cryptopolitan.com
Cybercriminals are taking advantage of tax season to trick people who own cryptocurrency into giving them their wallet seed phrases by making fake government websites.
There are phishing campaigns going on in many countries. Kaspersky researchers found fake sites that were copying tax offices in Germany, France, Austria, Switzerland, Brazil, Chile, and Colombia.
The German and French schemes are aggressive. Hackers tell crypto holders that EU rules require them to “verify” their holdings or risk fines of up to €1 million.
Fake tax portals demand crypto wallet seed phrases
There is a consistent pattern to the attacks that target cryptocurrencies. Victims end up on sites that look like real tax sites, like Germany’s ELSTER portal or a fake “Crypto Tax Compliance Portal” that looks like France’s Ministry of Economy and Finance.
The sites tell users that their crypto earnings are tax-free, but only after they go through a “verification” process.
At the end of that process, the victim is asked for their seed phrase, which is the recovery key that gives them full control over a cryptocurrency wallet.
Kaspersky says that the fake German site is aimed at users of Ledger, Trezor, Trust Wallet, MetaMask, Phantom, Coinbase, and other well-known wallet services.
The French version also tries to empty accounts on MetaMask, Binance, Coinbase, Trust Wallet, and WalletConnect.
The sites use threats of legal action if people don’t comply with the request. This is a way to get around the basic security instinct that tells people never to share a seed phrase.
Crypto holders are not the only targets.
Kaspersky found a larger number of phishing sites in the same countries that were stealing personal information from regular taxpayers. One fake site in Chile promised a tax refund of about $375, but then took money directly from the victim’s credit card.
In Colombia, fake government websites tricked people into downloading ZIP files that were password-protected and installed malware on their devices.
A French campaign pretended to be a tax auditor and sent out a PDF with malware instead of an official document, warning people about incomplete income filings.
In Brazil, scammers set up websites that claim to help people file their taxes for a fee. They then collect names, phone numbers, addresses, birth dates, email addresses, and taxpayer identification numbers (TINs).
Kaspersky said that giving out a TIN makes victims vulnerable to fake loan applications, hacked government accounts, and more social engineering attacks.
A growing threat environment for crypto holders
Tax phishing schemes expose crypto holders to danger from multiple sides.
In January 2026, French crypto tax application Waltio disclosed that hackers from the group “Shiny Hunters” claimed to have stolen personal data from ~50,000 users, according to Cryptopolitan’s reporting at the time.
Waltio, which helps users calculate capital gains for tax filings, said the stolen information included email addresses and data about crypto balances. France has seen a string of crypto-related kidnappings and home invasions in recent months, partially driven by leaked holder information.
In April 2026, Kaspersky’s Global Research and Analysis Team (GReAT) said that a new remote access Trojan called CrystalX, which is sold as a subscription service on Telegram, has clipboard-monitoring features. Hackers use such features to catch copied wallet addresses and replace them with addresses controlled by the attacker.
The malware also takes passwords from browsers, Steam, Discord, and Telegram, and lets hackers control infected devices from anywhere.
A real tax authority will never ask for a cryptocurrency seed phrase. There are no “wallet verification” portals for government agencies, and EU rules don’t require crypto seed phrases for any reason.
People shouldn’t download files from emails that claim to be from tax officials. They should also, by default, consider any site that promises tax-free crypto earnings to be a scam.