A Bitcoin exchange is taking the French government to its own supreme court over a European data-sharing law — and the argument it’s making goes well beyond tax policy. Bull Bitcoin, the Montreal-founded, France-licensed exchange, has filed a formal legal challenge targeting DAC8 crypto surveillance rules that it says will get people killed.
- Bull Bitcoin has filed a legal challenge in France’s supreme court to annul DAC8 crypto surveillance rules introduced by Decree No. 2025-1276.
- DAC8 crypto surveillance creates centralised data honeypots that criminals could exploit, exposing holders to kidnapping and physical violence.
- France recorded the second-highest number of physical attacks on crypto users globally, with high-profile incidents involving Ledger co-founder David Balland.
- More than half of violent crypto incidents in 2026 targeted family members of holders, potentially placing 40–135 million Europeans at risk.
Table of Contents
What Bull Bitcoin Is Actually Challenging
The case centres on Decree No. 2025-1276, the French instrument that transposes the EU’s DAC8 directive into national law. Bull Bitcoin filed its challenge before the Conseil d’État — France’s highest administrative court — asking judges to annul the decree outright. That’s a significant move. You don’t walk into the Conseil d’État asking for a tweak to the wording; you’re asking the state to reverse course entirely.
The company has simultaneously launched dac8.com, which it describes as “a complete, fully sourced resource for citizens, journalists and policymakers.” That dual approach — courtroom plus public-facing information campaign — signals this is as much a political play as a legal one. Bull Bitcoin wants the conversation to shift from abstract DAC8 crypto surveillance compliance to something more visceral: personal safety.

The directive itself is part of the EU’s broader push to bring crypto into the same tax-reporting framework as traditional financial assets. Under DAC8 crypto surveillance requirements, crypto-asset service providers (CASPs) are required to collect and report detailed user data — names, addresses, transaction volumes, asset holdings — which is then shared across EU member-state tax administrations. The stated goal is to close tax-evasion loopholes. The unintended consequence, Bull Bitcoin argues, is a sprawling, multi-country database of people who own valuable, easily transferable, and completely irreversible digital assets.
The Honeypot Problem Nobody in Brussels Wants to Talk About
There’s a concept in cybersecurity called a honeypot — a concentration of valuable data so attractive that it draws attackers like moths to a flame. DAC8 crypto surveillance, in Bull Bitcoin’s analysis, turns a collection of well-incentivised private companies (who have real regulatory and reputational skin in the game when they suffer a breach) into a single, sprawling administrative network where accountability is diffuse and access is broad.
The company’s logic is straightforward: regulated CASPs operating under MiCA, DORA, and GDPR face financial penalties and reputational damage if they’re hacked. That creates a genuine incentive to invest in security. An inter-governmental DAC8 crypto surveillance data-sharing network doesn’t face the same market discipline. The security of the whole chain, Bull Bitcoin notes, is only as strong as its weakest link — and in a system spanning dozens of national tax administrations with varying IT infrastructure and staffing, that weakest link might be very weak indeed.
The recent breach history of French government systems alone makes the concern hard to dismiss. In April 2026, the French National Agency for Secure Credentials (ANTS, also known as France Titres) suffered a breach exposing data from up to 11.7–19 million accounts — including full names, dates of birth, email addresses, and postal information. Months earlier, the French National Bank account registry was compromised, leaking IBANs, account holder names, and tax identification numbers for approximately 1.2 million people. Neither of these databases was supposed to be a soft target, and yet here we are.
Zoom out to the US for broader context and the picture is grimmer still. The 2017 Equifax breach affected 147 million Americans. The 2024 National Public Data breach hit over 200 million. The 2015 Office of Personnel Management hack exposed social security numbers and medical records for a substantial chunk of the federal workforce. These aren’t edge cases — they’re the baseline expectation for large-scale data infrastructure over time. DAC8 crypto surveillance infrastructure would be subject to the same threat environment.

DAC8 Crypto Surveillance and the Very Real Violence Connection
This is where Bull Bitcoin’s legal challenge gets genuinely alarming. France isn’t just a regulatory battleground for crypto — it’s also, per the available data, one of the most dangerous places in the world to visibly own Bitcoin. According to Gart, a company that tracks physical attacks on crypto holders, France ranks second globally for such incidents behind only the United States, which has a population roughly five times larger. That’s a deeply unflattering per-capita figure.
The incidents aren’t hypothetical. Binance France CEO David Prinçay was targeted. Ledger co-founder David Balland was kidnapped — and lost a finger during the ordeal. These are high-profile cases that made headlines, but Jameson Lopp, co-founder of the high-security wallet company Casa, has been maintaining a GitHub database of so-called “wrench attacks” for years, and the trend line is pointing in one direction: up.
The connection to DAC8 crypto surveillance data exposure isn’t hard to trace. Crypto holders who dutifully report their assets to tax authorities are, in effect, notifying the state — and potentially, through any subsequent breach, criminal networks — that they own a significant store of value that can be transferred internationally within minutes and that no bank can reverse. Organised crime has noticed. Unlike a bank robbery, where the stolen funds can be frozen and potentially recovered, a forced crypto transfer is permanent. That asymmetry makes crypto holders uniquely attractive targets.
The Argument That DAC8 Undermines Its Own Goals
Bull Bitcoin also makes an argument that policymakers would do well to engage with seriously: DAC8 crypto surveillance may actually make tax collection harder, not easier. If users believe that registering with a regulated exchange exposes them and their families to physical harm, a rational response is to exit the regulated system entirely. That means peer-to-peer trading platforms, home mining, and offshore exchanges operating outside EU jurisdiction — all of which are harder to monitor and tax than a MiCA-licensed CASP filing regular reports.
It’s a classic regulatory overcorrection risk. Push too hard on compliance through data aggregation, and you drive the behaviour you’re trying to monitor underground. The EU has form here — overly punitive AML requirements on traditional banking pushed some customers toward less regulated fintech alternatives, and the same dynamic could play out in crypto at scale. Critics of DAC8 crypto surveillance point to exactly this perverse incentive structure.
The Family Risk Nobody Signed Up For
Perhaps the starkest element of Bull Bitcoin’s case is this: the people most at risk from DAC8 crypto surveillance may never have bought a single satoshi. Citing data from blockchain security firm Certik, Bull Bitcoin highlights that more than half of violent incidents recorded against crypto owners in 2026 targeted a family member — a spouse, child, or elderly parent — either as the direct victim or as leverage to coerce the actual key holder.

Bull Bitcoin estimates that between 40 and 135 million Europeans fall into this physical-risk zone purely by familial association with someone who holds crypto assets. None of those people consented to having their indirect connection to digital assets logged in a cross-border administrative database. That’s a civil liberties argument that goes far beyond the typical crypto-regulation debate, and it’s one that’s much harder for Brussels to brush off than the usual libertarian objections to financial oversight.
What Happens Next
The Conseil d’État will now have to decide whether to hear the case on its merits — and if it does, whether French administrative law provides grounds to annul a decree that implements an EU directive. That’s legally complex territory; French courts can’t simply override EU law, but they can examine whether the transposition itself is proportionate or introduces domestic harms beyond what the directive requires.
Bull Bitcoin’s timing is notable. The company was just licensed under MiCA by France’s financial markets regulator, the AMF. Filing a high-profile legal challenge against the government within months of receiving that licence takes a certain confidence. It also makes clear that compliance with one part of the EU’s crypto framework doesn’t mean blanket acceptance of every element of it.
Whether or not this challenge succeeds in court, it’s already framing a debate that the EU’s DAC8 crypto surveillance architects haven’t had to engage with directly: what happens when well-intentioned tax transparency policy creates a documented, traceable pipeline from government database to criminal target list? That question isn’t going away, and Bull Bitcoin has just made sure it’s very hard to ignore.
Source: Bitcoin Magazine
Frequently Asked Questions
What is DAC8 crypto surveillance and why is it controversial?
DAC8 is a European Union directive requiring crypto-asset service providers to report detailed user data to tax authorities across member states. Critics like Bull Bitcoin argue it creates centralised databases that are very difficult to fully secure, turning sensitive financial data into a target for hackers and organised criminals.
What legal action has Bull Bitcoin taken against DAC8?
Bull Bitcoin filed a challenge before the Conseil d’État, France’s supreme administrative court, seeking to annul Decree No. 2025-1276 — the French law that transposes DAC8 into national legislation. The company argues the decree creates a massive surveillance grid that puts civilians at risk of kidnapping and physical harm.
How do DAC8 data breaches connect to physical attacks on crypto holders?
When user data leaks from centralised government or financial databases, criminals can identify crypto holders and their approximate wealth. Because crypto transactions are irreversible, attackers use physical coercion — so-called wrench attacks — to force victims to transfer funds, a trend that is accelerating across Europe.
Does DAC8 crypto surveillance affect people who don’t own any cryptocurrency?
Yes. Bull Bitcoin cites Certik data showing that more than half of violent incidents against crypto owners in 2026 targeted a family member — spouse, child, or elderly parent — as a direct victim or as leverage. The company estimates 40 to 135 million Europeans fall into this risk zone.

