
From Tax Refund to Total Compromise: IRS-Themed Phishing Email Drives Full-Stack Financial Fraud

A sophisticated, multi-stage phishing campaign is spoofing the IRS and Elon Musk to conduct full-stack financial fraud. The attack leverages promises of a $5000 tax refund to trick victims into surrendering extensive PII, government IDs, bank account details, and direct cryptocurrency transfers, with stolen data exfiltrated via Telegram.

Sensitivity: Immediate · Confidence: high · Analyzed: 2026-04-09

Authors: Intelligence Team, Kahng An

Actors: ElonMusk Dogecoin Initiative

Source: Cofense

IOCs: 3

Key Takeaways

  • Multi-stage phishing campaign spoofs the IRS and Elon Musk to steal PII and cryptocurrency.
  • Initial lure promises a $5000 tax refund, directing victims to a fake 'ElonMusk Dogecoin Initiative' portal.
  • Stolen data includes extensive PII, government IDs, and bank routing/account numbers, enabling severe identity theft.
  • Data exfiltration is handled via a Telegram bot using the sendMessage API.
  • Victims are tricked into sending Bitcoin to a threat actor-controlled wallet under the guise of an investment return.

Affected Systems

  • Email systems
  • End users

Attack Chain

The attack begins with an IRS-themed email promising a $5000 tax refund courtesy of Elon Musk. Clicking the link directs the victim to a phishing site detailing the fake 'ElonMusk Dogecoin Initiative' and requesting extensive PII, which is exfiltrated via a Telegram bot. The victim is then redirected to a fake cryptocurrency dashboard where they 'redeem' their refund, but are blocked from withdrawing it. To unlock withdrawals, the victim is coerced into uploading a government ID, providing bank routing details, and sending Bitcoin directly to the threat actor's wallet.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules (YARA, Sigma, etc.) are provided in the article.

Detection Engineering Assessment

  • EDR Visibility: None. This is a web-based phishing and social engineering attack; EDR will not see the contents of the web forms or the cryptocurrency transfers.
  • Network Visibility: Medium. DNS and proxy logs can capture resolution of the phishing domains and the browser's calls to the Telegram bot API used for exfiltration.
  • Detection Difficulty: Moderate. Detection relies heavily on email security gateways and user reporting. Domain IOCs are easy to block once known, but the initial lure bypasses some SEGs.

Required Log Sources

  • Email Gateway Logs
  • DNS Logs
  • Web Proxy Logs

Hunting Hypotheses

Hypothesis | Telemetry | ATT&CK Stage | FP Risk
Users are receiving emails containing links to newly registered domains whose names contain keywords such as 'irs', 'doge', or 'elon'. | Email Gateway Logs | Initial Access | Low
Endpoints are making outbound API calls to Telegram (api.telegram.org/bot*/sendMessage) immediately after browsing to unknown or uncategorized domains. | Web Proxy/Firewall Logs | Exfiltration | Medium
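The second hypothesis is a sequence, not a single indicator: Telegram bot traffic on its own is common, but a sendMessage call from the same client within a couple of minutes of a visit to an uncategorized site is what the report describes. The following is an added example (not code from the Cofense report or this page) that runs that correlation over constructed proxy log lines in a hypothetical five-field format; the category names and the 120-second window are assumptions to tune against your own proxy.

```python
"""Hunt for Telegram bot exfiltration following a visit to an uncategorized site.

Added example; it is not code from the Cofense report or the original page.
Log format is hypothetical and constructed for the example:
    <ISO-8601 timestamp> <client_ip> <method> <url> <proxy_category>
Real proxy exports differ; only parse_line() should need changing.
"""
import re
from datetime import datetime, timedelta

# The phishing page posts directly to the Bot API; the bot token sits in the path.
TELEGRAM_SEND_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]+)/sendMessage\b",
    re.IGNORECASE,
)
# Proxy categories treated as "unknown" (names are assumptions; match your vendor).
UNCATEGORIZED = {"uncategorized", "unknown", "newly-registered"}
WINDOW = timedelta(seconds=120)

# Constructed sample log. irsdogeelon[.]com and dogetaxcoin[.]com are the domains
# named in the report; the bot tokens are fake placeholders.
SAMPLE_LOG = """\
2026-04-08T14:02:11Z 10.1.2.3 GET https://irsdogeelon.com/claim uncategorized
2026-04-08T14:02:58Z 10.1.2.3 POST https://api.telegram.org/bot123456789:AAHfakeTOKENvalue_x/sendMessage none
2026-04-08T14:10:00Z 10.1.2.9 GET https://news.example.com/ news
2026-04-08T14:11:00Z 10.1.2.9 POST https://api.telegram.org/bot987654321:BBHfakeTOKENvalue_y/sendMessage none
2026-04-08T15:00:00Z 10.1.2.7 GET https://dogetaxcoin.com/support uncategorized
"""


def parse_line(line):
    """Split one log line into a dict; timestamps become timezone-aware datetimes."""
    ts, ip, method, url, category = line.split()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "ip": ip,
        "method": method,
        "url": url,
        "category": category.lower(),
    }


def redact_token(token):
    """Keep the numeric bot id (useful for pivoting) and mask the secret half."""
    bot_id, _, _secret = token.partition(":")
    return f"{bot_id}:****"


def hunt(log_text, window=WINDOW):
    """Return one finding per Telegram sendMessage call that follows, within
    `window`, the same client's most recent visit to an uncategorized site."""
    events = sorted(
        (parse_line(line) for line in log_text.splitlines() if line.strip()),
        key=lambda e: e["ts"],
    )
    last_unknown = {}  # client_ip -> (ts, url) of the latest uncategorized visit
    findings = []
    for ev in events:
        m = TELEGRAM_SEND_RE.search(ev["url"])
        if m:
            prior = last_unknown.get(ev["ip"])
            if prior and ev["ts"] - prior[0] <= window:
                findings.append({
                    "client": ev["ip"],
                    "phish_url": prior[1],
                    "bot": redact_token(m.group("token")),
                    "delay_s": int((ev["ts"] - prior[0]).total_seconds()),
                })
        elif ev["category"] in UNCATEGORIZED:
            last_unknown[ev["ip"]] = (ev["ts"], ev["url"])
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

Only the 10.1.2.3 sequence is reported; the 10.1.2.9 client also calls the Bot API but its preceding browsing was to a categorized site, which is the medium-FP-risk case the table warns about. The bot id is kept in the finding because it can be pivoted on across clients, while the secret half of the token is masked so it does not end up in tickets.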

Control Gaps

  • Bypass of traditional Secure Email Gateways (SEGs) by the initial lure
  • Lack of user awareness of how the IRS actually communicates (it does not initiate contact by email)

Key Behavioral Indicators

  • Emails spoofing the IRS but originating from unrelated domains (e.g., solucioneshogar[.]com)
  • Web traffic to irsdogeelon[.]com

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Block the domains irsdogeelon[.]com and dogetaxcoin[.]com on web proxies and DNS filters.
  • Search email gateways for messages originating from support@solucioneshogar[.]com or carrying the subject 'Your $5000 Tax Benefit Refund', and purge them.
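The purge search above is only as good as the indicators it keys on; the sender address and subject will change, while the pattern of an IRS-themed display name on an address outside irs.gov will not. The following added example (not code from the Cofense report or this page) triages constructed gateway records in a hypothetical JSON-lines schema using the report's two indicators plus that display-name check. The sample also carries a DMARC result to make a point a practitioner should not miss: the reported lure authenticates cleanly because the actor controls the sending domain.

```python
"""Triage email-gateway records for the IRS-themed lure.

Added example, not code from the Cofense report or the original page. Records are
constructed JSON lines in a hypothetical schema (id, from, subject, dmarc); map
your gateway's export onto these field names.
"""
import json
import re
from email.utils import parseaddr

# Indicators named in the report.
KNOWN_SENDERS = {"support@solucioneshogar.com"}
KNOWN_SUBJECTS = {"your $5000 tax benefit refund"}
# Display-name check: claims to be the IRS but the address is not under irs.gov.
IRS_NAME_RE = re.compile(r"\bIRS\b|internal revenue service", re.IGNORECASE)
LEGIT_IRS_DOMAINS = ("irs.gov",)

# Constructed sample. m1 mirrors the reported lure; its DMARC result is "pass"
# because the actor controls the sending domain, so authentication checks alone
# would not have stopped it. m4 is a lookalike; m3 and m5 are benign controls.
SAMPLE_RECORDS = """\
{"id": "m1", "from": "IRS Refund Center <support@solucioneshogar.com>", "subject": "Your $5000 Tax Benefit Refund", "dmarc": "pass"}
{"id": "m2", "from": "Payroll <hr@corp.example>", "subject": "Your W-2 is ready", "dmarc": "pass"}
{"id": "m3", "from": "Internal Revenue Service <noreply@irs.gov>", "subject": "Account transcript available", "dmarc": "pass"}
{"id": "m4", "from": "IRS <alerts@irs.gov.example.net>", "subject": "Refund notice", "dmarc": "pass"}
{"id": "m5", "from": "Alice <alice@partner.example>", "subject": "Re: IRS audit prep meeting", "dmarc": "fail"}
"""


def sender_domain(addr):
    return addr.rpartition("@")[2].lower()


def is_irs_domain(domain):
    """True only for irs.gov itself or a real subdomain; irs.gov.example.net fails."""
    return any(domain == d or domain.endswith("." + d) for d in LEGIT_IRS_DOMAINS)


def classify(record):
    """Return the list of rules a record triggers (empty list means clean)."""
    name, addr = parseaddr(record["from"])
    reasons = []
    if addr.lower() in KNOWN_SENDERS:
        reasons.append("known-sender")
    if record["subject"].strip().lower() in KNOWN_SUBJECTS:
        reasons.append("known-subject")
    # Subject mentions of "IRS" are deliberately not a rule: m5 shows why.
    if IRS_NAME_RE.search(name) and not is_irs_domain(sender_domain(addr)):
        reasons.append("irs-display-name-mismatch")
    return reasons


def triage(records_text):
    """Map message id -> triggered rules for every record worth purging."""
    hits = {}
    for line in records_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        reasons = classify(record)
        if reasons:
            hits[record["id"]] = reasons
    return hits


if __name__ == "__main__":
    for msg_id, reasons in triage(SAMPLE_RECORDS).items():
        print(msg_id, reasons)
```

m1 trips all three rules and m4 trips only the display-name rule, which is the one that survives the actor rotating sender domain and subject. The domain test is an exact-or-subdomain match rather than a substring check, so irs.gov.example.net is not mistaken for irs.gov.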

Infrastructure Hardening

  • Enforce DMARC, SPF, and DKIM verification to flag and quarantine messages that spoof government sender domains. Note that the observed lure was sent from an unrelated domain (solucioneshogar[.]com) with an IRS-themed display name, so alignment checks alone will not stop it; add display-name impersonation rules for 'IRS' and 'Internal Revenue Service'.
  • Restrict access to the Telegram Bot API endpoint (api.telegram.org) from corporate networks if it is not required for business operations.

User Protection

  • Deploy phishing-resistant MFA to protect corporate accounts in case users reuse passwords on the phishing forms.
  • Monitor for unusual outbound cryptocurrency-related web traffic from corporate assets.

Security Awareness

  • Educate employees that the IRS will never initiate contact via email, text, or social media to request personal or financial information.
  • Train users to identify mismatched sender addresses in official-looking emails.

MITRE ATT&CK Mapping

  • T1566.002 - Phishing: Spearphishing Link
  • T1056.002 - Input Capture: GUI Input Capture
  • T1567 - Exfiltration Over Web Service (data is posted to the Telegram Bot API; the sub-technique T1567.002, Exfiltration to Cloud Storage, given in the source does not fit a messaging API)

Additional IOCs

  • Domains:
    • irsdogeelon[.]com - Phishing domain hosting the fake IRS/Elon Musk portal
    • dogetaxcoin[.]com - Domain used for the fake support email address
    • solucioneshogar[.]com - Domain used to send the initial phishing email
  • Other:
    • ELON - Voucher code used by victims in the fake crypto portal
    • Your $5000 Tax Benefit Refund - Subject line of the initial phishing email