€1M Fine Threats: Tax Scams Target Crypto Wallets in 2026

- Phishing campaigns impersonate tax authorities to steal crypto wallet seed phrases - CrystalX malware enables remote takeover of devices and hijacking of digital funds On April 29, 2026 (UTC), Kaspersky reported that cybercriminals exploited the tax season with multinational phishing and malware campaigns aimed at crypto wallet holders and taxpayers in Germany, France, Austria, Switzerland, Brazil, Chile, and Colombia. The firm stated that attackers impersonated official tax authorities and cloned portals, including Germany’s ELSTER and France’s Ministry of Economy and Finance. They then used these fake sites to deceive users into revealing crypto wallet seed phrases during fraudulent “verification” processes. In addition, the attackers threatened victims with fictitious European Union regulations and fines of up to €1 million, creating pressure and urgency to surrender sensitive wallet data that enables full access to digital assets. According to Kaspersky, Latin American users faced particularly aggressive tactics as attackers deployed the “CrystalX” remote access Trojan (RAT) via ZIP files disguised as tax documents. This malware reportedly allows attackers to monitor clipboards, hijack crypto addresses, steal passwords, and remotely operate infected devices. Brazilian and Chilean taxpayers faced additional risks, as cybercriminals abused tax refund services to collect credit card numbers and taxpayer IDs, and they then directly debited accounts and set up long-term identity fraud. Kaspersky also highlighted a major breach in January 2026 that was linked to the Shiny Hunters group and targeted French crypto tax software Waltio, compromising approximately 50,000 users. The firm noted that stolen data was reportedly leveraged in physical crimes, including kidnappings targeting exposed crypto holders, which illustrates how digital breaches can escalate into real-world threats. Furthermore, attackers used sophisticated visual branding, persuasive language, and counterfeit security features on fake government sites, and they directly targeted wallet providers such as Ledger, Trezor, Trust Wallet, MetaMask, Phantom, Coinbase, Binance, and WalletConnect. Because a wallet’s seed phrase offers total asset control, victims who disclosed this information suffered irretrievable losses. Meanwhile, malware-as-a-service offerings such as CrystalX, which are sold on platforms like Telegram, have further increased the scale and sophistication of these scams. Kaspersky’s findings indicate that 2026 tax season scams are escalating threats, as these campaigns combine financial theft, identity fraud, and broader cybersecurity risks for both the crypto ecosystem and the general public. As a result, the attacks highlight the urgent need for vigilance and heightened user awareness during tax processing periods, particularly when interacting with supposed government platforms and tax-related communications.