They have cheap BLE tags. If those cannot be reverse-engineered maybe you can record their beacons without the reach of any other device and then just replay them. Buying 256 tags may be worth it if the victim stores tens of millions satoshis. I'd be really surprised if there isn't any way to sneak out 256 bits of data. Or less if the attacker wants to do some brute forcing.