Overview

David Balland, a 36-year-old co-founder of the French crypto company Ledger, was kidnapped with his wife from their home in Vierzon, central France, early in the morning on January 21, 2025. The couple was forced into two separate cars and taken to separate locations. Mr. Balland was taken to Châteauroux, 30 miles southwest of Vierzon.

Following the abductions, the kidnappers contacted Eric Larchevêque, another founder at Ledger. Mr. Larchevêque received a video showing a severed finger belonging to Mr. Balland, along with a demand for 10 BTC, approximately $10 million. Mr. Larchevêque alerted the gendarmerie[1]. Following negotiations between law enforcement and the kidnappers, the ransom was partially paid in Tether’s USDT stablecoin[2].

[1] The gendarmerie is a police force whose authority resembles a cross between state police and a sheriff’s department in the United States.

[2] Tether is a cryptocurrency stablecoin launched by Tether Limited Inc. in 2014.

The police rapidly located Mr. Balland, and he was released on January 22. Mr. Balland was hospitalized because of the severed finger. On January 23, by using surveillance of suspects, analyzing phone records and questioning several people who had already been arrested, investigators located Ms. Balland in Étampes, about 80 miles north of Vierzon. She was found tied up in a van, physically unharmed. She was treated for psychological trauma.

The investigation involved 230 officers and investigators to locate and rescue the couple. No shots were fired during the rescue operation.

In total, nine men and one woman, ages 20 to 40, were taken into custody for questioning. Five of the suspects were between 20 and 25 years old. The suspects were from multiple cities and had criminal records. However, none were known as being part of organized crime, nor were the suspects known to have been involved in gang-related crime. They are facing charges for gang-related kidnapping, acts of torture and armed extortion.

Ledger is a privately held startup worth more than $1 billion. Ledger is one of France’s top crypto companies, selling “hardware wallets,” physical devices used to safeguard crypto assets. Mr. Balland is one of eight co-founders. Ledger was founded in 2014, and has over 700 employees in Europe, Asia, and the United States.

Ransom Payment/Cryptocurrency Recovery

When Nicolas Bacca, another Ledger co-founder, was informed of the kidnapping, he wanted to ensure that once Mr. and Ms. Balland were freed, the kidnappers could not access the ransom funds. When dealing with cryptocurrency transactions, every minute counts. To provide a secure transaction, decentralized or centralized exchanges or mixers[1] are used to intentionally obscure the transaction. However, this security also makes the funds exponentially more difficult to trace with each passing minute. Asking a platform in the transaction chain to freeze funds takes time, often days, and after days the money can become functionally untraceable. Mr. Bacca created a ready-to-activate process to simultaneously send freeze requests to all possible platforms in minutes, not days, with each platform anticipating the request. He assembled a team that included legal support specializing in cryptocurrency exchange platforms, as well as Security Alliance (SEAL) 911, a team of white hat operators[2]. He coordinated these activities with law enforcement, ensuring the funds could be frozen within minutes of the hostages being freed.

As soon as they had the information that the hostages had been freed, the cryptocurrency freeze plan was activated. 95% of the cryptocurrency ransom was tracked, frozen and seized. This model was an extremely precise coordination between Ledger employees, various police forces and investigators, and different experts and players, each with a well-defined role.

[1] Centralized exchanges provide a secure peer-to-peer transaction and are controlled by a single entity/authority; they manage the entire network, including user accounts, transactions, and data storage. Decentralized mixers are automated software or third-party services that do not have a central authority and use blockchain technology. Both “mix up” cryptocurrency funds with other users’ funds to provide a more secure transaction.

[2] White hat operators are security experts who use their skills to improve cybersecurity. They are also known as ethical hackers.

Analysis

Cryptocurrency Attacks: A Rising Trend

Individuals with high-profile wealth face increased dangers, especially when this wealth is highlighted publicly on social media. Attacks like the one on Mr. Balland indicate a rising trend in crypto-related crimes, where digital assets are central to ransom demands. Additionally, this attack may indicate a disturbing evolution and acceleration in the use of violent attacks specifically targeting cryptocurrency holders: attackers are increasingly showing they are willing to escalate violence to obtain their objectives. As a publicly well-known cryptocurrency holder, it is highly likely that Mr. Balland was targeted specifically because of and for his cryptocurrency assets.

This case is also similar to a case reported by French news media in early January 2025. A 56-year-old man was abducted from his home and held hostage by a group that attempted to blackmail the man’s son, a cryptocurrency influencer living in Dubai. Following an investigation, the man was found in the trunk of a car 500 kilometers from his home.

High-profile attacks against cryptocurrency holders are notably increasing, to such a point that cybersecurity researchers are tracking incidents of kidnapping, robbery, and/or extortion involving cryptocurrency demands/ransoms: 203 incidents have been reported in the past 10 years where the perpetrators targeted cryptocurrency holders. Of these incidents, 41 were home invasions. These attacks are known as “wrench attacks”; no amount of computer security can protect against physical attacks targeting cryptocurrency wallet holders coupled with violence or the threat of violence.

Locating the Victims

Criminals are not always sophisticated. While geolocation and monitoring tools are restricted in France, they are permissible “when justified by the nature and seriousness of the crime.” French law enforcement also has the capacity to covertly access microphones and video (camera access). Because the gendarmes were able to rapidly locate Mr. Balland, and given the stated use of phone records to locate suspects, law enforcement likely utilized mobile device geolocation tools. Further, it is likely that the kidnappers were not technically knowledgeable about these police capabilities. Mobile device SIM cards are required by law to be registered in France. The kidnappers likely used a device registered in the name of one of the kidnappers, enabling analysis to discover additional suspects.

The mobile device the kidnappers used to contact Mr. Larchevêque was likely the initial point of network analysis that law enforcement used to determine the location of Mr. Balland and later Ms. Balland.

Cryptocurrency: It Is Traceable

There is a misconception that cryptocurrency is a more accessible, yet non-traceable form of currency. In addition to not being familiar with law enforcement geolocation capabilities, the kidnappers also likely did not understand that cryptocurrency can be frozen and tracked. While it is easier for criminals to obtain very large sums of money in cryptocurrency than in traditional legal tender, these assets still must be converted to traditional currencies/legal tender for easy, less traceable utilization. This conversion process is also where funds become more traceable. Exit points, where cryptocurrencies are converted to legal tender, are a key to tracing.

Although 95% of the ransom money was recovered, this is due to the involvement of high-profile individuals within the cryptocurrency community, such as another co-founder of Ledger as well as the CEO of Tether. These individuals knew of each other at a minimum, and it is likely that they were personally acquainted. In short, the money was recovered due to Mr. Bacca’s connections within the cryptocurrency community, an advantage most cryptocurrency holders, irrespective of their net worth, could not utilize. Additionally, Tether is a centralized entity, so there was a point of contact to assist in freezing and seizing the funds; if a decentralized mixer had been utilized, tracing the funds would have been exponentially more difficult, if not impossible. No amount of cybersecurity can prevent a “wrench attack” targeting cryptocurrency wallets.

The Case for Executive Protection

While physically holding a considerable amount of money and being “your own bank” does provide freedom from traditional financial institutions, it also adds a considerable physical security burden the cryptocurrency holder must assume. These risks, as well as many others, can be mitigated with a professional executive security team.

While it is likely that Mr. Balland was targeted specifically for his cryptocurrency assets, he was also likely targeted following simple surveillance by his attackers, indicating to the attackers that he was an exposed target. Surveillance can be detected and mitigated through specialized executive protection services. There is no indication that a security team was located at Mr. Balland’s home during the attack.

High-profile figures, as well as individuals with substantial amounts of cryptocurrency, must harden not only their privacy, but their physical security: at home, while on travel for work or pleasure, and while performing daily routines. Incidents of kidnapping and extortion can occur anywhere: in homes, in public, at hotels, and while in transit from one location to another. There have even been incidents where “friends” targeted the victims for their cryptocurrency. As the phrase “wrench attack” implies, no one can withstand sustained physical violence; any individual can ultimately be physically compelled to provide access to a device, or associates/relatives will be extorted into providing the funds under the threat of, or actual, violence to another. Physical security, through a well-designed protection program, is the most expedient and effective way to mitigate this risk.