Posing as a delivery driver to rob $4.3 million worth of crypto right at a private residence

A simple yet effective attack scenario: impersonate a delivery person, knock on the door, break in with a gun, and force the homeowner to transfer the private key.

In June 2024, three men executed exactly this scenario at an apartment in the UK, seizing over $4.3 million in crypto.

Five months later, the Sheffield Crown Court convicted Faris Ali and two accomplices, after the Metropolitan Police recovered nearly all the stolen assets.

The case, documented by blockchain investigator ZachXBT, has become a notable example for a question the crypto industry still avoids: what level of operational security is needed when asset value lives in a browser but the holder's home address is public information?

How did the robbery happen?

The timing of the attack fell into the gap between a data leak incident and the victim’s awareness of the risk.

Chats obtained by ZachXBT show the suspects discussing strategy hours before the attack, sharing images of the victim’s building, confirming their position at the door, and agreeing on a cover story. A photo captured all three in delivery uniforms. Minutes later, they knocked—the victim, expecting a package, opened the door.

The result was a forced transfer to two Ethereum addresses, carried out at gunpoint. Most of the stolen coins remained dormant in these wallets until law enforcement intervened.

ZachXBT traced the trail through on-chain analysis and leaked Telegram conversations. The chats revealed the criminal plan and prior offenses: weeks before the robbery, Faris Ali posted a bail document photo, exposing his real name to friends on Telegram.

After the incident, an unidentified person registered the ENS domain farisali.eth and sent an on-chain message, publicly accusing him on the Ethereum ledger. ZachXBT shared the findings with the victim, who relayed them to the authorities. On 10/10/2024, ZachXBT published a detailed investigation, and on 11/18, the Sheffield Crown Court delivered its verdict.

Broader trend

ZachXBT notes the case is part of a growing trend of home invasions targeting crypto holders in Western Europe, with a higher frequency than other regions.

Attack methods vary: SIM swaps leaking recovery phrases, phishing exposing wallet balances, social engineering to locate assets. The common thread is that once attackers confirm a high-value victim and know their home address, they switch to physical coercion.

Why the delivery disguise is so effective

Impersonating a delivery person leverages trust in the logistics system. Opening the door for a courier is normal behavior, not a security flaw.

Attackers understand the hardest part of a home invasion is getting inside without raising suspicion. Uniforms and packages provide a plausible reason to be at the door. When the door opens, the attackers have the element of surprise.

This method is hard to scale because it requires physical presence, leaves forensic evidence, and fails if the victim refuses to open the door. But it bypasses all digital security layers: multi-signature wallets, hardware devices, or cold storage are useless if the victim is forced to sign a transaction on the spot. The weak point is the human holding the key, living at a fixed address discoverable via data leaks or public records.

Lessons in protection and opsec costs

This case sets a requirement for large asset holders: reconsider how to manage and disclose assets.

The immediate lesson is prevention: segregate assets, remove personal information from public databases, avoid sharing wallet balances on social media, and treat any unusual visit as a potential threat.

But these measures “cost” convenience, transparency, and the ability to participate in the crypto community without becoming a target.

The long-term issue is the insurance market. Traditional custody providers have insurance and physical security, while self-custody does not—one of its rare disadvantages. If home invasions become a predictable threat, demand for insured storage services or personal protection will rise. Both are expensive and trade off the inherent control of self-custody.

Data leaks are the root risk: centralized exchanges, blockchain analytics platforms, tax reporting, and Web3 services requiring KYC all store information linking identity to wallets. When these databases leak, they become a “shopping list” for criminals, matching wallet balances to public addresses.

ZachXBT’s recommendation to “monitor personal information when leaked online” is accurate, but assumes the victim has the tools and vigilance to track leaks in real time—which most do not.

Enforcement capability is also limited: ZachXBT is an individual working pro bono. Law enforcement mostly lacks on-chain forensics skills to track stolen crypto without outside help. The Metropolitan Police succeeded because they were handed the entire investigation.

Implications for self-custody

The broader question: is self-custody still the default choice for large asset holders?

The crypto industry has argued for a decade that individuals should control private keys and that asset sovereignty is worth the operational cost. This argument holds when the threat is exchange collapse or government seizure, but weakens when the threat is a delivery uniform, a gun, and a list of addresses from leaked data.

If large holders realize self-custody poses unacceptable physical risks, they will move to insured institutional platforms, trading decentralization for safety. If they retain self-custody but heavily invest in security and privacy, crypto becomes an underground culture for the rich and paranoid.

The case at Sheffield Crown Court closes a chapter: the attackers were caught, the victim recovered their assets, ZachXBT gained another case study. But the systemic weakness remains: as long as large assets can be coerced away in under an hour and leaked data still links wallet balances to home addresses, no encryption can protect the human holding the keys.

Thach Sanh
