avoid delays or detection. The amounts usually consist of multimillion-dollar ransoms. In some instances, smaller or partial payments are made by indirect victims such as family relatives and colleagues with the aim of diffusing the situation and gaining some time.
7. Post-payment resolution
When LE is unable to thwart a kidnapping operation in time and the ransom is paid, the victim is released or relocated while evidence( e. g., phones, vehicles) is destroyed in order for criminals to escape detection. In some rarer instances, the kidnapping may result in the death of the victim.
Mitigating risk and responding to crypto kidnapping
In conclusion, it is worth mentioning some risk mitigating best practices for the private sector, which play a critical role in preventing and responding to crypto kidnapping. In this regard, it is important to establish or set up preestablished secure channels between crypto companies and LE to share real-time data and intelligence on kidnapping( or any type of major) incidents. Crypto companies can also set up crisis and rapid response units, or establish protocols and train designated investigators to deal with such incidents. This form of collaboration also requires setting up direct, pre-vetted points of contact between crypto companies and LE in order to coordinate in real time when such emergencies arise. These points of contact should not be limited to LE but also include designated personnel within other crypto companies as these cases often involve the rapid movement of funds across multiple virtual asset service providers. In order to trace and intercept ransom funds, investigators must have established channels and points of contact to share actionable intelligence in real time as well.
It is also worth mentioning the importance of physical security and protective intelligence roles, which can play a role in mitigating the growing risk of crypto kidnapping. Physical security focuses on protecting individuals, facilities and physical assets from immediate physical threats, while protective intelligence focuses on gathering and analyzing information to identify and mitigate potential threats before they escalate into physical harm. In the context of crypto companies, wealth is decentralized and highly mobile; therefore, such roles are essential to protecting individuals with privileged access to digital assets and who can control millions of dollars from a single device.
Overall, proactive cooperation, real-time intelligence sharing, crisis readiness and joint investigations are key to countering this new form of criminality. Crypto kidnapping is a hybrid crime; therefore, its prevention and response require hybrid partnerships between crypto companies and LE as well as between crypto companies themselves. In addition, robust physical security and protective intelligence protocols also strengthen these efforts by identifying vulnerabilities, detecting early threats and safeguarding internal personnel who can be exposed to this new form of crime.
Jonathan Dupont, lead investigator and law enforcement liaison, Tether, Crypto Taskforce leader, Anti-Human Trafficking Intelligence Initiative( ATII), jonathandupont @ protonmail. com
Disclaimer: The views and ideas expressed in this article are solely those of the author.
1
“ Known Physical Bitcoin Attacks,” GitHub, https:// github. com / jlopp / physical-bitcoinattacks;“ The Rise of Wrench Attacks and Crypto-related Violent Crime,” TRM Labs, May 23, 2025, https:// www. trmlabs. com / resources / blog / the-rise-of-wrench-attacksand-crypto-related-violent-crime
2
Ransom kidnapping is a form of criminal-forprofit kidnapping which consists of forcibly taking away a person and holding the victim hostage until a monetary ransom is paid, typically by relatives or colleagues of the victim.
3
Express kidnapping typically happens in urban areas and consists in forcibly taking away a person with immediate access to cash or valuables within a short period of time( e. g., a person is kidnapped and forced to hand over or withdraw cash at ATMs or valuables such as jewelry, electronic devices, etc.).
4
“ Twelve Defendants Sentenced for Violent Home Invasion Robberies to Steal Cryptocurrency,” U. S. Department of Justice, September 13, 2024, https:// www. justice. gov / usao-mdnc / pr / twelve-defendantssentenced-violent-home-invasionrobberies-steal-cryptocurrency
ACAMS Today | September – November 2025 81