Bitcoin May Be Secure – But Are You?
The kidnapping of Ledger co-founder David Balland illustrates a threat that most crypto security frameworks do not address: physical coercion. The technical security of your Bitcoin is only as strong as your personal security posture.

On 21 January 2025, David Balland (co-founder of Ledger, the hardware wallet manufacturer) and his wife were kidnapped from their home in France and taken to separate locations. The kidnappers demanded 100 BTC, approximately $10 million at the time, and provided proof of their intent through violence. France’s GIGN special operations unit conducted the rescue; the couple was rescued, and much of the ransom was recovered.
The incident is not an isolated data point. Physical attacks targeting individuals known or believed to hold significant cryptocurrency have increased as the asset class has grown. The pattern is consistent: public association with crypto wealth creates a target profile that operates independently of how well-secured the digital assets themselves are.
The Gap in Most Security Frameworks
Crypto security discourse is almost entirely focused on the digital attack surface: hardware wallets, multisig arrangements, seed phrase storage, phishing resistance, exchange security. These are genuine risks and the precautions are warranted.
Physical coercion is a different category of threat, and it defeats most digital security measures directly. A $5 wrench applied with sufficient determination will extract a seed phrase from most people regardless of how many layers of technical security protect the wallet. This is not a criticism of technical security measures — it is an observation that they address a different threat model than the one Balland faced.
The specific properties that make Bitcoin valuable from a custody perspective — self-sovereign control, no intermediary, irreversible transactions — also mean that coercion to transfer Bitcoin is immediately and permanently effective. There is no fraud reversal, no bank to call, no transaction to dispute.
The Threat Landscape
Three distinct risks characterise the physical threat environment for significant crypto holders:
Targeted kidnapping and extortion. The Balland case is the highest-profile recent example, but not the only one. Individuals publicly associated with crypto through media coverage, conference speaking, company founding, or social media have a measurably elevated risk profile relative to holders who maintain privacy about their holdings.
Home invasion and coerced transfer. A lower-sophistication version of the same threat: forced entry, physical duress, and demand for immediate transfer. The perpetrators do not need to know the exact value of holdings — the belief that significant holdings exist is sufficient motivation.
Social engineering leading to physical exposure. Building a profile of a target through open-source intelligence — social media, company registrations, conference attendance, media interviews — before making contact. The digital footprint that many crypto figures maintain makes this profile-building straightforward.
What Adequate Preparation Looks Like
The threat model determines the response. For individuals with significant holdings and any public profile in the crypto space, preparation operates across several dimensions simultaneously.
Privacy as a first line. The most effective protection against targeted physical attack is not being identified as a target. This means treating the size of holdings as genuinely confidential information, maintaining separation between public identity and custody arrangements, and being deliberate about what is disclosed in professional or social contexts. This is not paranoia — it is the same approach that wealth management professionals have always recommended for high-net-worth individuals in any asset class.
Duress protocols in custody design. A well-designed multisig or custody arrangement can incorporate duress provisions: a designated key or transaction pathway that, when used, signals coercion to a trusted third party and triggers a response protocol. This does not prevent the initial threat, but it changes the dynamic of coerced transfer in ways that may reduce the attacker’s confidence that the transfer will be permanent and undetected.
Physical security assessment. Home security, travel patterns, and the predictability of daily routine are all relevant. The specifics depend heavily on individual circumstances — location, family situation, degree of public profile — and do not lend themselves to generic prescriptions. The principle is that physical security should be evaluated with the same rigour applied to digital security, and by people with relevant expertise in physical threat assessment.
Compartmentalisation of information. Who knows what you hold, in what form, and where the keys are? The answer to that question defines the attack surface for social engineering and targeted coercion. Minimising that surface — without creating single points of failure in the custody arrangement itself — is the design challenge.
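One way a trusted third party could detect use of the duress pathway described above under "Duress protocols in custody design", as an added example that is not from the original article. It assumes the holding sits in a Taproot output with a dedicated duress script leaf; the keys, signature and control block are constructed placeholders.

```python
import hashlib

def tagged_hash(tag: str, data: bytes) -> bytes:
    """BIP340-style tagged hash: SHA256(SHA256(tag) || SHA256(tag) || data)."""
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + data).digest()

def compact_size(n: int) -> bytes:
    """Bitcoin CompactSize length prefix (scripts are far below the 4-byte limit)."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + n.to_bytes(2, "little")
    return b"\xfe" + n.to_bytes(4, "little")

def tapleaf_hash(script: bytes, leaf_version: int = 0xC0) -> bytes:
    """BIP341 leaf hash for a tapscript."""
    return tagged_hash("TapLeaf", bytes([leaf_version]) + compact_size(len(script)) + script)

def classify_spend(witness: list, duress_leaves: set) -> str:
    """Name the spending path revealed by the witness of a confirmed vault spend.
    Assumption: a node already validated the transaction; this only labels the path."""
    stack = list(witness)
    if len(stack) >= 2 and stack[-1][:1] == b"\x50":   # BIP341 annex, ignored here
        stack.pop()
    if len(stack) == 1:
        return "key-path"                  # single signature, no script revealed
    if len(stack) < 2:
        return "invalid"
    script, control = stack[-2], stack[-1]
    if len(control) < 33 or (len(control) - 33) % 32:
        return "invalid"
    leaf = tapleaf_hash(script, control[0] & 0xFE)     # low bit is key parity
    return "duress" if leaf in duress_leaves else "script-path"

# Constructed sample data: placeholder keys, signature and control block.
NORMAL_SCRIPT = b"\x20" + b"\x11" * 32 + b"\xac"       # <key> OP_CHECKSIG
DURESS_SCRIPT = b"\x20" + b"\x22" * 32 + b"\xac"       # <duress key> OP_CHECKSIG
DURESS_LEAVES = {tapleaf_hash(DURESS_SCRIPT)}
SIG = b"\x00" * 64
CONTROL = b"\xc1" + b"\x33" * 32 + b"\x44" * 32        # version|parity, internal key, sibling

if __name__ == "__main__":
    for name, w in [("normal", [SIG, NORMAL_SCRIPT, CONTROL]),
                    ("duress", [SIG, DURESS_SCRIPT, CONTROL])]:
        print(name, "->", classify_spend(w, DURESS_LEAVES))
```

A "duress" result is the signal that would start the response protocol with the trusted third party; because the watcher only sees the spend once it is broadcast, it supports response rather than prevention.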
The Irreversibility Problem
Bitcoin’s permanence cuts both ways. It is the property that makes self-custody powerful — no intermediary can freeze, reverse, or confiscate a transaction. It is also the property that makes coerced transfer a particularly severe threat. There is no recovery mechanism once Bitcoin leaves a wallet under duress.
This asymmetry — permanent loss on the downside, no institutional backstop — is worth holding in mind when designing a custody arrangement. The question is not only how to protect the Bitcoin from remote attack. It is also how to design a custody structure that does not make the holder the single, coercible point of access to the entire holding.
This article is for informational purposes only and does not constitute legal or financial advice. Consult a qualified professional before making decisions about security arrangements.