Skip to content
Resources

Physical Risks

Physical violence and crypto

Why physical attacks against crypto holders make DAC8 and CARF data collection especially dangerous.

Updated

Short answer

Crypto holders face a physical-risk profile that is different from ordinary financial-account holders. Crypto assets can be transferred quickly, sometimes irreversibly, and public blockchain activity can reveal clues about value or counterparties. Under coercion, a victim can be forced to sign a transaction. A database that links identity to crypto activity can therefore become a targeting tool if leaked, abused or accessed by the wrong person.

Physical violence linked to crypto is no longer theoretical: assaults, kidnappings and extortion are documented. This is why Bull Bitcoin argues that DAC8 and CARF are not only tax-reporting measures. They can become personal-security risks.

Key figures

IndicatorValue
Global crypto-related physical attacks that occur in Europe (Q1 2026)82%
Increase in “wrench attacks” in 2025+75%
Additional attacks in Q1 2026 vs Q1 2025+41%
Amount extorted in 4 months (January to April 2026)$101M

CertiK, Wrench Attacks Report Q1 2026, May 2026 (relayed by The Block and CoinAlertNews, 8 May 2026).

Why crypto creates a distinct physical-risk problem

Risk factorWhy it matters
Fast transferabilityAttackers may coerce a victim to move assets quickly
IrreversibilitySome crypto transfers cannot practically be recalled
Public ledgersAddress-linked activity may reveal more than a bank-account number
Family exposureAttackers can target relatives, not only account holders
Insider or leak riskA database does not need to be public to become dangerous

The security problem is not only that crypto has value. The problem is that a person’s identity can be linked to an asset class where ownership, transfers or address clusters may be externally observable. If the wrong person obtains identity-linked crypto records, they may be able to select targets more efficiently.

Physical attacks against crypto holders are a documented category of crime. Chainalysis has reported on the relationship between crypto crime and physical attacks, and academic work on “wrench attacks” studies coercive attacks targeting cryptocurrency users (AFT 2024).

France, the global epicenter

France now concentrates a disproportionate share of attacks:

  • 70% of global crypto-related physical attacks take place in France;
  • 47 violent events recorded in France in 2026 as of 25 April (PNACO), or roughly one attack every 2.5 days;
  • 88 people charged, including more than 10 minors;
  • 75 suspects in pre-trial detention;
  • a steady rise: 18 cases in 2024, then 67 in 2025, according to Vanessa Perrée, head of the PNACO.

Le Parisien, 25 April 2026. Bitcoin.com, France Charges 88 Over Crypto Kidnappings, 25 April 2026.

Mediatized cases confirm a European concentration of recent physical attacks, with France especially prominent. DAC8 must therefore be assessed in a concrete context: the data collected can feed a threat that is already active.

Notable cases 2025-2026

DateCaseTargetConsequences
Jan. 2025David Balland (Ledger co-founder)HolderFinger severed, ransom of about €10M
Jan. 2026Retired couple, SallanchesHolder’s parents20h captivity, knife wounds, €8M ransom
Feb. 2026A magistrate and her mother, Saint-Martin-le-VinouxExecutive’s family30h in a garage
Feb. 2026Family of a Binance France employeeEmployee’s familyAttempted home intrusion
Mar. 2026Sillytuna (developer)HolderAbout $24M USDC extorted under threat
202684-year-old mother (USA, by European operators)Holder’s mother$6M BTC ransom

Fibo-crypto compilations, February-March 2026. CoinDesk, February 2026. CertiK, May 2026.

The shift: data-driven targeting

CertiK identifies a change in modus operandi: attackers no longer rely on random physical surveillance. They buy, cross-reference and enrich data: names, addresses, financial profiles, platform traces and previous leaks.

A data-driven targeting model is replacing physical surveillance: attackers buy personal information (full names, home addresses, financial profiles) from online brokers.

CertiK, Wrench Attacks Report Q1 2026

The typical modus operandi is now:

  • acquisition of personal data (black markets, leaks);
  • cross-referencing with leaked crypto-platform data (Waltio case);
  • prior identification and surveillance of relatives;
  • local recruitment of operatives via Telegram or Snapchat;
  • orchestration from abroad (Morocco, Dubai, Eastern Europe);
  • execution through “doorbell vectors” (fake delivery drivers, fake police officers).

Why DAC8 and CARF increase exposure

DAC8 links civil identities to crypto transaction data. If this information leaks, it can help a criminal network select a target, assess wealth, identify relatives and prepare an attack. Automatic collection changes the risk profile: it makes industrially available what attackers already try to obtain through leaks, data purchases or corruption.

DAC8 and CARF require reporting systems to collect and normalize data. That means more standardized records, more administrative access points and more cross-border data movement. Even if every official actor acts lawfully, every additional copy, interface and user account increases the number of places where failure can occur.

This is the core difference between targeted information requests and mass reporting. A targeted request limits exposure to a specific investigation. Mass reporting creates a standing database about broad populations.

Common misconception

The risk is not limited to “whales.” A criminal does not need exact net worth to decide that a target is worth pressuring. In some cases, the perception that a person owns crypto can be enough to create danger for the person and their family.

Bull Bitcoin position

Bull Bitcoin’s position is that tax enforcement must account for physical safety. A system that creates broad identity-linked crypto datasets should face a high proportionality burden. DAC8 and CARF fail that test because they normalize mass collection rather than targeted, justified requests.