LONDON: New regulations threaten the security of the personal data of cryptocurrency users and may expose them to "physical danger", the platform at the centre of last week's Paris kidnapping attempt has claimed.

"A ticking time bomb," said Alexandre Stachtchenko, director of strategy at French platform Paymium, referring to the way information must now be collected during cryptocurrency transfers under EU rules.

He did not directly link this to a kidnapping attempt on Tuesday which, according to a police source, targeted the daughter and grandson of Paymium's chief executive.

"If there is a leak of one of these databases from which I can find out who has money and where they live, then the next day it is on the dark web, and the day after there is someone outside your home," Stachtchenko said.

Data theft is commonplace. On Thursday, the leading cryptocurrency exchange in the United States, Coinbase, said criminals had bribed and duped their way into stealing digital assets from its users, then tried to blackmail the exchange to keep the crime quiet.

Instead of paying up, Coinbase informed US regulators about the theft and made plans to spend between US$180mil (RM776mil) and US$400mil (RM1.7bil) to reimburse victims and handle the situation.

Name and address

Following the kidnapping attempt, Paymium issued a statement urging authorities to immediately reinforce the protection of companies within the sector, after other similar incidents this year.

Founded in 2011 and presenting itself as a European pioneer of bitcoin trading, Paymium also cited "the highly dangerous aspects of certain financial regulations, either recently adopted or in the making".

It added: "With the unprecedented organisation of massive and sometimes disproportionate collection of personal data, public authorities contribute to putting the physical safety of millions of cryptocurrency holders in France, and more widely in Europe, at risk."

In its sights are rules which came into force at the end of 2024 and which extended the Travel Rule in place for traditional finance transfers to include crypto assets.

The rules now require platforms to gather details about the beneficiary and, in return, transmit certain information about the customer to the receiving institution, including their name and postal address.

Also to be disclosed is the "address" of a customer's cryptocurrency wallet, which shows details of their account and transactions, said Stachtchenko.

Such sensitive data is sometimes exchanged and stored insecurely by certain players.

Regulatory changes to tighten the rules on the crypto sector aim to "prevent the financial system from being used for corruption, money laundering, drug trafficking" among other criminal activities, said Sarah Compani, a lawyer specialising in digital assets.

'Nouveau riche'

Data collection is carried out by parties including banks, insurance companies and crypto-service providers, which are "supervised" and subject to heavy "security obligations, particularly IT and cybersecurity", said William O'Rorke, a lawyer at cryptocurrency firm ORWL.

In 2027, European anti-money laundering regulations will restrict the use of wallets and cryptocurrencies that allow the holders to remain anonymous.

It follows a French law adopted last month to fight narcotrafficking, which targets anonymisation devices such as the cryptocurrency "mixers" used to render funds untraceable.

There are many "legitimate interests" in having such tools however, said cybersecurity expert Renaud Lifchitz.

He noted that they are sometimes used by journalists, or by activists opposed to an authoritarian regime which controls the traditional banking system.

The debate is more "political" than "security-related", argued O'Rorke.

The recent kidnappings and attempted kidnappings can be explained above all by a "somewhat nouveau riche" and "ill-prepared" cryptocurrency sector, he said.

Since 2014, software developer Jameson Lopp has recorded 219 physical attacks targeting cryptocurrency users. – AFP