A suspect posing as a delivery worker entered a Mission Dolores home near 18th and Dolores around 6:45 a.m. on Nov. 22, restrained the resident, and stole a phone, laptop, and about $11 million in cryptocurrency, according to the San Francisco Chronicle.
San Francisco police had not announced arrests or provided asset details as of Sunday, and no chain or token mix has been disclosed, Cryptoslate reports.
Physical attacks on crypto owners are far from isolated, with a concerning trend emerging.
Recent and past incidents we’ve covered include a $4.3 million UK home invasion; the SoHo kidnapping and torture to force access to a Bitcoin wallet; France’s rise in crypto-linked kidnappings and the state response; extreme OPSEC shifts by prominent holders like the Bitcoin Family distributing their seed phrase across continents; a broader move by high-net-worth investors hiring protection; and analysis of wrench-attack trends and self-custody trade-offs.
The theft shifts immediately to an on-chain chase.
Body of boy, 5, missing for three months recovered from fast-flowing river
Even when a robbery begins at a front door, the money often moves across public ledgers, where it can be traced, creating a race between laundering paths and the tightening freeze-and-trace tools that matured in 2025. USDT on TRON remains central to that calculus.
Industry-wide capacity to freeze capacity has expanded this year through cooperation among issuers, networks, and analytics firms, and the “T3” Financial Crime Unit has reported hundreds of millions of dollars in tainted tokens frozen since late 2024.
If any of the stolen value is in stablecoins, the odds of a near-term stop improve, as large issuers work with law enforcement and analytics partners to blacklist addresses on notice.
The broader data supports a stablecoin-first hypothesis for illicit flows. Chainalysis’s 2025 crime report shows that stablecoins accounted for about 63 percent of illegal transaction volume in 2024, a marked shift from prior years when BTC and ETH dominated laundering pipelines.
That change matters for recovery because centralized issuers can block spending at the token level, and centralized venues add additional choke points when deposits touch KYC infrastructure.
In parallel, Europol has warned that organized groups are scaling tactics with AI, which can compress laundering timelines and automate fragmentation across chains and services. The operational tempo favors early notification to issuers and exchanges if destination addresses surface.
The macro loss picture continues to move in the wrong direction for victims.
The FBI’s Internet Crime Complaint Center recorded $16.6 billion in cyber and scam losses in 2024, and reported crypto investment fraud rose 66 percent year over year. Physical coercion incidents against crypto holders, sometimes labeled wrench attacks, have drawn more attention across 2024 and 2025 as home invasions, SIM swaps, and social engineering converge, with TRM Labs documenting trends in coercion-linked thefts.
While the San Francisco case centers on a single residence, the mechanics mirror a pattern, a compromised device and forced transfers or key export, followed by rapid on-chain dispersion and pressure-tested cash-out routes.
California’s new regulatory baseline adds another layer. The state’s Digital Financial Assets Law took effect in July 2025, giving the Department of Financial Protection and Innovation licensing and enforcement authority over particular exchange and custody activities.
US brings wreckage of Chinese spy balloon to FBI lab as Beijing furious
If any off-ramp, OTC broker, or storage provider with California exposure intersects with the stolen funds, DFAL oversight could support coordination with law enforcement. That is not a direct recovery lever for self-custodied assets, but it affects counterparties that thieves often need to exit to fiat.
Policy changes elsewhere also factor into the next steps.
The U.S. Treasury removed Tornado Cash from the Specially Designated Nationals list on March 21, 2025, per this legal analysis from Venable, which alters the compliance posture around interacting with the codebase.
That change does not legalize laundering, nor does it remove analytics visibility.
It does, however, reduce the deterrent optics that had previously pushed some actors toward alternate mixers and bridges. If the stolen funds use classic mixers or peel chains through bridges into stablecoins before off-ramping, attribution work and first KYC touchpoints remain the critical moments.
With addresses not yet public, the desk can frame the next 14 to 90 days around three base paths. The table below presents first-hop models, indicators to watch, and probability bands for freeze and recovery based on the 2025 market structure and enforcement posture.
Timeline cues follow from this model.
In the first 24 to 72 hours, look for consolidation and early hops. If addresses emerge and stablecoins are present, the immediate step is issuer notification for blacklist review. If flows are in BTC or ETH, monitor for mixers or bridges and for any pivot into USDT before fiat exit.
Between seven and fourteen days, preservation letters and exchange freezes often surface if deposits probe KYC venues, per IC3 coordination practices.
Between 30 and 90 days, if a privacy-coin route appears, investigative weight shifts to off-chain leads, including device forensics, communications history, and the delivery ruse trail, with attribution work from TRM Labs and peers maturing on that horizon.
Wallet design continues to develop blunt physical coercion.
Multi-party computation and account-abstraction wallets have expanded in 2025, adding policy controls, seedless recovery, daily limits, and multi-factor approval paths that reduce single-point private key exposure during an in-person incident.
Contract-level time locks and spend caps can slow high-value transfers and create time windows to flag issuers or exchanges if an account is compromised.
These controls do not replace safe operational practices around devices and home security, but they modify the attack surface when a thief has access to a phone or laptop.
The San Francisco Chronicle report anchors the facts, though the San Francisco Police Department site shows no case-specific bulletin yet.
The next development hinges on whether destination addresses become public and whether stablecoin issuers or exchanges have been asked to review and act.
Read more similar news:
Comments:
comments powered by Disqus
