French Crypto Tax Platform Waltio Suffers Major 50,000-User Data Breach

Another day, another crypto platform breach—only this time, it's not your exchange or wallet getting hit, but the very service meant to keep your tax records secure. French crypto tax reporting platform Waltio just confirmed a massive data leak exposing sensitive information for tens of thousands of users.

What exactly got out?

The breach compromised user names, email addresses, hashed passwords, and—most critically—linked cryptocurrency exchange API keys. That last bit is the real kicker. While Waltio claims no funds were directly stolen, those API keys grant read-only access to transaction histories. For a tax platform, that's the crown jewels of user data.

Waltio's response? Standard breach protocol 101. They've notified France's data protection authority (CNIL), forced password resets, and revoked all compromised API keys. Users are advised to regenerate new keys on their linked exchanges. The platform insists the vulnerability has been patched.

Why this stings more

Crypto users already juggle security for wallets, exchanges, and seed phrases. Adding a 'trusted' third-party tax service to the threat model feels like a new low. It highlights the extended attack surface in decentralized finance—your data is only as safe as the weakest link in your service chain. And let's be honest, for a service built on tracking financial activity, a breach of this scale is a spectacular own-goal. It’s the kind of irony that would make a central banker smirk—crypto’s promise of self-sovereignty undone by a tax helper's database leak.

The takeaway? Your crypto security checklist just got longer. Vet your tax tools with the same paranoia you apply to your hot wallet. Because in the end, the taxman cometh—and sometimes, he leaves the back door open.

Authorities Link Waltio Breach to Shiny Hunters’ Extortion Attempt

In a statement released this week, French cybersecurity institutions confirmed that, via its cybercrime division, the Paris Public Prosecutor’s Office had issued an order to the National Cyber Unit of the Gendarmerie to establish the extent of the breach and identify exposed users.

Officials advised that users whose information might have been stolen should be wary of scammers who claim to be genuine service providers or other officials and force them to give up their digital assets using the stolen information.

The law enforcement agencies reported that some more recent fraudsters posed as crypto businesses, bank anti-fraud units, or even law enforcement officers and magistrates.

French newspaper Le Parisien stated that the attack at Waltio was associated with a ransom demand by a hacking organization called Shiny Hunters.

The group purportedly had obtained personal information of approximately 50,000 Waltio users, most of whom reside in France, and said it had samples of the stolen information as proof.

Waltio later filed a complaint of attempted extortion and unauthorized access to the automated data system.

Waltio said its initial internal assessment showed that the attackers accessed tax reports for the 2024 period. These documents included users’ email addresses, information on crypto profits or losses, and asset balances at the end of the year.

The company stated that banking details, administrative records, and tax identification data were not affected and that its Core infrastructure was not compromised.

Waltio added that its services remain operational and that client funds are not at risk.

France Tightens Oversight After Crypto Data Breach Amid Rise in Kidnapping Cases

Waltio was founded in France and is headquartered in Clermont-Ferrand. It serves roughly 150,000 users and focuses on simplifying crypto tax compliance for European investors, particularly in France, Spain, and Belgium.

The platform aggregates transaction data from more than 700 exchanges, wallets, and blockchains to calculate capital gains, losses, and staking income, and generates tax-compliant reports for local filings.

The investigation comes amid heightened scrutiny of crypto-related data leaks in France.

In the last year, police have attributed a number of home invasions, kidnappings, and attempted kidnappings to the criminals who intended to use the knowledge of the victims having digital assets.

Although the leakage of data has not been directly linked to these crimes, the investigation teams have not eliminated the chances of the data being used to establish potential targets.

Masked gunmen steal crypto USB in France as prosecutors reveal tax official sold government database access identifying crypto investors to criminal gangs for 800 euros per operation.#Crypto #Attack #Francehttps://t.co/GmfOkwsE6E

Fraud victims have been cautioned to keep evidence, report to the police, and address the data protection authority in France in instances where they feel that their personal data has not been sufficiently safeguarded.

The Waltio incident is not the first case of data exposure in the crypto industry in the past.

Hardware wallet manufacturer Ledger announced earlier this month that a breach of a third-party payment processor, Global-e, took place, exposing the data of its customers.

Last month, crypto tax software developer Koinly also notified users of a potential email data breach related to the use of a third-party analytics platform.