A federal grand jury in the Northern District of California indicted Elijah Armstrong, Nino Chindavanh (21), and Jayden Rucker on charges including conspiracy to commit Hobbs Act robbery, conspiracy to commit kidnapping, attempted Hobbs Act robbery, and attempted kidnapping.

The alleged crimes took place between November 22 and December 31, 2025, across San Francisco, Sunnyvale, San Jose, and the Brentwood neighborhood of Los Angeles. In at least one case, a single victim lost $6.5 million in cryptocurrency. Earlier arrest reports cited approximately $13 million in total losses across the spree; the $6.5 million figure reflects the amount confirmed in the federal indictment.

---

How the Scheme Worked

Prosecutors allege the group compromised UberEats and DoorDash accounts to impersonate delivery drivers, using familiar, low-suspicion cover to approach targets at their homes. Once inside, they reportedly used firearms, duct tape, and zip ties to restrain victims, then forced them to hand over cryptocurrency seed phrases. A seed phrase is a string of words that unlocks a crypto wallet; anyone who has it can transfer all funds without needing a password or device. A remote handler, not yet identified by authorities, is believed to have directed the on-site team in real time, possibly using voice modulation technology.

The arrests unfolded separately. Chindavanh was caught mid-attempt in Sunnyvale. Armstrong and Rucker were apprehended in Los Angeles after a witness managed to hide in a pantry and call police. Chindavanh has a court date scheduled for June 26, 2026. Investigators are also pursuing a suspected ringleader based in Washington state with a prior criminal record.

Craig Missakian, US Attorney for the Northern District of California, called the operation "sophisticated, brazen, violent, and dangerous," adding that the defendants "terrorized victims hoping to steal vast sums of crypto."

---

A Worsening Global Pattern

This case is part of a documented surge in what security researchers call "wrench attacks," a term for crimes that use physical force rather than hacking to extract crypto credentials. The name is borrowed from internet security slang, referencing XKCD's "rubber-hose cryptanalysis" comic, which depicts an attacker wielding a $5 wrench as the literal tool of coercion against a person who holds a cryptographic key.

According to blockchain security firm CertiK, there were 72 confirmed wrench attack incidents worldwide in 2025, a 75 percent increase over the prior year, with physical assault cases up 250 percent compared to 2024. CertiK's records document 188 confirmed physical crypto attacks dating back to 2014, though researchers note actual figures are far higher due to underreporting. In just the first four months of 2026, 34 verified incidents caused approximately $101 million in losses, a 41 percent increase over the same period in 2025. Europe accounted for 82 percent of those incidents, with 28 of the 34 attacks occurring across the continent. If the pace holds through year-end, 2026 is on track for roughly 130 incidents globally.

Bitcoin security researcher Jameson Lopp, who maintains a public database of physical crypto attacks, put the incentive plainly: "Every time a wrench attack is successful, it tells the world that crypto owners are juicy targets."

CertiK noted in its 2026 report that criminals are adapting to improved wallet security by shifting focus to the human layer: "As the security of protocols and wallets tends to improve, the threat migrates toward the human link."

---

The Risk Beyond US Borders

The Tennessee case carries direct implications for crypto users outside the United States. The delivery driver impersonation method is not unique to a market with UberEats and DoorDash. Equivalent services like Zomato and Swiggy in South Asia, or Jumia Food across parts of Africa, operate in the same way and carry the same social trust. A courier at the door does not raise alarm bells in Lagos, Nairobi, or Mumbai any more than it does in San Francisco.

Nigeria and India rank among the world's largest peer-to-peer (P2P) crypto trading markets by volume. P2P trading, where individuals exchange crypto directly with each other rather than through a centralized exchange, is the primary access point for millions of users in markets with limited banking infrastructure or regulatory restrictions on formal exchanges. A KPMG Nigeria report from 2025 flagged over $3.2 billion in illicit cross-border crypto flows in 2024. In Kenya, the IMF found that 40 percent of crypto volume flows through unlicensed P2P platforms.

In these markets, the technical defenses available to wealthier users, including hardware wallets with duress PINs, multi-signature wallets (which require approval from multiple devices before a transfer goes through), and time-lock contracts (which delay withdrawals by a set period), are far less accessible. Most users rely on mobile apps and exchange-held custodial accounts, which create a single point of failure under coercion. That gap extends to insurance: Lloyd's of London and other major underwriters now offer specialized wrench attack insurance products priced for institutional Western clients, with no equivalent coverage available in South Asian or African markets.

Bitcoin and most major tokens operate on transparent public blockchains, meaning anyone with a wallet address can estimate its value in seconds. Criminals are increasingly cross-referencing this data with leaked exchange records, social media posts, and in some cases, purchased government crypto-holder data. France recorded 24 wrench attacks in just the first four months of 2026, already surpassing its full-year 2025 total of 20 attacks, partly because a tax official allegedly sold government crypto-holder data, including crypto capital gains declarations, to criminal networks. In April 2026, France's PNACO unit indicted 88 suspects across 12 investigations, including more than 10 minors. The scale of that enforcement effort followed several high-profile incidents, among them the kidnapping of Ledger co-founder David Balland, who had a finger severed before police secured his rescue.

---

What Comes Next

The Northern District of California will proceed with prosecution as Armstrong and Rucker face imminent court appearances. Investigators are still working to identify the remote coordinator and the suspected Washington state organizer.

The broader trajectory is harder to contain. CertiK projects approximately 130 physical crypto attacks globally in 2026. Notably, that growth is geographically concentrated: North American incidents fell from nine to three between January and April 2026 compared to the same period in 2025, while Europe surged to account for 82 percent of global cases.

The attack model used in California combines a small coordinated cell, remote direction, and social engineering at the door. It is scalable and adaptable. For retail crypto holders in high-adoption, lower-income markets, the warning is direct: visible wealth on a public blockchain, combined with weaker local security infrastructure and lower reporting rates, is a combination that organized criminal networks are increasingly positioned to exploit.