Crypto Phishing Scam (2026): Claiming the Wallet-Drain Loss on Your Taxes
By Garrett Taylor, CPA
June 22, 2026 · 10 min read

Key Takeaways
- A crypto phishing scam that drains your wallet is theft. If the crypto was held for investment, the loss is usually deductible under §165(c)(2), supported by IRS Chief Counsel Memo 202511015.
- Approval phishing and wallet drainers are the dominant attack. You sign a malicious transaction or enter a seed phrase on a fake site, and the attacker sweeps the wallet.
- Theft losses are deducted at cost basis in the year you discover the drain, reported on Form 4684 Section B, then carried to Schedule A.
- A stolen-crypto theft loss is not the same as a market loss. A price drop is a capital loss, while a phishing drain is an ordinary theft loss with different and often better tax treatment.
- Revoke token approvals immediately, document the malicious transaction hash, and file an IC3 report. The same records that help recovery also substantiate the deduction.
“A wallet drainer does not need your password. It needs one careless signature, and most victims never realize a deductible theft just occurred.”
A crypto phishing scam is fast and quiet. Unlike a slow-burn investment fraud, a crypto phishing scam can empty an account in a single transaction. There is no slow grooming and no fake relationship. You click a link, connect your wallet, approve a transaction that looks routine, and the wallet empties. By the time you notice, the crypto is several hops away.
Most people treat a drained wallet as a total write-off. In many cases it is not, at least not for tax purposes. If the stolen crypto was held for investment, a phishing loss can qualify as a deductible theft loss. This guide explains how the attack works and how the deduction works. For the full framework across all scam types, see our crypto scam tax deduction guide. A phishing drain is closely related to the fake crypto customer service scam, where a scammer talks you into moving funds rather than tricking you into a signature, and the same theft-loss rules apply.

What Is a Crypto Phishing Scam?
A crypto phishing scam tricks you into handing over access to your funds, either by entering your secret recovery phrase on a fake site or by signing a malicious transaction that grants the attacker control. Once they have access, a wallet drainer sweeps the assets automatically. The branding usually mimics a real exchange, wallet, or project to lower your guard.
Fake Login and Seed Phrase Pages
You get an email, text, or DM claiming your account or wallet is compromised. The link leads to a near-perfect clone of a real login page. You enter your credentials or your seed phrase, and the attacker uses them to drain the real account. Fake Ledger updates and fake MetaMask security alerts are common variants.
Approval Phishing and Wallet Drainers
The more modern version is approval phishing. Instead of stealing a password, the scammer gets you to sign a token approval or a malicious transaction. That signature authorizes their contract to move your tokens. Drainer-as-a-service kits make this point-and-click for criminals, which is why wallet drainer attacks scaled so quickly.
Pro Tip
**Treat every signature like a blank check.** Approval phishing works because a malicious approval looks almost identical to a normal one. If a site pushes you to connect and sign immediately, especially after an urgent alert, stop and verify the contract before you approve anything.
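Verifying an approval before you sign can be done mechanically on the raw calldata a wallet displays in its data view. The sketch below is an added example, not code from this article: the risk labels, the `UNLIMITED_FLOOR` threshold, the trusted-spender list, and the sample calldata are assumptions constructed for illustration.

```python
# Function selectors: first 4 bytes of the call, as shown in a wallet's hex/data view.
APPROVE = "095ea7b3"               # ERC-20 approve(address,uint256)
SET_APPROVAL_FOR_ALL = "a22cb465"  # NFT setApprovalForAll(address,bool)
UNLIMITED_FLOOR = 2**255           # assumed policy: at or above this counts as unlimited

def review_calldata(calldata, trusted_spenders=()):
    """Classify raw transaction calldata and explain any approval risk."""
    data = calldata.lower()
    if data.startswith("0x"):
        data = data[2:]
    selector, args = data[:8], data[8:]
    if selector not in (APPROVE, SET_APPROVAL_FOR_ALL):
        return {"kind": "other", "risk": "none", "reasons": []}
    if len(args) < 128:  # both 32-byte ABI words must be present
        return {"kind": "malformed", "risk": "high", "reasons": ["truncated arguments"]}
    spender = "0x" + args[24:64]   # address = low 20 bytes of word 0
    value = int(args[64:128], 16)  # word 1: amount (ERC-20) or bool (NFT)
    if value == 0:
        # A zero amount or `false` removes access; this is what a revoke looks like.
        kind = "erc20_revoke" if selector == APPROVE else "revoke_approval_for_all"
        return {"kind": kind, "spender": spender, "risk": "none", "reasons": []}
    reasons = []
    if spender not in {s.lower() for s in trusted_spenders}:
        reasons.append("spender is not on your trusted list")
    if selector == SET_APPROVAL_FOR_ALL:
        kind = "set_approval_for_all"
        reasons.append("operator rights over every token in the collection")
    else:
        kind = "erc20_approve"
        if value >= UNLIMITED_FLOOR:
            reasons.append("unlimited allowance")
    risk = "high" if len(reasons) >= 2 else "medium" if reasons else "none"
    return {"kind": kind, "spender": spender, "value": value,
            "risk": risk, "reasons": reasons}

# Constructed sample calldata (the spender address is a placeholder, not a real contract).
SPENDER = "0x" + "ab" * 20
PAD = "00" * 12
UNLIMITED = "0x" + APPROVE + PAD + "ab" * 20 + "ff" * 32
REVOKE = "0x" + APPROVE + PAD + "ab" * 20 + "00" * 32
NFT_ALL = "0x" + SET_APPROVAL_FOR_ALL + PAD + "ab" * 20 + "00" * 31 + "01"

if __name__ == "__main__":
    for name, tx in [("unlimited", UNLIMITED), ("revoke", REVOKE), ("nft", NFT_ALL)]:
        print(name, review_calldata(tx))
```

An unlimited allowance to a spender you recognize still returns `medium`, because the allowance stays live until you revoke it.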
Why Crypto Phishing Scams Are So Effective
A crypto phishing scam succeeds because it hijacks tools you already trust. The email looks like it came from your exchange. The site looks like the wallet you use every day. The transaction prompt looks like dozens you have approved before. There is no obvious moment of danger, just a routine action that happens to be malicious.
Approval phishing made this worse. Older scams needed your seed phrase, which at least felt sensitive. A modern wallet drainer only needs a single approval signature, and approvals are something experienced users sign constantly. The criminal economy industrialized it with drainer-as-a-service kits, so the person targeting you may not even be technical. They rented the tool.
Because the theft is instant and irreversible on-chain, prevention is everything for protecting your assets, and documentation is everything for protecting the deduction. The two goals use the same evidence.
Red Flags of a Crypto Phishing Scam
- An urgent message claiming your wallet or exchange account is compromised, with a link to fix it.
- Any page or person asking for your seed phrase or secret recovery phrase. No legitimate service ever needs it.
- A fake airdrop or giveaway that requires you to connect and sign to claim.
- A transaction-approval prompt you did not initiate, or one with a vague or unlimited spending allowance.
- Lookalike domains with subtle misspellings or extra words in the URL.
Is a Crypto Phishing Loss Tax Deductible?
Usually, yes, if the drained crypto was held for investment. A phishing drain is unambiguous theft, and under §165(c)(2) a theft loss from a profit-motivated holding is deductible. IRS Chief Counsel Memo 202511015, released in Q1 2025, supports treating crypto scam losses this way and confirms they sit under §165(c)(2) rather than the personal theft-loss rules the Tax Cuts and Jobs Act suspended through 2025.
Because almost everyone holds their wallet crypto as an investment, the profit-motive test is rarely a problem for phishing victims. The crypto was an investment asset before the theft, so the loss of it is an investment-related theft loss.
The Three Tests, Applied to Phishing
Test 1: Theft Under State Law
Tricking someone into signing away their assets is fraud and unlawful taking under any state's definition of theft. A wallet drainer clears this test cleanly.
Test 2: Profit Motive
The drained crypto must have been held for investment. For nearly all phishing victims it was. You were holding ETH, BTC, or tokens as an investment when the attacker took them, so the loss is profit-motivated.
Test 3: Year of Discovery
You claim the loss in the year you discovered the drain with no reasonable prospect of recovery. For a phishing attack, discovery is usually immediate, the moment you see the wallet emptied. Because stolen crypto that has moved through anonymous wallets is almost never recoverable, the year of discovery and the year of the loss are typically the same.
Phishing Theft Loss vs. a Market Loss
This distinction trips up a lot of taxpayers. If your crypto simply dropped in price, that is a capital loss you realize when you sell. If your crypto was stolen in a phishing attack, that is a theft loss under §165(c)(2), an ordinary deduction reported on Form 4684 Section B. They are different rules with different forms and often different value to you.
Stolen vs. fell in value
| What happened | Tax treatment |
|---|---|
| Wallet drained by a phishing scam | Theft loss, Form 4684 Section B, ordinary deduction at cost basis |
| Token lost value but you still hold it | No deduction until you sell, then a capital loss |
| You sold at a loss after the scam scare | Capital loss on Schedule D, not a theft loss |
How to Report a Phishing Wallet-Drain Loss
- Establish your cost basis in the drained crypto using your purchase records and exchange history.
- Report the theft on Form 4684 Section B, with basis in, fair market value after the theft of zero, and any recovery.
- Carry the loss to Schedule A as an itemized deduction, which then reduces AGI on Form 1040.
- If the loss exceeds income, track the §172 carryforward so future years benefit.
The detailed Form 4684 walkthrough in the pillar guide applies directly to phishing losses.
A Worked Example
Suppose you held 3 ETH that you bought across 2023 for a total of $5,400. You receive a fake security alert, connect your wallet to a lookalike site, and sign what you think is a verification step. It is an approval that lets a drainer move your tokens, and within minutes all 3 ETH are gone. Even if ETH is worth $12,000 on the day of the theft, your theft-loss deduction is your cost basis of $5,400. You report that on Form 4684 Section B in the year of the drain. If you had no realistic chance of recovery, that is also the year you claim it.
If your total income that year was lower than the loss, the unused portion does not vanish. It becomes a net operating loss under §172 and carries forward to offset future income.
What to Do Right After a Wallet Drain
- Move any remaining assets to a fresh, secure wallet immediately.
- Revoke active token approvals using a tool like revoke.cash so the drainer cannot keep pulling funds.
- Record the malicious transaction hash, the attacker's address, and screenshots of the drained balance.
- File an IC3 report at ic3.gov and a local police report to anchor the theft and the discovery date.
- Save your cost-basis records, since the deduction is measured at basis.
- Keep a short written timeline of the crypto phishing scam so your discovery date is documented in your own words.
Pro Tip
**Revoking approvals is both security and tax hygiene.** The revoke transaction, the malicious approval, and the drain all live on-chain. Capturing those hashes now gives you a permanent, timestamped record that substantiates the theft if the IRS ever asks.
Wallet Drained by a Phishing Scam? Let's Talk.
If a crypto phishing scam drained an investment wallet in 2024, 2025, or 2026, you may have a deductible theft loss under §165(c)(2) and IRS Chief Counsel Memo 202511015. I can review the on-chain facts and build a defensible position. Bring me the details and I will tell you straight whether the deduction works.
Frequently Asked Questions
Can I write off crypto stolen in a phishing scam on my taxes?
In most cases, yes. If the stolen crypto was held for investment, a phishing wallet-drain is a theft loss deductible under §165(c)(2), reported on Form 4684 Section B. IRS Chief Counsel Memo 202511015 supports the position. You deduct your cost basis in the year you discovered the theft.
Is a phishing loss a capital loss or a theft loss?
It is a theft loss, not a capital loss. A capital loss comes from selling an asset for less than you paid. A phishing drain is an involuntary theft, so it is reported as an ordinary theft loss on Form 4684 Section B.
What documentation do I need to deduct a wallet-drain loss?
Keep the malicious transaction hash and the attacker's wallet address, screenshots of the drained balance, your cost-basis records, and an IC3 plus police report filed soon after discovery.
What year do I claim a phishing theft loss?
You claim it in the year you discovered the loss with no reasonable prospect of recovery. For most phishing attacks that is the same year, because crypto moved through anonymous wallets is rarely recoverable.
Does revoking approvals affect my deduction?
No, revoking approvals is a security step to stop further theft. It does not reduce your deduction, and the revoke transaction actually helps document the timeline of the attack.

About the author
Garrett Taylor, CPA
Former Big Four CPA. CPA #133092. Garrett answers his phone. Led by expertise. Powered by precision.