Crypto scammers now masquerading as European tax authorities


Crypto has already become part of everyday life for millions: the ecosystem keeps growing as more businesses are accepting these digital payments. Unfortunately, where there’s money, there’s a scam.

According to Group-IB, a cybersecurity company that builds tools to help fight digital crime, scammers are now using fake emails, allegedly from tax authorities, to fool European taxpayers – the ones who are holding crypto – and steal their assets with the help of crypto drainers.

These are designed to quickly empty crypto wallets automatically by siphoning off either all or the most valuable assets they contain.

Scammers “know the ecosystem is still full of confusion, especially around regulation and taxes. And they’ve found ways to use that to their advantage,” said Group-IB in a blog post.

Researchers say that in early 2025, they detected a large crypto drainer scam campaign in Europe that impersonates official tax authorities and tricks users into handing over access to their crypto wallets.

This threat primarily targets Dutch residents, impersonating Belastingdienst (the Dutch Tax Authority) and MijnOverheid, the official government portal that provides residents with access to personal records and emails from authorities.

To elaborate, an email appearing to come from Belastingdienst or MijnOverheid tells the recipient they need to complete a special declaration form for their crypto assets due to new tax regulations.

According to Group-IB, scammers use pressure tactics by setting short deadlines and threatening victims with fines if they don’t comply.

The tricky factor that might indeed confuse victims is the fact that in the Netherlands, you do actually need to declare your crypto assets. However, no special separate form is needed.

“Unfortunately, not everyone knows that and attackers are counting on the fact that people are not willing to risk a fine for getting it wrong and exploiting this fear,” said Group-IB.

The email contains a URL that leads the victim to the next link in the attack chain – a phishing website mimicking the Dutch government portals.

The visitor is typically asked to enter a range of personal details such as their full name, home address, date of birth, email, phone number, bank account number, and, most importantly, their crypto wallet provider.

In some cases, the victim is also asked to indicate the amount of crypto assets in their wallet. There are two ways for the scammers to get hold of these assets.

Under the first scenario, some phishing websites prompt the user to enter their wallet’s seed phrase, consisting of 12 or 24 words. The moment it’s submitted, it’s sent directly to a Telegram bot controlled by the attacker. The seed phrase may also be exfiltrated to the admin panel.

“With those 12 words, the attacker can restore access to the wallet – in cases where the wallet is based on a standard seed phrase model. From there, draining the victim’s assets takes only seconds,” explained Group-IB.

In another version of the phishing kit, the scammers go one step further by implementing the WalletConnect feature, specifically to interact not only with traditional wallets, but with smart contract wallets as well – which can’t be accessed through a seed phrase.

The victim scans a QR code to connect their wallet and “declare their assets”. If they do so, the connection between the victim’s wallet and a malicious website is established.

Then, an Inferno drainer script sends a transaction or approval request – often presented as something harmless, like verifying ownership or connecting the wallet. Once the victim approves it, it drains the account.
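What such an "approval request" can actually contain, as an added example that is not from Group-IB or the original article: assuming the request is a call to an EVM token contract, the code below decodes the pending transaction's calldata and reports what approving it would grant. The function selectors are the standard ERC-20/ERC-721 ones; the spender addresses and calldata strings are constructed samples, and `describe_request` is a hypothetical helper name.

```python
MAX_UINT256 = 2**256 - 1

# Standard selectors: first 4 bytes of keccak256 of the function signature.
GRANTING_CALLS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
}

# Constructed samples (assumption: spender addresses are placeholders).
SAMPLE_UNLIMITED = "0x095ea7b3" + "0" * 24 + "11" * 20 + "f" * 64
SAMPLE_NFT_ALL = "0xa22cb465" + "0" * 24 + "22" * 20 + "0" * 63 + "1"


def describe_request(calldata_hex):
    """Return what a pending request would grant, or None if it is not
    one of the known permission-granting calls."""
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    signature = GRANTING_CALLS.get(data[:8])
    if signature is None:
        return None
    args = data[8:]
    if len(args) < 128:  # two 32-byte ABI words are required
        raise ValueError("truncated arguments for " + signature)
    spender = "0x" + args[24:64]   # address is the low 20 bytes of word 0
    value = int(args[64:128], 16)  # amount or boolean flag in word 1
    result = {"function": signature, "spender": spender,
              "grants_access": value != 0}
    if signature.startswith("setApprovalForAll"):
        result["scope"] = ("every token in the collection" if value
                           else "revoked")
    elif value == MAX_UINT256:
        result["scope"] = "unlimited"
    else:
        result["scope"] = "%d base units" % value
    return result


if __name__ == "__main__":
    for sample in (SAMPLE_UNLIMITED, SAMPLE_NFT_ALL):
        print(describe_request(sample))
```

A request that decodes to an unlimited `approve` or a `setApprovalForAll` for an unfamiliar spender gives that address control over the tokens, whatever label the website puts on the prompt.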

It’s safe to say that the single most important recommendation by the researchers is to never share your crypto wallet’s seed phrase – and to remember that no government agency will ever ask for it.

Besides, you should always pay attention to the sender of the email and double-check the URL of any website before entering any sensitive information there.