French prosecutors and national cyber units have opened an investigation after crypto tax service Waltio identified a data breach on Jan. 21, 2026, following an extortion attempt. The incident, attributed to the Shiny Hunters group, is reported to have exposed email addresses and summary 2024 tax figures for roughly 50,000 users.
Waltio said it detected the intrusion on Jan. 21 and filed a criminal complaint on Jan. 23, 2026 for attempted extortion and unauthorized access. The company also notified France’s data protection authority, CNIL, and initiated an external security review while keeping services operational.
What data appears exposed
Waltio stated the leaked elements are limited to user email addresses and aggregated tax-report summaries, including gains, losses, and account balances as of Dec. 31, 2024. The company emphasized that passwords, exchange API keys, wallet addresses, transaction histories, and banking details were not compromised.
At the same time, attackers claimed access to balances and earlier chatter suggested some data could be offered for sale on dark-web forums. That discrepancy is now a key dependency for the investigation because it determines whether the exposure is primarily a phishing vector or a broader financial targeting risk.
Threat implications for users and institutions
The Paris Public Prosecutor’s cybercrime unit and France’s National Cyber Unit are leading the probe, and authorities have issued warnings about impersonation and phishing campaigns aimed at crypto holders. Law enforcement messaging has focused on criminals exploiting exposed contact data to mimic support teams or officials and pressure victims into disclosing credentials or sending funds.
Police also highlighted the risk of so-called “wrench attacks,” referring to violent extortion intended to force crypto transfers, and cited attempted kidnappings in France on Jan. 14, 2026 and Jan. 23, 2026. While no direct link to the Waltio incident has been confirmed, officials warned that exposed emails paired with summary balances can materially increase targeting probability.
Waltio advised users to harden their posture by enabling two-factor authentication, separating crypto-related email accounts, and verifying any outreach by cross-checking security codes in account profiles. In governance terms, the guidance is designed to reduce successful social-engineering conversion rather than mitigate a direct key-compromise scenario.
For traders and corporate treasuries, the immediate exposure is fraud and coercion risk rather than wallet theft via leaked keys, based on Waltio’s stated scope. Stakeholders will now monitor prosecutors’ findings and CNIL’s assessment because those outcomes will shape regulatory consequences, counterparty confidence, and how information-risk is priced across crypto service providers.