Skip to content

DAC8

DAC8: Stop mass surveillance of crypto holders

We are at a crossroads.

The safety of millions of Europeans is at stake: a dangerous and unjustified mass-surveillance and data-collection program is under way.

DAC8 is the greatest threat to date to the survival of fundamental rights and Bitcoin's cypherpunk principles.

Bull Bitcoin stands as a bulwark: we refuse to be accomplices to this abuse by governments. We refuse to submit without a fight.

That is why we have launched a legal action to strike down this law.

Bull Bitcoin's legal battle to cancel DAC8 and CARF

Read the manifesto →

01

What is DAC8?

The crypto tax-surveillance directive, in force since 1 January 2026.

The DAC8 directive, in force since 1 January 2026, requires every EU crypto-asset service provider (CASP) to report annual information about their clients’ reportable crypto-asset transactions to the tax authorities. That information is then exchanged automatically between the 27 Member States.

Each CASP must report, every year:

  • full customer identity (name, home address, birth date, tax identification number) and tax residence;
  • crypto-asset types and transaction categories;
  • values, units, dates, transaction counts and annual aggregates;
  • transfer information, including aggregate transfers to non-VASP distributed-ledger addresses where applicable.

The first reporting period covers the 2026 calendar year, and the first exchange between tax authorities is due in September 2027. In France, DAC8 was transposed by Decree No. 2025-1276 of 19 December 2025.

Council of the EU, 17 October 2023 press release · European Commission DAC8 page · Decree No. 2025-1276 of 19 December 2025 · ADAN / Deloitte / Ipsos 2026 barometer.

Contribute to the fight

The fight against DAC8 is financed by BULLBITCOIN.COM and another French crypto exchange that prefers to remain anonymous for now. To contribute, use BULLBITCOIN.COM as your exchange. The profits generated by your business help finance legal action against DAC8 and CARF wherever useful.

Spread the word

Warn the people around you

Share the site to reach as many people as possible, or download the infographic to spread it around you.

Infographic explaining how DAC8 collects crypto user and transaction data and shares it between tax authorities.

03

Why it concerns you

The first duty of the State is to protect its citizens.

DAC8 does not only concern crypto-asset holders. By bringing together identities, home addresses and crypto transaction and transfer data in a database shared by 27 tax administrations, the directive creates a very high-value target, at the exact moment when criminals are prioritising the relatives of holders.

40-135 M

Europeans in a physical-risk zone (holders and their relatives)

>50%

of attack victims in 2026 hold no crypto at all: spouses, children, elderly parents

Crypto-assets are liquid, transferable and sometimes visible on public blockchains. Once civil identity and home address are linked to crypto activity and value signals, the data no longer serves tax administration alone: it can be used to target people.

More than half of the people attacked in 2026 own no cryptocurrency. Never bought bitcoin? A single relative who holds it is enough to make you a target, and you never consented to appearing in this database.

Bull Bitcoin’s position is simple: tax authorities should be able to investigate specific taxpayers through targeted, motivated requests. They should not create a mass database of crypto users, home addresses, transactions and transfers.

CertiK, Wrench Attacks Report Q1 2026 · ADAN, 2026 barometer · Eurostat EU-SILC 2023.

04

Why it's unreasonable

A blockchain address is not an account number. It's an entire financial life laid bare.

01

Blockchain transparency makes mass collection disproportionate

A blockchain address is not a bank account number. It can be an entry point into a public, persistent financial graph. DAC8 can therefore expose much more than a taxable event.

Learn more ↓

A blockchain address is not a bank account number: it is an access key to an entire financial life that is public and permanent. On Bitcoin, Ethereum and nearly all public chains, every transaction is public, verifiable and permanent. When reported crypto activity links a civil identity to public-ledger activity, the exposure therefore goes far beyond a single taxable event.

  • Total exposure. Where DAC2 transmits balances, DAC8 links identity and home address to crypto transaction and transfer data; on public ledgers, that can become an entry point into a broader history.
  • Everything, including the non-fiscal. Transfers between your own wallets, gifts to family, payments to merchants, P2P operations: DAC8 captures movements with no tax relevance at all.
  • A leak that never closes. Unlike a frozen balance, the on-chain history updates itself, in perpetuity, in full view of any attacker.
  • A breach of proportionality. Article 52 of the Charter of Fundamental Rights requires that any limitation of a right be necessary and proportionate; the CJEU recalled this in its case law on FATCA and the GDPR.
Read the full analysis
02

No proven effectiveness justifies this level of risk

A measure that exposes millions of people should require strong evidence of necessity and effectiveness. The case for mass crypto reporting remains weak compared with its security cost.

Learn more ↓

No public data shows that mass automatic exchange delivers a tax return that matches its cost. Seven years after its first evaluation, the European Commission admits that “the assessment of benefits is extremely limited.” It is extending this same framework to crypto-assets anyway.

  • The Commission (SWD 2019, then SWD 2025) concedes it cannot quantify the additional revenue generated by automatic exchange.
  • The European Court of Auditors (report 03/2021) found that only one of the five audited Member States checks data quality, and that between 2015 and 2017 only 2% of the taxpayers covered were linked to a tax number.
  • The comparable AML/KYC regime intercepts just 0.1% of criminal funds for 136.5 billion USD in annual costs in Europe.
  • The CRS precedent mainly shows displacement toward non-participating jurisdictions, not a net drop in evasion.
Read the full analysis
03

DAC8 can produce the opposite of its stated objective

By making regulated CASP use synonymous with automatic exposure, DAC8 can push prudent users toward peer-to-peer markets, offshore platforms, mining or non-custodial workflows.

Learn more ↓

The informed holder is not asking whether to declare: the moment they use a CASP, their data goes to the tax authority regardless. Their real question becomes “Should I keep using a regulated CASP at all?” For a growing number of holders, the answer will be no.

  • The workarounds are lawful. Non-custodial wallets, DEXs, P2P, mining, non-custodial staking: all out of DAC8 scope and perfectly legal. The directive does not push people toward fraud, but toward leaving regulated CASPs.
  • The contradiction with MiCA is head-on. The EU spent nearly five years (2019-2024) building MiCA to bring Europeans back to regulated, safe, supervised platforms. Six months before the 1 July 2026 deadline, DAC8 turns those same platforms into the most exposed place to transact.
  • Effectiveness reverses. Sophisticated holders leave; only ordinary users stay inside the perimeter, bearing the physical risk alone. Less identified taxable base, at the cost of jobs and digital sovereignty.
Read the full analysis
04

A less intrusive alternative already exists

French law already gives tax authorities targeted information-request powers. A motivated request concerning an identified taxpayer is safer and more proportionate than mass collection.

Learn more ↓

The right of communication (Articles L. 81 and following of the French Tax Procedure Code) already lets the administration access data held by third parties (banks, service providers, and now CASPs) in a targeted and motivated way, for an identified taxpayer under investigation. When a less intrusive measure achieves the same objective, mass collection is, by construction, disproportionate.

Key points:

  • A less intrusive alternative exists. DAC8 fails the proportionality test of Article 52 of the Charter: not necessary, not adequate, not proportionate.
  • The right of communication is targeted. It concerns taxpayers under investigation, with strictly necessary data, instead of ~54 M holders across 27 centralized databases.
  • It is already the standard. Art, bullion, foreign real estate (form 3916), securities accounts: the administration obtains them on a motivated request, never through permanent access. Crypto-assets justify no exception.
Read the full analysis

05

Why it must be stopped

A centralized file is a target.

01

An epidemic of physical violence targets holders

Crypto-related physical violence has exploded: 82% of global attacks occur in Europe and 70% in France (January to April 2026), and the French Interior Ministry records about one attack every 2.5 days. $101M extorted in four months. Criminals no longer act at random: they buy their targets' personal data.

Learn more ↓

Physical violence linked to crypto has exploded and is concentrated in Europe, with France in the lead. Criminals no longer act at random: they buy their targets’ personal data to select, locate and pressure holders and their relatives.

  • 82% of global crypto-related physical attacks occur in Europe and 70% in France (January to April 2026); $101M extorted in four months (CertiK, 2026). The French Interior Ministry records about one attack every 2.5 days.
  • France documents a steady rise: 18 cases in 2024, 67 in 2025, 47 in 2026 as of 25 April; 88 people charged, including more than 10 minors (PNACO).
  • The modus operandi has shifted: buying data, cross-referencing platform leaks (Waltio case), surveilling relatives, operatives recruited via Telegram, orchestration from abroad.
  • DAC8 and CARF would add a structured database linking civil identities to crypto data: exactly what attackers already seek to obtain.
Read the full analysis
02

Families are on the front line

More than half of 2026 victims are not holders: they are their spouses, children or elderly parents. DAC8 therefore exposes not only holders but their entire family circle, between 40 and 135 million Europeans in a physical-risk zone, none of whom ever consented.

Learn more ↓

More than half of the violent incidents recorded in 2026 do not target holders: they target their spouses, children or elderly parents, as direct victims or pressure levers (CertiK, Q1 2026). DAC8 therefore exposes not only crypto-asset holders, but their entire close family circle.

  • A mass-scale risk. Multiplying each holder by their close family (× 2.5, consistent with the average EU household size) yields between 40 and 135 million Europeans in a physical-risk zone.
  • An asymmetric risk. A leak of 50,000 holders becomes a leak of 125,000 people actually exposed; a DAC8 leak (54M) would become a leak of 135M.
  • No consent. Relatives never used a crypto platform, never accepted any terms of service, and have no way to opt out.
Read the full analysis
03

DAC8 adds a database to already contaminated ground

In 18 months, more than 100 million records of French citizens were compromised from databases run by the State or its contractors. The link between leaks and violence is now asserted by the authorities: the Waltio breach directly served at least three kidnappings. DAC8 adds to this ground a database of holders of an asset transferable under coercion.

Learn more ↓

No public database can be considered permanently safe. In 12 months, the CNIL received 8,613 breach notifications (+45%), about one leak per hour, affecting 12.2 million people. DAC8 adds to this ground a database that crosses civil identity with crypto activity.

Key points:

  • Security depends on the weakest link: one of the 27 administrations is enough. The precedents exist (NRA Bulgaria 2019: up to 7M taxpayers; Equalize in Italy; DGFiP agent Ghalia C. targeting crypto investors).
  • The risk is not only external hacking: abusive insider access, misconfigurations and compromised contractors matter just as much.
  • Leaked crypto data stays exploitable for a long time and can create permanent surveillance, even physical targeting.
Read the full analysis
04

A centralized database is a target by design

Concentrating sensitive data creates a honeypot: a high-value target. Regulated CASPs (MiCA, DORA, GDPR) are supervised, sanctionable professionals with incentives to protect their customers. DAC8 does the opposite: 27 shared databases, whose overall security is only as strong as the weakest link.

Learn more ↓

Concentrating sensitive crypto data in a shared database creates a honeypot: a very high-value target. The larger and more valuable the database, the greater the effort attackers spend and the more devastating a single leak. The DAC8 target will be one of the most valuable in Europe.

Regulated CASPs (MiCA since 30 December 2024, DORA since January 2025, GDPR) are supervised and incentivized professionals: a leak costs them their license, customers and reputation, with penalties up to 4 % of worldwide turnover. An administration that loses taxpayer data, by contrast, keeps existing and at worst incurs a symbolic fine (Bulgaria 2019: 2.9 M€ paid by the Bulgarian taxpayer to the Bulgarian State).

DAC8 does the opposite of the sound security reflex:

  • Current model: roughly 100 to 200 independent CASPs; a leak stays contained (Waltio: 50,000 customers).
  • DAC8 model: 1 database × 27 administrations = 27 equivalent targets, with millions of agents exposed (DGFiP: roughly 100,000).
  • The security of the whole is only as strong as its weakest link.
Read the full analysis

Resources

The reference dossier, in readable pages

Analysis, figures, sources and global CARF context without overloading the homepage.

Manifesto

Why we refuse DAC8 and the mass surveillance of crypto holders.

Francis Pouliot, founder of Bull Bitcoin

Read the manifesto →

Support the fight against DAC8