Fake tax sites lure crypto users to hand over wallet seeds

Kaspersky warns phishing sites impersonating tax authorities in Germany, France, Austria, Switzerland, Brazil, Chile and Colombia steal wallet seed phrases from crypto owners.

Kaspersky researchers found phishing sites impersonating tax authorities in Germany, France, Austria, Switzerland, Brazil, Chile and Colombia that trick cryptocurrency holders into revealing wallet seed phrases.

The malicious sites, detected during tax season, copy the look of official tax portals and promise tax-free crypto earnings contingent on a verification step. At the end of that step the pages request the wallet seed phrase or ask users to connect wallets through interfaces that capture credentials.

Kaspersky’s analysis identified a consistent pattern across campaigns. Several German and French variants use legal threats and warnings of fines — in some cases up to €1 million — to pressure users into compliance. The fake German pages target users of Ledger, Trezor, Trust Wallet, MetaMask, Phantom and Coinbase. French variants aim to drain accounts on MetaMask, Binance, Coinbase, Trust Wallet and WalletConnect by asking users to paste seed phrases or approve transactions.

Kaspersky notes that legitimate tax authorities do not request seed phrases and that EU tax rules do not require wallet recovery keys.

The scams extend beyond crypto holders. In Chile, a fraudulent portal offered a tax refund of about $375 and then charged victims’ credit cards. In Colombia, spoofed government pages pushed password-protected ZIP files that installed malware when opened. A French campaign impersonated a tax auditor and distributed a PDF carrying malicious code. Brazilian sites offering paid tax-filing help collected names, phone numbers, addresses, birth dates, email addresses and taxpayer identification numbers.

Kaspersky warned that stolen taxpayer IDs can enable fake loan applications, unauthorized access to government accounts and further social engineering attacks.

Kaspersky’s Global Research and Analysis Team reported a remote access Trojan called CrystalX, sold via Telegram subscriptions, that monitors the clipboard to detect copied wallet addresses and replace them with attacker-controlled addresses. The malware can also harvest browser-stored passwords and credentials for services such as Steam, Discord and Telegram and grant remote control of infected devices.
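The clipboard substitution described above leaves a recognisable trace for defenders: an address-shaped clipboard value overwritten moments later by a different address of the same family, written by a different process. The following is an added detection sketch, not code from Kaspersky or from the article; the event fields, process names, time window and sample addresses are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Shape checks only (no checksum validation): enough to classify clipboard text.
ADDRESS_SHAPES = {
    "btc-legacy": re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}"),
    "btc-bech32": re.compile(r"bc1[02-9ac-hj-np-z]{11,71}"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
}

@dataclass
class ClipEvent:
    ts: float     # seconds since start of capture
    writer: str   # process that set the clipboard (assumed telemetry field)
    text: str     # clipboard content after the write

def address_kind(text):
    """Return the address family the text looks like, or None."""
    for kind, shape in ADDRESS_SHAPES.items():
        if shape.fullmatch(text.strip()):
            return kind
    return None

def find_swaps(events, window=2.0):
    """Flag an address overwritten by a different address of the same family,
    written by a different process, within `window` seconds."""
    alerts, prev = [], None
    for ev in sorted(events, key=lambda e: e.ts):
        kind = address_kind(ev.text)
        if (prev is not None and kind is not None
                and kind == address_kind(prev.text)
                and ev.text.strip() != prev.text.strip()
                and ev.writer != prev.writer
                and ev.ts - prev.ts <= window):
            alerts.append((prev, ev))
        prev = ev
    return alerts

# Constructed sample events; the addresses are shape-only placeholders.
ADDR_A, ADDR_B, ADDR_C = ("0x" + c * 40 for c in "abc")
SAMPLE = [
    ClipEvent(10.0, "browser.exe", ADDR_A),
    ClipEvent(10.4, "updater.exe", ADDR_B),   # rapid overwrite by another process
    ClipEvent(50.0, "browser.exe", ADDR_A),
    ClipEvent(95.0, "browser.exe", ADDR_C),   # user copied a second address later
    ClipEvent(120.0, "notepad.exe", "meeting notes"),
]

if __name__ == "__main__":
    for old, new in find_swaps(SAMPLE):
        print(f"{new.ts:.1f}s {new.writer} replaced {old.text[:10]}... with {new.text[:10]}...")
```

The window and the different-process condition keep ordinary copying, such as a user copying a second address a minute later, from raising alerts.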

Kaspersky cited a January 2026 incident in which attackers claimed to have obtained email addresses and information on crypto balances for about 50,000 users from a French crypto tax application. French law enforcement has reported a rise in robberies and kidnappings linked to leaked holder information.

Kaspersky recommends that users treat sites promising tax-free crypto earnings as suspicious, never share seed phrases, avoid downloading files from unexpected emails that appear to come from tax officials, use official government portals directly rather than following links, enable hardware-wallet protections and keep anti-malware software up to date.

Content on BlockPort is provided for informational purposes only and does not constitute financial guidance.
We strive to ensure the accuracy and relevance of the information we share, but we do not guarantee that all content is complete, error-free, or up to date. BlockPort disclaims any liability for losses, mistakes, or actions taken based on the material found on this site.
Always conduct your own research before making financial decisions and consider consulting with a licensed advisor.
For further details, please review our Terms of Use, Privacy Policy, and Disclaimer.
