EXECUTIVE SUMMARY
Attackers are leveraging fake communications from European tax authorities to deceive cryptocurrency holders into surrendering sensitive information. The campaign begins with phishing emails designed to appear as official notices, pressuring recipients to file a crypto asset declaration form under the guise of newly introduced regulations. These emails use fear tactics, such as warning of fines or penalties for noncompliance, to provoke immediate action. They exploit a common misunderstanding: while crypto holdings must be declared as part of regular tax filings, there is no special form required. The emails link to fraudulent websites that meticulously replicate the look and feel of legitimate government portals. These clones mirror official branding elements like logos, typography, layout, and even fake login mechanisms such as DigiD. This visual authenticity helps convince victims they are interacting with a real authority. Once on the phishing site, users are prompted to provide personal information, such as their full name, address, date of birth, bank details, and crypto wallet information, laying the groundwork for further exploitation.
The phishing operation proceeds via two primary techniques: seed phrase theft and malicious transaction signing. In the first method, victims are asked to submit their crypto wallet’s recovery phrase, misleadingly framed as a required step for connecting the wallet. Once submitted, the phrase is transmitted to the attacker’s infrastructure, enabling full control of the wallet and quick asset withdrawal. The phishing kits used in this method include anti-debugging scripts like check.js, which disables browser tools and navigation functions to avoid detection. In the second method, attackers target smart contract wallets by incorporating a WalletConnect interface into the phishing page. Victims are instructed to scan a QR code, which links their wallet to a rogue dApp. This connection allows scripts associated with known draining tools to push approval requests that appear routine but, when confirmed, transfer crypto assets to attacker-controlled wallets. The attack flow is further supported by scripts that validate form input and exfiltrate data, ensuring both financial and identity theft. Regardless of the method, the attackers collect personal details and present a fake success message before redirecting the victim to a legitimate website, further masking the deception.
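The second technique relies on the victim confirming an approval request that looks routine. As an added illustration (not code from the report or the phishing kit), the following wallet-side screen decodes an `eth_sendTransaction` request and flags the approval patterns a drainer relies on: an unlimited ERC-20 `approve()` or an ERC-721 `setApprovalForAll()` granted to a spender the user has never vetted. The selectors are the standard 4-byte function selectors; the allow-list and the sample request are constructed for the example.

```javascript
// Added example: screen token-approval requests before a wallet signs them.
// Selectors are the standard ERC-20/ERC-721 4-byte function selectors; the
// allow-list and the sample transaction below are constructed, not real data.
const APPROVE = "0x095ea7b3";              // approve(address,uint256)
const SET_APPROVAL_FOR_ALL = "0xa22cb465"; // setApprovalForAll(address,bool)
const MAX_UINT256 = (1n << 256n) - 1n;

// Hypothetical allow-list of spender/operator contracts the user has vetted.
const KNOWN_SPENDERS = new Set(["0x1111111111111111111111111111111111111111"]);

// ABI arguments are 32-byte words following the 4-byte selector.
function word(data, i) {
  const w = data.slice(10 + i * 64, 10 + (i + 1) * 64);
  if (w.length !== 64) throw new Error("truncated calldata");
  return w;
}

// Returns a verdict for one eth_sendTransaction request object {to, data}.
function screenApproval(tx) {
  const data = (tx.data || "0x").toLowerCase();
  const sel = data.slice(0, 10);
  const reasons = [];
  if (sel === APPROVE) {
    const spender = "0x" + word(data, 0).slice(24);
    const amount = BigInt("0x" + word(data, 1));
    if (!KNOWN_SPENDERS.has(spender)) reasons.push("spender not on allow-list");
    if (amount === MAX_UINT256) reasons.push("unlimited allowance");
    return { kind: "approve", token: tx.to, spender, amount, risky: reasons.length > 0, reasons };
  }
  if (sel === SET_APPROVAL_FOR_ALL) {
    const operator = "0x" + word(data, 0).slice(24);
    const approved = BigInt("0x" + word(data, 1)) !== 0n;
    if (approved) reasons.push("blanket operator approval over every token");
    if (approved && !KNOWN_SPENDERS.has(operator)) reasons.push("operator not on allow-list");
    return { kind: "setApprovalForAll", token: tx.to, spender: operator, approved, risky: reasons.length > 0, reasons };
  }
  return { kind: "other", risky: false, reasons };
}

// Constructed sample: an unlimited approve() to an unknown spender, the kind of
// routine-looking request a rogue dApp pushes after a WalletConnect pairing.
function encodeApprove(spender, amount) {
  const pad = (hex) => hex.padStart(64, "0");
  return APPROVE + pad(spender.slice(2).toLowerCase()) + pad(amount.toString(16));
}
const SAMPLE_TX = {
  to: "0xabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd",
  data: encodeApprove("0xdeaddeaddeaddeaddeaddeaddeaddeaddeaddead", MAX_UINT256),
};
console.log(screenApproval(SAMPLE_TX)); // risky: true, two reasons
```

A wallet or browser extension would surface `reasons` in the confirmation dialog instead of showing only the token symbol and a spender address.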
This campaign marks a shift from lure-based scams to coercion-driven phishing attacks that weaponize urgency and fear. By posing as tax authorities, attackers exploit a sensitive topic to manipulate victims into acting without due diligence. The emotional stress of potential legal or financial consequences disrupts rational thinking, increasing the likelihood of success. The dual-threat model—using either seed phrase capture or smart contract wallet interaction—broadens the scope of affected users and reflects an adaptable attack infrastructure. Scripts used in the phishing kit are designed to evade analysis and make detection harder, adding a technical layer to the campaign’s deceptive social engineering. This attack highlights the importance of understanding how legitimate processes work, especially in regulatory contexts. Crypto users should be wary of any unsolicited request for wallet access or personal information and always verify URLs and communication sources independently. While defensive technologies remain important, awareness and user vigilance are equally critical in preventing such multifaceted threats from succeeding.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-Technique |
|---|---|---|---|
| Reconnaissance | T1589.002 | Gather Victim Identity Information | Email Addresses |
| Resource Development | T1583.006 | Establish Accounts | Web Services |
| Initial Access | T1566.002 | Phishing | Spearphishing via Service |
| Execution | T1204.001 | User Execution | Malicious Link |
| Persistence | T1556.001 | Modify Authentication Process | Credential Injection |
| Defense Evasion | T1027.002 | Obfuscated Files or Information | Obfuscated JavaScript |
| Defense Evasion | T1497.003 | Virtualization/Sandbox Evasion | Disable Dev Tools / Wipe on Resize |
| Credential Access | T1555.003 | Credentials from Password Stores | Wallet Seed Phrase Theft |
| Collection | T1119 | Automated Collection | – |
| Command and Control | T1102.002 | Web Service | Exfiltration via Telegram |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | – |
| Impact | T1486 | Data Encrypted for Impact | – |
| Impact | T1499 | Endpoint Denial of Service | – |
REFERENCES:
https://www.group-ib.com/blog/declaration-trap/