Crypto phishing with alleged email from the Federal Central Tax Office

A current phishing wave claims discrepancies in "crypto declarations" with the Federal Central Tax Office.

Phishing mail

(Image: heise medien)


In a current phishing scam, the fraudulent emails pretend to be from the Federal Central Tax Office. They state that “discrepancies in crypto declarations have been identified.”

The letter attempts to create pressure on the recipients. “This letter serves to inform you about a mandatory measure in connection with your tax return and your crypto assets,” the phishers write in German that is not entirely flawless. According to the message, “crypto service providers are obliged to report tax-relevant data to the tax authorities. The reported information will be automatically compared with your declarations in the future.”

This reporting obligation is in fact laid down in the EU directive named DAC 8, the implementation of which was decided in Germany on December 19, 2025, and thus came into force on Christmas Eve last year. The change has not yet attracted widespread attention but could now cause uncertainty among crypto asset holders.

According to the phishing email, the data to be reported includes “identity data of taxpayers, crypto holdings and wallets, transactions, transfers, and disposals.” The fraudsters continue: “To avoid tax discrepancies, audits, or sanctions, a review of your crypto accounts is required within 5 working days” – the very short timeframe is intended to increase pressure. Recipients must therefore log in to “Mein Elster” with their Elster certificate and link “crypto wallets or exchange accounts according to the instructions.” This is followed by a button labeled “To data review.” On mobile browsers, the button redirects to the actual phishing page; when requested with a desktop browser identifier, it redirected to web.de instead. This is intended to make the work of malware analysts more difficult.


The fraudsters try to build even more pressure and thus prompt potential victims to act: “Discrepancies between reported and declared data constitute an administrative offense that can be punished with a fine of up to 50,000 euros,” they further explain. “Tax evasion, on the other hand, is classified as a criminal offense and can be punished with a prison sentence,” the phishing email concludes.

There are several indications that this is not a genuine email from the tax administration. Although the sender displays a suitable name, the email address itself has nothing to do with taxes and is not even on a German domain. The action button redirects to a shortened, cryptic URL and not to domains connected to the Elster system. The minor spelling errors are another indicator. Recipients should therefore simply delete and ignore these emails.
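The sender and link indicators described above can be checked mechanically. The following Python sketch is an added example, not part of the original article: the list of expected domains, the keyword list, and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: domains a genuine tax-administration mail would use.
EXPECTED_DOMAINS = {"elster.de", "bzst.de"}
# Assumption: display-name keywords that claim a tax-authority sender.
AUTHORITY_WORDS = ("bundeszentralamt", "steuer", "elster", "finanzamt")

def in_domains(host, domains):
    """True if host equals, or is a subdomain of, one of the given domains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def phishing_indicators(raw):
    """Return the indicators from the article that apply to a raw message."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    sender_host = addr.rpartition("@")[2].lower()
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    findings = []
    # Display name claims the authority, but the address is on another domain.
    claims_authority = any(w in name.lower() for w in AUTHORITY_WORDS)
    if claims_authority and not in_domains(sender_host, EXPECTED_DOMAINS):
        findings.append("display-name-mismatch")
    # Sender address is not even on a German domain.
    if not sender_host.endswith(".de"):
        findings.append("sender-not-de-domain")
    # Action link leads somewhere other than the expected domains.
    for url in re.findall(r'href="([^"]+)"', body):
        host = urlsplit(url).hostname or ""
        if host and not in_domains(host, EXPECTED_DOMAINS):
            findings.append("link-off-domain")
    return findings

# Constructed sample messages (not taken from the real campaign).
SAMPLE_PHISH = """\
From: Bundeszentralamt fuer Steuern <info@mail-service.example>
Content-Type: text/html; charset=utf-8

<a href="https://short.example/a1B2">Zur Datenpruefung</a>
"""
SAMPLE_OK = """\
From: Mein ELSTER <noreply@elster.de>
Content-Type: text/html; charset=utf-8

<a href="https://www.elster.de/eportal/login">Mein ELSTER</a>
"""
```
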

The Federal Central Tax Office is often used as a front for such phishing attempts. Last May, for example, fraudsters allegedly demanded payment of late fees in the name of the authority for overdue tax returns.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.