The $5 wrench problem and what you can actually do about it

There's a famous XKCD comic about cryptography. The setup: two security experts marvel at a scheme with 4096-bit RSA keys, Twofish/Rijndael cascading encryption, and GPU-cluster-resistant hashing. The punchline: a stick figure with a $5 wrench beats the information out of someone.

It's funny because it's true. And if you hold crypto, it's not funny at all.

It's happening. Right now.

In 2025 alone, there were over 40 documented physical attacks on crypto holders. Home invasions targeting known Bitcoin owners. Kidnappings where the ransom was "transfer your wallet." Social engineering attacks where someone who knows you hold crypto shows up at your door.

The attacks are getting more sophisticated. Criminals are using blockchain analysis to identify high-value wallets, then tracing them to real-world identities through exchange KYC leaks, social media, and address correlation.

And the attackers aren't just criminals. Border agents. Customs officials. Law enforcement in jurisdictions where "hand over your crypto" is a legal order. Abusive partners who know you have a wallet somewhere. Corporate lawyers in an acrimonious divorce.

The common thread: they don't need to break your encryption. They need to break you.

Why "just use a hardware wallet" doesn't help

The standard security advice for crypto is:

1. Use a hardware wallet
2. Write your seed phrase on metal
3. Store it in a safe
4. Never store it digitally

This is good advice for protecting against remote attacks. It's terrible advice for protecting against physical attacks. Someone with a wrench can see the Ledger in your drawer, find the metal seed backup in your safe, and watch you unlock the hardware wallet.

You can't plausibly deny that you own crypto when there's a $150 hardware wallet sitting on your desk.

The actual solution

Deniable encryption. Specifically: encrypt your seed phrase so that it decrypts to a different seed phrase depending on which key you use.

Here's how it works with deny.sh:

1. Enter your real seed phrase (the one controlling your actual holdings)
2. Enter a decoy seed phrase (a wallet with a small, believable balance)
3. Set two passwords
4. Get one encrypted file and two control files

The real control file + your passwords = your real seed phrase. The decoy control file + your passwords = the decoy seed phrase.

Under duress, you hand over the decoy control file. They decrypt. They see a wallet with 0.02 ETH. They take it. They leave.

Your real seed phrase is behind the real control file, which is hidden somewhere else entirely. Maybe inside a photo (steganography). Maybe split across three people (Shamir secret splitting). Maybe in a secure vault that automatically releases if you don't check in (dead man's switch).

The point: no forensic analysis can prove the decoy isn't the real thing. The encrypted file is identical in both cases. The control files are statistically indistinguishable from random noise. There's no hidden partition to detect, no metadata to leak, no structural tell to find.

It's free. Right now. No signup.

Everything runs in your browser. No account. No server calls. Your seed phrase never leaves your device. The code is open source (AGPL-3.0). You can read every line.

You can run 22 cryptographic tests yourself to verify the maths works. Chi-squared analysis, entropy measurement, fuzz testing. Don't trust us. Verify.

The entire process takes about 60 seconds.

What to do right now

1. Go to deny.sh/protect
2. Click "Try with demo data first" to see how it works
3. Then do it for real with your actual seed phrase
4. Store the encrypted backup somewhere accessible
5. Hide the real control file somewhere only you know
6. Put the decoy control file somewhere an attacker would find it

That's it. The $5 wrench attack ends when the safe opens to a decoy.