Elon Musk, the IRS, and Your Bank Account: Anatomy of a Multi-Stage Financial Scam
A sophisticated multi-stage phishing campaign is spoofing the IRS and Elon Musk to lure victims into a fraudulent cryptocurrency initiative. The attack chain begins with an email offering a fake $5,000 tax refund, which redirects to a credential harvesting site that steals extensive PII, including government IDs and bank routing numbers. Victims are then funneled into a fake trading dashboard designed to facilitate direct financial fraud and continuous Bitcoin theft.
- Domain: dogetaxcoin[.]com - Domain associated with the fraudulent customer support email address.
- Domain: irsdogeelon[.]com - Phishing domain hosting the fake cryptocurrency market and PII harvesting forms.
- Email: [email protected] - Fraudulent customer support email address provided on the fake cryptocurrency platform.
- Email: [email protected] - Sender email address used to deliver the initial IRS-spoofed phishing lure.
- URL: hxxps://irsdogeelon[.]com/application.html - Initial credential phishing page spoofing the IRS and Elon Musk.
Detection / Hunter: Google
What Happened
Scammers are sending fake emails pretending to be the IRS, offering a $5,000 tax refund tied to an Elon Musk cryptocurrency program. Anyone who clicks the link is taken to a fraudulent website that steals sensitive personal information, including bank account details and photos of government IDs. This stolen information can be used by the attackers to drain bank accounts or commit severe identity theft. Users should be highly suspicious of unsolicited emails offering unexpected money and should never provide banking details or ID photos to unverified websites.
Key Takeaways
- A multi-stage phishing campaign spoofs the IRS and Elon Musk to offer a fake $5,000 tax refund.
- The attack harvests extensive PII, including government ID scans and bank routing numbers, enabling severe identity theft and financial fraud.
- Victims are redirected to a fraudulent cryptocurrency dashboard ('ElonMusk Dogecoin Initiative') that encourages weekly Bitcoin deposits.
- The fake platform enforces a three-month dwell time for withdrawals, maximizing the window for threat actors to steal funds.
- Stolen credentials and PII are exfiltrated to a threat actor-controlled Telegram bot.
Affected Systems
- End-user email accounts
- Online banking accounts
- Cryptocurrency wallets
Attack Chain
The attack begins with an email spoofing the IRS, containing a link to a credential phishing site. Victims are lured with a fake $5,000 tax refund and prompted to enter extensive PII, which is exfiltrated to a Telegram bot. The victim is then redirected to a fraudulent cryptocurrency dashboard where they are socially engineered into providing government ID scans, bank routing numbers, and direct Bitcoin deposits under the guise of an 'ElonMusk Dogecoin Initiative'.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide specific detection rules or queries.
Detection Engineering Assessment
- EDR Visibility: None. This is a web-based phishing and social engineering attack that does not involve dropping malware or executing malicious processes on the endpoint.
- Network Visibility: Medium. Network telemetry can capture DNS requests to the phishing domains and potential data exfiltration traffic to the Telegram API.
- Detection Difficulty: Moderate. Detecting this relies heavily on email security gateways catching the initial spoofed lure and web proxies blocking newly registered or uncategorized domains.
Required Log Sources
- Email Gateway Logs
- Web Proxy Logs
- DNS Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for inbound emails originating from '[email protected]' or containing subjects related to a '$5000 Tax Benefit Refund'. | Email Gateway Logs | Initial Access | Low |
| If you have visibility into web proxy logs, consider hunting for outbound connections to 'irsdogeelon.com' or 'dogetaxcoin.com'. | Web Proxy Logs | Credential Access | Low |
| Consider hunting for unusual outbound network connections to the Telegram API from non-standard applications, which may indicate data exfiltration via a Telegram bot. | Network Flow Logs | Exfiltration | Medium |
Control Gaps
- Email Security Gateway (SEG) bypass
- Lack of web filtering for newly registered domains
Key Behavioral Indicators
- Emails spoofing government entities (IRS) but originating from non-government sender domains
- Web forms requesting bank routing numbers and government ID uploads simultaneously
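The hunting hypotheses and behavioral indicators above can be expressed as simple triage logic over gateway and proxy telemetry. The following is an added example, not part of the original report: it runs over constructed sample email-gateway records and proxy lines (the sender local parts, client IPs and log layout are assumptions, since the report redacts the lure address), flags the report's domains and lure subject, and applies the "IRS branding from a non-.gov sender domain" indicator. The Telegram check only marks traffic for review, matching the table's medium false-positive risk.

```python
import re
from urllib.parse import urlparse

# Constructed email-gateway records (not real telemetry); local parts assumed.
EMAIL_LOGS = [
    {"from": "IRS Refund Dept <refund@irsdogeelon.com>", "subject": "$5000 Tax Benefit Refund"},
    {"from": "Internal Revenue Service <noreply@irs.gov>", "subject": "Your account transcript"},
    {"from": "Payroll <hr@example.com>", "subject": "Q2 expense reimbursement"},
    {"from": "IRS Notice <alerts@dogetaxcoin.com>", "subject": "Action required"},
]

# Constructed web-proxy lines: "<timestamp> <client-ip> <method> <url>"
PROXY_LOGS = [
    "2025-03-01T10:02:11Z 10.0.0.5 GET https://irsdogeelon.com/application.html",
    "2025-03-01T10:02:40Z 10.0.0.5 POST https://api.telegram.org/botPLACEHOLDER/sendMessage",
    "2025-03-01T10:03:05Z 10.0.0.9 GET https://www.irs.gov/refunds",
]

IOC_DOMAINS = {"irsdogeelon.com", "dogetaxcoin.com"}          # domains from the report
LURE_SUBJECT = re.compile(r"\$?5,?000\s+tax\s+benefit\s+refund", re.I)
GOV_BRANDING = re.compile(r"\b(irs|internal revenue)\b", re.I)  # IRS wording in From header


def sender_domain(from_header):
    """Return the lower-cased domain of the address in <...>, or of the bare address."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header.strip()
    return addr.rsplit("@", 1)[-1].lower()


def flag_email(rec):
    """Return the reasons an email record matches the campaign indicators (empty = clean)."""
    dom = sender_domain(rec["from"])
    reasons = []
    if dom in IOC_DOMAINS:
        reasons.append("ioc_sender_domain")
    if LURE_SUBJECT.search(rec["subject"]):
        reasons.append("lure_subject")
    # Behavioral indicator: government branding sent from a non-.gov domain
    if GOV_BRANDING.search(rec["from"]) and not dom.endswith(".gov"):
        reasons.append("gov_spoof_non_gov_domain")
    return reasons


def flag_proxy(line):
    """Classify a proxy line by destination host: IOC domain, Telegram API, or None."""
    host = (urlparse(line.split()[-1]).hostname or "").lower()
    if host in IOC_DOMAINS:
        return "ioc_domain"
    if host == "telegram.org" or host.endswith(".telegram.org"):
        return "telegram_api"   # review against the requesting application; medium FP risk
    return None
```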
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Block the identified domains (irsdogeelon.com, dogetaxcoin.com) on web proxies and DNS firewalls.
- Search email gateways for messages from [email protected] and purge them from user inboxes.
Infrastructure Hardening
- Implement strict DMARC, SPF, and DKIM verification to flag or block spoofed government emails.
- Evaluate whether newly registered domains can be isolated or blocked by default in your web proxy.
User Protection
- If supported by your tooling, implement browser-based phishing protections to block known malicious URLs.
Security Awareness
- Educate users on the dangers of unsolicited financial offers and the importance of verifying government communications through official channels.
- Train employees to never upload government IDs or provide bank routing numbers to unverified third-party websites.
MITRE ATT&CK Mapping
- T1566.002 - Phishing: Spearphishing Link
- T1036.008 - Masquerading: Masquerade Task or Service
- T1056.002 - Input Capture: GUI Input Capture
- T1567.002 - Exfiltration Over Web Service
Additional IOCs
- Domains:
  - irsdogeelon[.]com - Phishing domain hosting the fake cryptocurrency market.
  - dogetaxcoin[.]com - Domain associated with the fraudulent customer support email address.
- URLs:
  - hxxps://irsdogeelon[.]com/application.html - Initial credential phishing page.
- Other:
  - bc1pfxf9e57tuptfme0gwhmnk2kuqdyl4r984knejymtv5dfdk7h5dcqet4796 - Threat actor Bitcoin address provided for fraudulent deposits.