Europe’s new tax-transparency regime compiles meticulous registries of who owns cryptocurrency. The most attentive readers may not work for the government
In the small hours of January 21, 2025, armed men entered a house in Méreau, a village in central France, two hours south of Paris, and took David Balland and his partner. Balland had co-founded Ledger, the company whose pocket-size hardware wallets are, for millions of people, the physical location of their cryptocurrency: a private key sealed in plastic and secure silicon, immune, the marketing goes, to every hacker on earth. The kidnappers were not hackers. They separated the couple, demanded a ransom in crypto from one of Balland’s co-founders, and, to focus the negotiations, cut off one of Balland’s fingers and sent the footage along. Two days passed before G.I.G.N. commandos, France’s elite gendarmerie unit, recovered him; his partner was found the following day, in the trunk of a car. There was one consolation, and it was an irony: because crypto moves on a public ledger, prosecutors later said they had traced and frozen most of the ransom. The money was recoverable. The finger was not.
Six months later, and a world away in spirit, investigators arrested a thirty-two-year-old clerk at a tax office in Bobigny, a suburb northeast of Paris. Her troubles had begun with an unrelated brutality: three men had beaten a prison guard at his home, for eight hundred euros, and someone had supplied them with his address. The address, it turned out, had been looked up in Mira, the French tax administration’s internal search system. When investigators reconstructed the clerk’s activity, they found queries that had nothing to do with her caseload: a billionaire, health inspectors, a judge, and, again and again, people who figured in the system as cryptocurrency investors. Prosecutors allege she sold their data, home addresses included, to criminal networks. She has been in custody since June 30, 2025.
Hold those two scenes in mind, because on January 1st of this year the European Union began requiring, by statute, the creation of the most comprehensive registry of cryptocurrency holders ever assembled.
❖
The statute is the eighth revision of the E.U.’s directive on administrative coöperation in tax matters, which everyone calls DAC8. Adopted in October, 2023, it extends to crypto-assets the machinery of automatic information exchange that the O.E.C.D. built a decade ago for bank accounts, the Common Reporting Standard, the instrument that ended Swiss banking secrecy not with a raid but with a spreadsheet. Under DAC8, every “reporting crypto-asset service provider,” a category that sweeps in exchanges, brokers, kiosks, and even non-European platforms with European customers, must collect from each user a declaration of tax residency. Refuse to sign, and after sixty days the provider must block your transactions; the penalties for false statements are left to national law, and in Poland a false declaration is a criminal matter. Existing customers get transitional deadlines, and Poland’s runs to October 31st of this year. Once a year, the provider ships the file to the tax authority: name, address, taxpayer numbers, date and place of birth, and, for every crypto-asset, the aggregate value bought, sold, and swapped.
Two provisions deserve a second reading. The first covers transfers to addresses about which the provider knows nothing, which is to say withdrawals to a user’s own wallet. The state will learn not merely who trades but who appears to have taken custody into his own hands, a strong hint, though not proof, of who personally guards the keys. The second flags retail purchases made with crypto above the equivalent of fifty thousand dollars, identifying both buyer and seller. In Poland, where I practice law, the implementing act (Journal of Laws of 2026, item 347) was signed in March yet covers reportable transactions from New Year’s Day, with fines for providers who drag their feet. The first reports land in 2027; by the end of that September, the tax administrations of the member states will have exchanged them among themselves.
The fiscal logic is not mysterious, and honesty requires stating it at full strength. For the 2024 tax year, roughly twenty thousand Poles filed the capital-gains return for virtual currencies. Several million are estimated to have traded. A bank account has been reportable across borders for nearly a decade; an exchange account holding the same value was, until this year, invisible. DAC8 closes a real gap, and closing it is a defensible thing for a government to do.
What the drafters underweighted is a difference in the physics of money.
❖
A bank balance is a claim on an institution. Between a criminal’s knowledge of your account and the money itself stands the bank: authorization procedures, transfer limits, anti-money-laundering holds, the possibility of reversal, deposit insurance. Even a victim forced at gunpoint to order a transfer sets in motion a process that leaves a trail and can be stopped en route.
Crypto in self-custody is a bearer instrument in its purest form. A seed phrase is not the password to the money; it is the money. Whoever knows it owns the asset, and a transfer to a stranger’s address becomes irrevocable within minutes, with no intermediary anywhere who could pause it. Security researchers have a term for the consequence, the “wrench attack,” after a stick-figure Web comic in which a villain, contemplating a target’s military-grade encryption, skips the supercomputer and buys a five-dollar wrench. The blockchain-security firm CertiK put the same point in the bloodless language of a threat report this May: as wallets and protocols harden, the threat migrates to the human link, and physical coercion remains “the economically most rational attack path” so long as holdings can be tied to a findable person.
Hence an asymmetry that tax lawyers are only beginning to absorb. Knowing that a man keeps two million in a deposit account is useful to a fraudster. Knowing that he keeps the equivalent on a hardware wallet at home is useful to a kidnapper. The Common Reporting Standard told governments how much everyone held behind the teller’s glass. DAC8 adds a detail of a different kind: who carries the vault on his person.
❖
The numbers describe a market responding to incentives. Jameson Lopp, a security engineer who has kept a public registry of physical attacks on crypto holders since 2014, has logged roughly two hundred, and he cautions that the true count is higher, since many enter police statistics as ordinary robberies, no crypto mentioned. CertiK verified seventy-two incidents worldwide in 2025, a seventy-five-per-cent jump over 2024, with losses above forty million dollars. In the first four months of 2026 it counted thirty-four more, with losses around a hundred and one million dollars, and projected that the year would close near a hundred and thirty. The geography has inverted: Europe now accounts for more than four-fifths of cases, and France alone logged twenty-four verified attacks by the end of April. The French interior ministry’s own figure is forty-one, roughly one every two and a half days. In late April, prosecutors announced indictments of eighty-eight suspects across a dozen investigations. More than ten were minors, which CertiK’s analysts read as deliberate: criminal exposure outsourced to defendants young enough to face gentler procedures and reduced penalties.
Americans have their own entries in the registry. In August, 2024, a nineteen-year-old from Danbury, Connecticut, helped steal two hundred and forty-three million dollars in Bitcoin through a phone scam, then let the fact circulate among his online friends. A week later, six men who had driven up from Miami rammed his parents’ Lamborghini, dragged the couple into a van, and bound them with duct tape; an off-duty F.B.I. agent happened to witness the abduction and trailed the van until police caught it. The kidnappers had no database. They had gossip in the right group chats. In Manhattan last spring, prosecutors say, an investor was held in a SoHo town house for more than two weeks, shocked, beaten, and fitted with a tracking device, while his hosts worked on extracting a wallet password. And CertiK’s analysts noticed something new in the early months of this year: a shift to what they call data-driven targeting, in which physical surveillance of a victim becomes unnecessary, because the attackers already hold a file with the name, the home address, and the financial profile.
That sentence rewards a second reading. It describes, with some precision, the file that DAC8 now requires to exist.
❖
The rejoinder writes itself: reported data is not public data. Tax files are protected by fiscal secrecy, exchanged over hardened government channels, hedged with penalties. All true. Which is why the honest question is not whether the system is sealed on paper but how comparable troves have actually escaped. There are four ways to imagine such a leak. All four have already happened.
A private provider can be hacked. In 2020, Ledger’s marketing database spilled the names and home addresses of some two hundred and seventy thousand customers; the file still circulates, and the industry still connects it to years of threatening letters and doorstep visits. Lopp calls France “the canary in the coal mine,” his point being that financial-surveillance rules, not blockchains, are what put addresses next to balances. A private provider can be betrayed from inside. In 2025, criminals bribed customer-support contractors at an outsourcing center in India that served Coinbase; for payments that reportedly began at a few hundred dollars, the insiders copied records of nearly seventy thousand customers, home addresses and identity-document scans included. Coinbase refused a twenty-million-dollar extortion demand, posted a bounty of the same size instead, and told regulators the cleanup could cost as much as four hundred million dollars. A state can be betrayed from inside: that is Bobigny. And a tax dataset can be hacked directly. In January of this year, Waltio, a French platform that exists precisely to prepare crypto tax filings, confirmed a breach after its user data surfaced on a dark-web market; the sellers boasted that the file had already guided three kidnappings worth some seventeen million dollars. The boast comes from criminals and remains under investigation, but the sequence alone moved Pavel Durov, Telegram’s founder, to connect France’s kidnapping wave publicly to leaked tax data, with a warning of arithmetic simplicity: “more data equals more victims.” Nor is the nightmare of a national tax base in the open hypothetical. Bulgaria managed it in 2019, when hackers walked off with the tax records of nearly every adult in the country.
DAC8 does not create one copy of this knowledge. It creates many: at the provider, at the tax authority of the reporting state, at the tax authorities of every state where a user resides. The security of the whole will equal the vigilance of the weakest of twenty-seven links, and the Coinbase affair suggests the going rate for a weak link starts in the hundreds of dollars.
❖
European law has, in fact, already reasoned its way through this. In November, 2022, the Court of Justice of the E.U. struck down public access to registers of companies’ beneficial owners, in a judgment (joined cases C-37/20 and C-601/20) that said the quiet part in the operative text: publishing who owns what exposes people to fraud, kidnapping, blackmail, extortion, harassment, violence, and intimidation. DAC8’s registries are confidential, so the holding does not transfer mechanically. The principle does. The more precise the record of other people’s wealth, and the more widely it is copied, the heavier the safeguards owed to the people in it: data minimization, logged and audited access, real criminal exposure for insiders, independent security review of the exchange systems. A holder whose file leaks from a government system has remedies, damages under European data-protection law and state-liability claims under national codes. No one who has read the victims’ accounts will mistake damages for protection.
For the holder, meanwhile, the rational response is emphatically not evasion. The residency declarations carry criminal penalties, non-signers get frozen out, and a return that disagrees with an exchange’s report is a hand-delivered invitation to an audit; anyone with an untidy past would do well to review it before the first exchange of files, in 2027; whether a correction or a voluntary disclosure still helps is a case-by-case question, turning in part on how much the authority already knows. What a holder can control is everything else. Silence, first: no public arithmetic about the size of a portfolio, on social media or at conference bars, because the files that hurt people are assembled from exactly such crumbs. Then architecture, and here the industry’s stock answers, multi-signature wallets and dead-man’s switches, are only a beginning, because they answer whether a victim will pay, not whether she can. A century ago, banks facing the same problem invented the time-lock vault and the sign in the window: the teller does not know the combination. Crypto needs the cryptographic version of that sign, and it exists in pieces. Wallets that can send only to a whitelist the owner cannot expand for thirty days, so that coercion can move money nowhere but into the victim’s own accounts. Vaults whose every large withdrawal announces itself on-chain and can be clawed back, during the delay, by a designated guardian, a spouse, a lawyer, a service, whose entire contractual value is that he cannot be hurried. Seed phrases split so that no complete secret lives in any one head, leaving torture without an object. And a standing, published commitment that coerced coins will be flagged to every exchange before the attacker reaches a cash-out. The point is not to survive an attack; it is to fail the audition for victim, and to be able to prove it in the first five minutes. Then a family protocol, since spouses, parents, and children are now standard leverage, and every unexpected call from an “exchange” or a “tax office” gets verified through a separate channel. And then records, complete ones, especially from before 2026, because the same paperwork that proves your cost basis to an auditor is the paperwork that makes the automatic reports boring.
The directive’s drafters call all this transparency, and they are right; a ledger is a marvellous instrument of fairness. But somewhere in the logs of a tax office outside Paris sits a search history, queries for a billionaire, a judge, and a long list of cryptocurrency investors, that makes the counterpoint just as plainly. A list of who holds the keys is also a map. And a map is indifferent to who unfolds it.
Trump’s $10B IRS Lawsuit: Tax Data Breach & the Privacy Question

Robert Nogacki – licensed legal counsel (radca prawny, WA-9026), Founder of Kancelaria Prawna Skarbiec.
There are lawyers who practice law. And there are those who deal with problems for which the law has no ready answer. For over twenty years, Kancelaria Skarbiec has worked at the intersection of tax law, corporate structures, and the deeply human reluctance to give the state more than the state is owed. We advise entrepreneurs from over a dozen countries – from those on the Forbes list to those whose bank account was just seized by the tax authority and who do not know what to do tomorrow morning.
One of the most frequently cited experts on tax law in Polish media – he writes for Rzeczpospolita, Dziennik Gazeta Prawna, and Parkiet not because it looks good on a résumé, but because certain things cannot be explained in a court filing and someone needs to say them out loud. Author of AI Decoding Satoshi Nakamoto: Artificial Intelligence on the Trail of Bitcoin’s Creator. Co-author of the award-winning book Bezpieczeństwo współczesnej firmy (Security of a Modern Company).
Kancelaria Skarbiec holds top positions in the tax law firm rankings of Dziennik Gazeta Prawna. Four-time winner of the European Medal, recipient of the title International Tax Planning Law Firm of the Year in Poland.
He specializes in tax disputes with fiscal authorities, international tax planning, crypto-asset regulation, and asset protection. Since 2006, he has led the WGI case – one of the longest-running criminal proceedings in the history of the Polish financial market – because there are things you do not leave half-done, even if they take two decades. He believes the law is too serious to be treated only seriously – and that the best legal advice is the kind that ensures the client never has to stand before a court.














