Fake Delivery Crew Targeting Crypto Holders Busted for Bay Area Home Invasions

Near the corner of 18th and Dolores streets, a man answered his door at 6:45 on a November morning to someone claiming to have a package for "Joshua." By the time San Francisco police arrived, Joshua was face-down on his living room floor, wrists and ankles bound with duct tape, and roughly $11 million in Ethereum and Bitcoin was gone. Authorities announced this week that the man at the door was not working alone, and members of the crew responsible for that robbery and a string of similar attacks across the Bay Area and California are now in custody.

The bust, reported by the San Francisco Chronicle, centered on a coordinated organization that exploited one of the most trusted rituals of daily urban life: the doorstep delivery. The crew used both food and package delivery ruses to gain entry into the homes of known cryptocurrency holders. According to a police report, the robbery unfolded on the unit block of Dorland Street, only steps from Mission Dolores Park. The suspect approached in dark clothing, a hooded sweatshirt, gloves, and sunglasses, holding a white box and deliberately turning his face away from the doorbell camera.

A suspect posing as a delivery worker entered the Mission Dolores home near 18th and Dolores around 6:45 a.m. on Nov. 22, restrained the resident, and stole a phone, laptop, and about $11 million in cryptocurrency. Once inside, he asked to borrow a pen to sign for the package. Moments later, he pulled a gun. He ordered the victim to tie his own ankles with duct tape, then bound his wrists. As the victim lay face-down on the floor, the suspect got on what appeared to be a three-way call, with a man described as having a raspy voice relaying instructions on how to drain the accounts.

Doorbell footage from the attack was shared publicly by Y Combinator CEO Garry Tan, drawing wide attention to the Mission Dolores case and the crew's method. The property is linked to venture capitalist Lachy Groom.

The arrests came as physical attacks on cryptocurrency holders surged to levels that security researchers describe as an acute public safety crisis. Crypto wrench attacks increased 75% in 2025, with 72 confirmed incidents involving physical violence and losses exceeding $40 million. The pace continued accelerating into 2026, with 11 incidents recorded in January alone. Jameson Lopp, co-founder of crypto security firm Casa, who tracks these incidents publicly, documented 61 verified physical attacks on crypto holders in 2025, a sharp jump from 38 cases in 2024, with many involving disguises or forced entry tactics.

The crew's approach reflected a calculated pivot away from digital hacking. Since 2020, there have been more than 215 documented cases of physical crypto attacks around the globe, with 2025's tally almost doubling the previous year's total. Rather than breaking through encryption, the Bay Area operation targeted individuals whose public blockchain activity or social media presence made their holdings visible, then used the familiarity of a delivery uniform to get inside before any alarm could be raised.

Additional charges related to attacks outside San Francisco County are expected as the investigation continues across multiple Bay Area jurisdictions.