French tax officials sell identity data, leading to an attack on the supervisor in Montreuil

A tax employee in Bobigny exploited internal software to compile profiles on crypto experts, billionaire Vincent Bolloré, prison guards, and a judge. This individual then sold the information to criminals, who paid 800 euros to organize an attack on a guard at his private residence in Montreuil.

The defendant’s appeal was rejected on January 6th, according to local media.

The case is notable not only for the criminal behavior but more importantly for how the targets were chosen. The new vector of attack is no longer doxxing on Telegram or compromised exchanges, but privileged access to the state’s identity system – where a single query can link a person’s name to their address, phone number, and family structure.

In 2024, the French National Police Inspectorate recorded 93 investigations related to breach of professional secrecy and 76 cases of unauthorized data redirection. The agency describes the phenomenon of buying and selling access to state databases via social media and the dark web as an “uberization” of record trading.

A separate investigation by TF1 uncovered a “service menu” operating on Snapchat: 30 euros for vehicle registration lookup, 150 euros for wanted list checks, and 250 euros for unblocking illegally seized vehicles. Bank transactions related to a suspect ranged from 15 to 5,000 euros.

Crypto security models rely on the immutability of transactions and self-custody to eliminate risks from intermediaries. However, once an attacker obtains real-world identity, the problem shifts from cryptography to coercion.

This can be seen as the “max extractable value” (MEV) in real life – IRL MEV. On the blockchain, MEV comes from seeing transaction flows in advance. In the physical space, value is exploited by observing identity graphs and choosing the cheapest coercion route.

Illegal database lookup services are sold at transparent prices: 30 euros for vehicle registration, 150 euros for wanted list checks, 250 euros for unlocking vehicles. The illegal data lookup market has established a transparent pricing structure. Le Parisien reported on December 18th that attacks targeting crypto investors in France have surged, prompting the government to issue a decree in August 2025 to remove the home addresses of crypto business leaders from the RCS commercial registry.

This measure helps reduce violence and harassment risks, although law enforcement, customs, and tax authorities still retain access.

Previously, the RCS publicly displayed business leaders’ home addresses in Kbis documents – public business records. The August decree only closed one loophole. Meanwhile, the tax database remains accessible to thousands of officials, and monitoring mainly relies on detecting anomalies after incidents occur.

The tax system contains highly detailed data: addresses updated via tax declarations, phone numbers appearing in correspondence, family structures shown through dependent claims, and capital gain records linking asset types to specific individuals. TF1 reports that French tax employees can access all this data.

From an “economic” perspective, this model favors attackers: a single lookup costs only a few tens to hundreds of euros, while a successful breach can yield five or six figures.

ENISA recorded 586 incidents affecting public authorities across the EU in 2024. The main threat does not stem from sophisticated technical attacks but from insiders with legitimate access who extract data to sell on secondary markets.

EU public authorities faced 586 security incidents in 2024, while France reported 93 breaches of professional secrecy and 76 data theft investigations. Ghalia C. admitted to providing information to three individuals involved in the guard attack. The 800-euro payment indicates a service transaction. Her lookup history includes crypto experts, billionaire Bolloré, health inspectors, and a judge – showing the behavior involves selling access rights, not a single personal vendetta.

Crypto holders with profiles are high-risk – especially profitable for violent criminals. Assets are self-custodied, so they cannot be frozen by banks or reversed by courts. Large values can be transferred immediately. Reporting incidents sometimes means putting oneself in the crosshairs of tax authorities.

Removing addresses from public registry records shows institutions have recognized that physical risks related to crypto differ fundamentally from traditional finance. Banks can freeze accounts, brokers can reverse transactions, but crypto transactions cannot.

This ultimate nature has shifted the threat landscape from technical security to identity security. When identity issues are solved, coercion becomes straightforward.

France’s response to the wave of crypto attacks includes hiding addresses from 2025, but proposals for asset disclosure in 2026 pose new risks. If identity data is a scarce resource, three trends can be predicted: expanding registry security, tightening control within the state system, and ongoing internal access sales driven by economic incentives.

The paradox is that Europe is expanding crypto transparency through mandatory KYC, wallet reporting, and DeFi transaction monitoring to combat money laundering and tax evasion. These requirements create centralized databases linking identities to assets. The more complete the database, the higher its value to attackers.

France’s 2026 draft budget proposes a 1% annual tax on crypto assets over 2 million euros, requiring disclosure of both self-custodied and foreign-held assets. This inadvertently creates a “honeypot”: a list managed by the state of individuals holding large crypto assets, including addresses.

The tech community often views crypto security as key management, which is correct for on-chain attacks. But the Bobigny case shows that key management becomes meaningless when physical coercion is introduced into the threat model. Hardware wallets do not protect when attackers know the address and show up armed. The vulnerability lies in the identity layer, not the blockchain layer.

This incident exposes a covert capital market structure. Targets are unaware they have been looked up until the attacker knocks on their door.

Thach Sanh