Exclusive. Waltio: behind the scenes of a hidden security flaw

In the world of digital assets, the inviolability of blockchain and the robustness of cryptographic protocols are often touted. Yet for companies operating in this sector, the most critical risk lies not in the blockchain itself, but in the traditional infrastructure layers.

A series of major flaws at Waltio, which The Big Whale is able to reveal, is a stark reminder: the security of customer data remains neglected by many services, turning poorly protected databases into veritable directories for organised crime.

The French start-up, founded in 2019, provides a tax return assistance tool for taxpayers holding digital assets. It claims 80,000 customers, some of whom have very large assets.

According to our information, it was the victim of an intrusion into its systems in the first quarter of 2025.

Unlike another event on 21 January 2026, this one was never communicated.

$550,000 stolen from Waltio's treasury

During this attack, crypto-assets belonging to the company were stolen via the recovery of a "seed" stored in Waltio's online tools (a kind of password allowing access to funds).

6.18 bitcoins were stolen from the treasury, equivalent to almost $550,000 at the current price. "We can neither confirm nor deny this information," Pierre Morizot, the start-up's boss, replied to us in an email.

In addition, it is highly likely that the hackers also gained access to customer data: Waltio's system did not provide for segregation between company and customer data (mainly email addresses linked to crypto wealth balances).

We are able to state that the company called in a cybersecurity firm, again in the first quarter of 2025, with the aim of getting to the bottom of this matter.

The latter's investigation could not get very far because of one major problem: Waltio had not put in place a procedure for analysing the digital traces left by the platform's administrators.

As a recommendation, the audit firm suggested changing the entire system because Waltio was "blind" to everything that could be happening.

"The BA-BA of IT security and segregation needed to be installed, including log feedback and a compliant access policy for a company that manages such sensitive data," a source who witnessed the situation tells The Big Whale.

But the most important question is: what data was stolen?

For its boss Pierre Morizot: "There is absolutely no link between the company's funds and the product. These are two totally decorrelated technological infrastructures that don't communicate."

"It was Waltio's global infrastructure that was at risk. Admittedly, the company's CRM and its wallet are decorrelated, but a vulnerability in the company's global access allowed the hackers broad access to its various tools," insists our source.

"The only thing we know for sure is that there was a compromise due to the theft of the cryptos," stresses this witness. "But given that nothing was segregated in the overall infrastructure, this implies that the customer file was highly at risk at the time of the attack."

Under the European RGPD regulation, a company has an obligation to report the situation to the CNIL and to warn its customers if personal data is affected and especially if there is a risk to individuals.

When asked about this, Waltio was unable to provide evidence that this incident had been reported.

"This hacking is in a grey area: the absence of logs makes it impossible to establish with certainty what happened, which could explain why they consider there is nothing to communicate," an expert points out.

Paris public prosecutor's office investigates new attack

After rumours spread on social networks at the end of December 2025, claiming that its customer file was on hacker forums (denied by the company), Waltio was the subject of a communication on 22 January 2026 from the Paris Public Prosecutor's Office.

This states that crypto-asset operators have "recently been victims of personal data leaks".

There is mention of "an ongoing investigation concerning the company Waltio".

This is confirmed by the company on 23 January 2026, which refers to an intrusion that occurred in its systems on the night of 21 January 2026:

"The data exposed concerns a limited scope linked to the generation of 2024 tax reports, closed on 31/12/2024. In cases where the tax report is complete, the following can be found: the user's email address, aggregated data from the 2024 tax report: gains and losses, balances at 31/12/2024 depending on the structure of the report," it explains in a statement.

No reference is ever made to the incident in the first quarter of 2025.

These episodes come against a searing backdrop, at a time when a wave of attacks on crypto-asset holders is sweeping across France. Since 1 January 2025, nearly 30 cases have been reported by the media, some of them particularly violent (all counted here).

There have been at least seven since the start of 2026, to which we must add the aborted attack targeting a Parisian couple working in the sector.

Tax declaration assistance tools at the centre of covetousness

For criminal networks seeking to accumulate private data on crypto-asset holders, companies such as Waltio are certainly prime targets.

According to sources close to the investigation, its competitors Koinly and BlockPit have been suffering waves of computer and phishing attacks for several months.

But Waltio appears to be the most affected.

A flaw via Google registration on the platform has also reportedly been exploited.

In plain English, if a hacker knew the email address of a Waltio customer who had signed up via their Gmail account, it was possible to easily access their Waltio interface and therefore all their information.

When asked about this, Pierre Morizot said, "As we have already communicated on two occasions (in October 2025 to the users concerned and then on 24 December 2025 publicly on X), we can confirm that Waltio experienced a security incident in October 2025 involving 216 accounts, or less than 0.2% of our user base. On the day it was discovered, all affected users were informed and the CNIL was notified."

According to him, the flaw was resolved "immediately in October 2025", also specifying that the company "does not manage its users' funds".

Waltio does not store names or physical addresses either, only emails and information about its customers' crypto assets. But this information is particularly critical and can be easily cross-checked with other recent data leaks (telephone operators, France Travail, e-commerce sites, sports federations, etc.).

At the end of the day, hackers are able to compile complete directories of crypto-asset holders (name, physical address, telephone number, etc.) to which they can link an amount of wealth in digital assets and in some cases details of their transactions.

These people are then the subject of telephone calls during which the criminals attempt to scam them.

A process confirmed by the Paris Public Prosecutor's Office, which also mentions calls from bogus law enforcement officials (police officers, gendarmes, customs officers, magistrates), whose aim is to obtain additional information about the holders or even sensitive documents or objects (means of payment, recovery keys ("seeds"), valuable goods, etc.).

The Paris Public Prosecutor's Office also mentions calls from bogus law enforcement officials (police officers, gendarmes, customs officers, magistrates), whose aim is to obtain additional information about the holders or even sensitive documents or objects (means of payment, recovery keys ("seeds"), valuable goods, etc.).

For the very wealthy, this information can even be the source of particularly violent attacks on their homes. This is particularly true for the customers of Waltio (and similar companies) whose financial lives are now exposed.

By handling highly critical data without the proper encryption or segmentation protocols, these companies will continue to be subject to recurring and increasingly sophisticated attacks.

"In order to protect this data as effectively as possible, we have implemented strict security controls, which are regularly audited by a leading firm as part of our SOC 2 certification," says the head of a similar company approached as part of our survey.

Before adding, "In addition to these audits, these controls are also subject to regular security tests, including internal (2 per year) and external (1 per year) penetration tests."

Waltio assures us that it is in the process of implementing this type of security, after an initial reinforcement carried out during 2025.

At a time when leaked data is making it possible to locate and identify precisely the wallets with the most money, the line between cyber risk and physical security is blurring. The upsurge in targeted attacks shows that data has become the most toxic asset if poorly curated.

For targeted companies, these cases reinforce the fact that technical due diligence on data curation is now as crucial as auditing smart contracts.

‍