Security Notice – January 23rd
Dear users,
On the night of January 21, 2026, we were informed of a particularly sophisticated attack from a malicious actor claiming to hold data from our users and providing a sample to verify its authenticity. Upon receiving this message, we immediately triggered our incident management procedures, mobilized our technical team and legal counsel, and engaged external experts to analyze the situation with the highest level of scrutiny. We wish to be transparent about several points: what happened, which data is affected, which is not, and what this concretely changes for you.
What happened?
Our investigations show that this is not an active intrusion into our current production infrastructure. Waltio services are operating normally; user accounts and the production infrastructure are secure. Initial internal investigations indicate that the causes of this intrusion have been resolved.
Which data is affected?
Our analysis confirms that this volume is plausible. The exposed data concerns a limited scope related to the generation of 2024 tax reports, as of 12/31/2024. In cases where the tax report is complete, it may include:
- The user’s email address.
- Aggregated data from the 2024 tax report: gains and losses, balances as of 12/31/2024 according to the report structure.
A significant portion of the records corresponds to incomplete reports: for these users, the information present would be more limited (for example, counters such as the number of accounts and number of transactions), without complete tax results (no balance and no calculation of gains and losses).
Which data is NOT affected?
I want to be very clear: no data allowing access to your crypto-assets has been compromised. The following are not affected:
- Your passwords
- Exchange API keys
- Wallet addresses
- Detailed transaction history
- Any information allowing the movement of funds
- Banking data (IBAN, credit card)
As a reminder, Waltio does not possess any personal data other than your email. We do not ask for any information regarding your identity (first name, last name, postal address, phone number, date of birth).
How to protect yourself against social engineering?
The main risk following this incident is not a technical risk of fund theft. The primary risk is targeted scams: phishing, phone calls, SMS, and impersonation of customer services. Some attackers may use contextual elements (for example, the existence of a tax report or aggregated information) to appear credible. Please remember that:
- We will never ask you to perform a transfer “to secure” your funds.
- We will never ask for sensitive information via phone, SMS, or an unexpected link.
- Be particularly wary of incoming calls and messages urging you to act quickly.
As stated previously, Waltio does not hold your phone number or postal address. Therefore, we will never call you, nor will we send you SMS or physical mail.
If you doubt the authenticity of a Waltio email, we invite you to verify the security code at the bottom of each of our marketing emails. Compare this series of words with the one shown in your account, under the “Profile” tab, then “Preferences.”
As a precaution, we also recommend:
- Strengthening your email security (unique password and two-factor authentication).
- Using a dedicated email for your crypto services, separate from your personal identity.
What we are doing, starting now
Our priority is twofold: to precisely understand the scope of the attack and to protect you. We have initiated and are continuing the following actions:
- In-depth technical investigations.
- Full review of historical configurations.
- Mobilization of external cybersecurity experts to qualify the incident and assist us in the analysis.
- Continuous reinforcement of our security practices and controls.
- Sending direct communication to potentially affected users with clear and operational recommendations.
- Notification sent to the CNIL.
- Filing a complaint and active exchanges with investigators from the national cyber unit of the French Gendarmerie.
Following an investigation, we identified that the leak was caused by a database management tool. The issue has been resolved by permanently decommissioning this tool. Subsequent technical audits were conducted to confirm the application’s security.
Transparency and Responsibility
We fully understand the concern that this type of event can generate. We deeply regret this situation. We will provide a dedicated FAQ with answers to the most frequent questions as soon as possible. For any questions related to your data, our Data Protection Officer remains at your disposal via [email protected]. Our Support team is also available at [email protected].
Sincerely,
Pierre Morizot – CEO