Crypto Tax Scam Sweeps Europe: Fake Government Sites Drain Wallets Via Seed Phrase Theft & Malicious Web3

Published 18 hours ago• 2 minute read

.

This psychological manipulation is designed to create urgency and exploit regulatory confusion around crypto taxation in the Netherlands.

Clicking the email link takes the victim to a phishing website that perfectly mirrors official Dutch portals, right down to the layout, fonts, logos, and colors. These spoofed pages prompt victims to provide personal details, including their name, address, date of birth, bank info, and wallet provider—even asking how much crypto they hold.

“The design matches the style of the Dutch government portals… and includes fake DigiD references to appear more authentic.”

But the real danger lies ahead. Based on the phishing kit used, the site proceeds down one of two malicious paths.

Some variants prompt users to enter their wallet’s seed phrase—a 12 or 24-word string—under the guise of a standard connection step. Once entered, the phrase is instantly exfiltrated via Telegram bot or to an attacker-controlled admin panel.

“With those 12 words, the attacker can restore access to the wallet… draining the victim’s assets takes only seconds.”

To further evade detection, these phishing kits use advanced scripts like check.js that block developer tools, disable the Backspace key, and prevent page inspection or saving—making analysis nearly impossible.

The second attack vector uses a malicious Web3 connection. Victims are asked to scan a QR code via WalletConnect, establishing a live session between their wallet and a malicious decentralized app (dApp).

Crypto Tax Scam, Phishing — The victim is asked to scan a QR code in order to connect the malicious dApp to the crypto wallet | Image: Group-IB

“Once the victim connects… a malicious script starts sending transaction requests to the victim’s wallet, allegedly needed to declare assets.”

These scripts—like wallet-connect-v4.js and onboard.js—are linked to the Inferno Drainer, a Drainer-as-a-Service platform. Once victims approve a seemingly harmless transaction, the wallet is emptied immediately.

In addition to draining funds, the campaign collects detailed personal data using scripts like globalScript.js and postman.js. Victims are shown a fake success screen and then redirected to Google, completely unaware of the theft.