Physical Risks
Physical violence and crypto
Why physical attacks against crypto holders make DAC8 and CARF data collection especially dangerous.
Updated
Short answer
Crypto holders face a physical-risk profile that is different from ordinary financial-account holders. Crypto assets can be transferred quickly, sometimes irreversibly, and public blockchain activity can reveal clues about value or counterparties. Under coercion, a victim can be forced to sign a transaction. A database that links identity to crypto activity can therefore become a targeting tool if leaked, abused or accessed by the wrong person.
Physical violence linked to crypto is no longer theoretical: assaults, kidnappings and extortion are documented. This is why Bull Bitcoin argues that DAC8 and CARF are not only tax-reporting measures. They can become personal-security risks.
Key figures
| Indicator | Value |
|---|---|
| Global crypto-related physical attacks that occur in Europe (Q1 2026) | 82% |
| Increase in “wrench attacks” in 2025 | +75% |
| Additional attacks in Q1 2026 vs Q1 2025 | +41% |
| Amount extorted in 4 months (January to April 2026) | $101M |
CertiK, Wrench Attacks Report Q1 2026, May 2026 (relayed by The Block and CoinAlertNews, 8 May 2026).
Why crypto creates a distinct physical-risk problem
| Risk factor | Why it matters |
|---|---|
| Fast transferability | Attackers may coerce a victim to move assets quickly |
| Irreversibility | Some crypto transfers cannot practically be recalled |
| Public ledgers | Address-linked activity may reveal more than a bank-account number |
| Family exposure | Attackers can target relatives, not only account holders |
| Insider or leak risk | A database does not need to be public to become dangerous |
The security problem is not only that crypto has value. The problem is that a person’s identity can be linked to an asset class where ownership, transfers or address clusters may be externally observable. If the wrong person obtains identity-linked crypto records, they may be able to select targets more efficiently.
Physical attacks against crypto holders are a documented category of crime. Chainalysis has reported on the relationship between crypto crime and physical attacks, and academic work on “wrench attacks” studies coercive attacks targeting cryptocurrency users (AFT 2024).
France, the global epicenter
France now concentrates a disproportionate share of attacks:
- 70% of global crypto-related physical attacks take place in France;
- 47 violent events recorded in France in 2026 as of 25 April (PNACO), or roughly one attack every 2.5 days;
- 88 people charged, including more than 10 minors;
- 75 suspects in pre-trial detention;
- a steady rise: 18 cases in 2024, then 67 in 2025, according to Vanessa Perrée, head of the PNACO.
Le Parisien, 25 April 2026. Bitcoin.com, France Charges 88 Over Crypto Kidnappings, 25 April 2026.
Mediatized cases confirm a European concentration of recent physical attacks, with France especially prominent. DAC8 must therefore be assessed in a concrete context: the data collected can feed a threat that is already active.
Notable cases 2025-2026
| Date | Case | Target | Consequences |
|---|---|---|---|
| Jan. 2025 | David Balland (Ledger co-founder) | Holder | Finger severed, ransom of about €10M |
| Jan. 2026 | Retired couple, Sallanches | Holder’s parents | 20h captivity, knife wounds, €8M ransom |
| Feb. 2026 | A magistrate and her mother, Saint-Martin-le-Vinoux | Executive’s family | 30h in a garage |
| Feb. 2026 | Family of a Binance France employee | Employee’s family | Attempted home intrusion |
| Mar. 2026 | Sillytuna (developer) | Holder | About $24M USDC extorted under threat |
| 2026 | 84-year-old mother (USA, by European operators) | Holder’s mother | $6M BTC ransom |
Fibo-crypto compilations, February-March 2026. CoinDesk, February 2026. CertiK, May 2026.
The shift: data-driven targeting
CertiK identifies a change in modus operandi: attackers no longer rely on random physical surveillance. They buy, cross-reference and enrich data: names, addresses, financial profiles, platform traces and previous leaks.
A data-driven targeting model is replacing physical surveillance: attackers buy personal information (full names, home addresses, financial profiles) from online brokers.
The typical modus operandi is now:
- acquisition of personal data (black markets, leaks);
- cross-referencing with leaked crypto-platform data (Waltio case);
- prior identification and surveillance of relatives;
- local recruitment of operatives via Telegram or Snapchat;
- orchestration from abroad (Morocco, Dubai, Eastern Europe);
- execution through “doorbell vectors” (fake delivery drivers, fake police officers).
Why DAC8 and CARF increase exposure
DAC8 links civil identities to crypto transaction data. If this information leaks, it can help a criminal network select a target, assess wealth, identify relatives and prepare an attack. Automatic collection changes the risk profile: it makes industrially available what attackers already try to obtain through leaks, data purchases or corruption.
DAC8 and CARF require reporting systems to collect and normalize data. That means more standardized records, more administrative access points and more cross-border data movement. Even if every official actor acts lawfully, every additional copy, interface and user account increases the number of places where failure can occur.
This is the core difference between targeted information requests and mass reporting. A targeted request limits exposure to a specific investigation. Mass reporting creates a standing database about broad populations.
Common misconception
The risk is not limited to “whales.” A criminal does not need exact net worth to decide that a target is worth pressuring. In some cases, the perception that a person owns crypto can be enough to create danger for the person and their family.
Bull Bitcoin position
Bull Bitcoin’s position is that tax enforcement must account for physical safety. A system that creates broad identity-linked crypto datasets should face a high proportionality burden. DAC8 and CARF fail that test because they normalize mass collection rather than targeted, justified requests.