The regulatory moment
Between 2025 and 2027, three global crypto-tax reporting regimes come online. Together with existing surveillance authorities, they create mandatory data pipelines that authoritarian regimes — and breach actors — will weaponize.
IRS Form 1099-DA
Crypto brokers must report every user's name, address, TIN, and transaction history to the IRS. Cost-basis reporting becomes mandatory on January 1, 2026.
irs.gov — Form 1099-DA final rule
DAC8 Directive
EU directive mandating automatic exchange of crypto-asset information between member-state tax authorities. Reporting Crypto-Asset Service Providers must collect and share user TINs, wallet addresses, and transaction data.
ec.europa.eu — DAC8
CARF Framework
Global framework extending DAC8-style reporting across non-EU jurisdictions. Makes cross-border crypto transaction surveillance a default.
oecd.org/tax/crypto-asset-reporting-framework
These frameworks were designed for tax enforcement in democracies. In authoritarian regimes, the same data pipelines will be repurposed — not for taxes, but for dissident lists, asset freezes, and targeted retaliation. Software that collects this data at rest becomes the targeting database, whether its operators intend that or not.
The quieter problem: secret access
Most of these regimes share a feature people rarely talk about: gag orders. Under U.S. law (18 U.S.C. § 2705(b)) and equivalent provisions worldwide, governments can compel a cloud provider to hand over your data and order them not to tell you. Microsoft, Google, Apple, and Verizon all receive these orders routinely; companies usually publish only aggregate counts, never per-user notice. You may never learn that your records left the building.
The architectural answer
The only architecture that survives gag orders, dictator-co-opted compliance regimes, and breach actors at once is one where the operator has nothing to hand over — not “nothing worth hiding,” nothing at all. That's what zero-knowledge architecture delivers, and that's why we ship now. Every Bitcoin application built on these libraries is structurally subpoena-resistant before the first regime — or the first attacker — comes asking.