Key Highlights
- Two California teenagers, aged 16 and 17, are facing nine felony charges after allegedly carrying out a violent home invasion in Scottsdale targeting $66 million in Bitcoin.
- The attack was reportedly orchestrated through Signal by anonymous handlers known as “Red” and “8,” who provided $1,000 and the victim’s home address.
- The case is being identified as the first recorded U.S. “wrench attack” of 2026, highlighting a growing trend of physical crypto crimes linked to the Coinbase data breach affecting nearly 70,000 users.
Two high school students from San Luis Obispo County, California, are facing nine felony charges each after allegedly driving more than 600 miles to carry out a violent home invasion in Scottsdale, Arizona, all to steal what they believed was $66 million in cryptocurrency.
Court documents obtained by AZFamily detail how Jackson Sullivan, 17, a junior at San Luis Obispo High School, and Skylar LaPaille, 16, of Morro Bay, showed up at a home near 98th Street on Windrose Drive on the morning of January 31, dressed in actual FedEx uniforms they had purchased from Amazon. They carried a box and a dolly to look convincing.
When the homeowner opened the door around 10:30 a.m., the two teens allegedly forced their way inside, hit him, threw him to the ground, and restrained both the man and his wife with duct tape. They demanded access to his Bitcoin. He denied having any.
An adult son, who was in another part of the house, managed to call 911. When officers arrived, they found the woman screaming and the man struggling with one of the suspects. Both teens fled through the back door, got into a blue Subaru, and were eventually caught at a dead end a short distance away.
The robbery “kit” and the Signal connection
According to the court paperwork, Sullivan and LaPaille had met only about a month before the incident. LaPaille told investigators he had been contacted by someone going by the alias “Red” on the Signal encrypted messaging app, who told him about the target and claimed the victims held $66 million in cryptocurrency.
The handlers, identified only as “Red” and “8,” allegedly provided the teens with $1,000 to purchase supplies. The pair reportedly used the money to buy their “robbery kit” at Target and Home Depot, which included zip ties, duct tape, a screwdriver, a box, and a dolly. They also brought along a Tracfone, apparently intended to facilitate the cryptocurrency transfer.
Before reaching the home, the teens stole a license plate from a similar vehicle in Scottsdale to conceal their identity.
Police who searched the scene and the vehicle also recovered a 3D-printed firearm, though it contained no ammunition. It remains unclear whether the weapon was even functional.
During a court hearing earlier this month, Sullivan’s attorney claimed his client had been manipulated by someone online and that his parents were unaware of the plan. The attorney also stated that the two suspects were on the phone with a third person, likely “Red,” during the entire robbery.
A mother’s warning that came too late
One of the most striking details in this case is the fact that Sullivan’s mother tried to stop the crime before it happened.
Court records show she found text messages on her son’s phone describing plans to dress up as UPS workers, commit a burglary, split the money, and use a Scottsdale address. She contacted California law enforcement, who relayed the tip to the Scottsdale Police Department.
But the Scottsdale police received the information only after the home invasion had already taken place.
First U.S. “wrench attack” of 2026
The Scottsdale home invasion has been logged as the first “wrench attack” in the United States in 2026 on the public database maintained by Jameson Lopp, co-founder and CTO of Bitcoin self-custody platform Casa. Lopp has been tracking physical attacks on crypto holders for over a decade.
All ten prior entries on the database for 2026 had occurred outside the U.S., in France, Belgium, and the Philippines.
To put the trend in context: Lopp’s tracker logged roughly 70 wrench attacks globally in 2025, nearly double the approximately 41 recorded in 2024. Ari Redbord, global head of policy at blockchain analytics firm TRM Labs, said in January that the real number is likely much higher, since many such incidents get classified as ordinary robberies by local police.
At the Litecoin Summit 2025, Lopp himself had warned that roughly 25% of all documented wrench attacks are home invasions, and urged crypto holders to improve residential security and exercise caution when answering doors. The Crypto Times had previously reported on that presentation, where Lopp estimated that attackers succeed in two-thirds of documented cases.
The Coinbase breach connection
Security professionals have consistently pointed to corporate data breaches as a key factor behind the spike in physical attacks on crypto holders.
The 2025 Coinbase breach is a case in point. Rogue customer service representatives at a third-party vendor were bribed to access and leak the KYC data of nearly 70,000 users. The compromised information included names, phone numbers, email addresses, mailing addresses, masked Social Security numbers, government-issued IDs, and account balance snapshots.
While Coinbase refused a $20 million ransom demand and instead offered a $20 million bounty for information leading to arrests, the damage was done. That data, once in criminal hands, essentially created a target list of high-value crypto holders complete with home addresses.
Nick Bax, founder of Ump.eth and member of the crypto security alliance SEAL, attributed many of 2025’s wrench attacks to poor personal privacy and corporate data breaches. Then came a second Coinbase insider breach in December 2025, where a contractor improperly accessed data on approximately 30 customers. While smaller in scale, it confirmed that the insider threat problem at crypto platforms was far from resolved.
For the Scottsdale case specifically, investigators have not disclosed how the anonymous Signal handlers obtained the victims’ home address or identified their crypto holdings. But the pattern fits what security researchers have been warning about: leaked exchange data making its way to criminal networks who then recruit expendable young people to do the physical dirty work.
The growing playbook: Encrypted apps, young recruits, and targeted violence
What makes the Scottsdale incident particularly concerning is the operational structure behind it.
The teens were not acting independently. They were recruited, funded, equipped, and guided through the entire operation by anonymous individuals who remain unidentified. The use of Signal, an end-to-end encrypted messaging platform, makes it significantly harder for law enforcement to trace the handlers.
This matches a broader pattern that organized crime networks are increasingly using encrypted platforms to recruit young individuals for high-stakes cryptocurrency robberies, specifically because minors and young adults are seen as more expendable and harder to trace back to the network.
Just weeks before the Scottsdale incident, three teenagers disguised as Amazon couriers entered a man’s house in England and threatened him with knives until he handed over his crypto.
In France, a couple and their two children were beaten and tied up by three individuals in January in what was the third major wrench attack in the country that week alone.
The Crypto Times has also reported on how French attackers were found to have purchased target lists containing the names, addresses, and capital gains of crypto investors for as little as €800 each.
Where the case stands now
Sullivan and LaPaille have been charged with nine felonies, including aggravated assault, kidnapping, and second-degree burglary. Sullivan also faces an unlawful flight charge. Prosecutors intend to try both teenagers as adults.
Sullivan was released on a $50,000 cash-only bond and is currently wearing an electronic monitor. LaPaille also had a $50,000 secured bond, though it is unclear whether he has posted it.
The identity of “Red” and “8” remains unknown. Investigators have not publicly stated whether the FBI is involved in tracking the Signal handlers, though the cross-state nature of the crime and the use of encrypted communications would typically bring federal agencies into the picture.
What this means for crypto holders
The Scottsdale case is a stark reminder that for crypto holders, especially those with significant on-chain wealth, the biggest security threat may not be a smart contract exploit or a phishing email. It might be someone knocking on the front door.
Security researcher Lopp has repeatedly emphasized that the most effective way to reduce wrench attack risk is also the most difficult: do not talk about Bitcoin while using your real name or face. Do not flaunt holdings. Do not trust anyone with financial details unless you trust them, as he puts it, with your life.
For those who do hold substantial amounts in self-custody, multi-signature setups with geographic separation of keys, time-locked vaults, and “panic wallets” that can display decoy balances under duress are among the strategies that firms like Casa now recommend.
But as this case shows, even people who denied having cryptocurrency were not spared the violence. The attackers came prepared, funded, and informed. And the people who sent them are still out there.
Also Read: US Senate Pushes Crypto ATM Crackdown After $333M Lost to Scams