If the Trump administration wants to make the US the world’s crypto capital, France’s wave of crypto kidnappings and alleged tax data leaks should be taken as a warning. Congress should move deliberately and decide what information must be collected about crypto holders, how long that information will be retained, who gets to see it, and what the consequences should be when that access is abused.
Pro-crypto policy isn’t just about friendlier tax rules and less regulation. Without good data governance, compliance databases can become criminal target lists.
Making the US more “crypto-friendly” in practice likely means friendlier tax treatment, a light-touch regulatory state, and a pause on every crypto founder being treated as a criminal or a congressional witness.
This makes some policy sense. If digital assets are going to remain a long-term part of the financial system, it’s better to have coherent and administrable rules rather than pretending they’re weird one-offs.
But France’s experience shows that being crypto-friendly may encompass more than reducing compliance burdens—and becoming the crypto capital may necessitate a radical rethinking of tax privacy architecture. While France has also tried to position itself as a jurisdiction that’s friendly to digital assets, it has seen a plethora of crypto-related kidnappings, extortion attempts, and attacks on family members. For example, a French tax office employee allegedly used government systems to identify cryptocurrency holders and provided that information to criminal networks.
The risk isn’t limited to rogue government employees. Private-sector crypto compliance and service providers can pose the same leak or release danger when they collect identity-linked crypto data for compliance purposes. In France, hackers reportedly breached Waltio, a cryptocurrency tax platform, and exposed information tied to tens of thousands of users.
These incidents should get US lawmakers’ attention, because the underlying risk isn’t unique to France.
Crypto is different from most financial assets in its portability, irreversibility, and ability to be unlocked under duress. A brokerage account can’t just be emptied because someone in a ski mask wielding a machete demands a password in your kitchen. And a home equity stake can’t be irreversibly transferred to a wallet in another jurisdiction before the police arrive.
Traditional financial accounts, by and large, can have fraudulent transfers unwound—most crypto platforms provide no such safeguards.
Crypto’s structural changes shift the economics of coercion. If a criminal learns that someone owns shares of Apple Inc., the criminal still must deal with transfer rules, account controls, settlement timelines, and identity checks. If a criminal gets wind that someone holds a meaningful amount of crypto, the path from threat to transfer can be measured in minutes, if not seconds.
This doesn’t mean crypto is inherently illegitimate—at least not for bearer-risk reasons. Gold, jewelry, and even cash have risks. But crypto exists at the intersection of high value, recovery difficulty, high transferability, and accessibility.
Yet realistically, tax enforcement requires someone in authority knowing who owns crypto, how much they paid for it, and how much they own.
In ordinary tax administration, a data breach is bad enough. It can prompt identity theft and financial fraud. With crypto, the stakes can be much more immediate.
The US has been moving toward mandating more formal crypto tax reporting. That’s the right direction to be heading, for compliance purposes. One of crypto taxation’s persistent absurdities is that taxpayers are expected to report gains and losses by reconstructing basis across myriad exchanges, wallets, and transaction histories. Enhanced reporting by exchanges and other platforms can help taxpayers comply and help the IRS enforce tax law.
But more reporting also means more sensitive data sitting in different buckets held by different entities and actors. Exchanges will hold data, vendors will store it, and the IRS will collect it. Once information exists in a system, the relevant questions are: who has access; whether that access is necessary; what procedure is in place to log that access; and what happens when someone decides the data is worth more to them outside the system than inside it.
That’s the part Washington may be at risk of underbuilding. Policymakers love reporting rules because they’re measurable, enforceable, and easy to describe at a hearing. They also pave the way for future taxation without ruffling feathers the way a new levy might.
But privacy architecture is less glamorous. Data minimization, access and audit logs, breach notifications, and strict insider-misuse guardrails don’t make exciting campaign copy.
Reporting systems should still be designed around, and with, the risks of the asset. That includes fraud risk—but also taxpayer safety. For crypto, risks include underreporting and evasion, as well as the possibility that identity-linked balance information can be weaponized against the taxpayer.
That’s unfair to taxpayers and may increase the likelihood of underreporting. If crypto taxpayers must choose between rolling the dice on being audited and waking up to someone looming over them in the night looking for their Coinbase password, many will chance the former.
At a minimum, Congress should mandate role-based access controls, automated logging, regular security and privacy audits, and breach notifications for the private crypto sector. Current breach notification requirements are built around massive data leaks, not individual exposure.
The French experience suggests that the security risk isn’t only a giant database breach—but also the quiet lookup, copied address, balance screenshot, or the single taxpayer file sold to someone with the will and ability to do something nefarious with it.
And on the government side, there must be meaningful and clear penalties for government employees, contractors, brokers, and vendors that misuse or improperly disclose crypto-holder data.
Privacy protections can’t just be added as an afterthought, when the forms are already finalized and databases are populated. By then, it’s probably too late to stop fraud from happening.
Andrew Leahey is an assistant professor of law at Drexel Kline School of Law, where he teaches classes on tax, technology, and regulation. Follow him on Mastodon at @andrew@esq.social.
