Elon Musk '$5,000 IRS Refund' Scam Could Drain Your Bank Account And Steal Your Identity — How The Scam Works
A phishing campaign using IRS branding and Elon Musk imagery is luring victims into a multi-stage identity theft and crypto fraud
For many people, the promise of a tax refund can feel like an unexpected piece of good news. Cyber criminals are now exploiting that expectation through a sophisticated phishing campaign that claims victims are eligible for a $5,000 tax refund linked to Elon Musk.
Security researchers at Cofense uncovered the operation in early April. In an analysis published on April 9, the company said the campaign begins with a deceptive email that appears to come from the Internal Revenue Service. What initially looks like a routine tax message can quickly lead victims into a wider fraud operation designed to collect personal information, banking details and cryptocurrency payments.
The Email That Starts the Trap
The campaign begins with a carefully crafted phishing email claiming recipients qualify for a $5,000 tax refund allegedly provided by billionaire Elon Musk.
The message includes familiar IRS branding and design elements that mimic official communications. Notably, the email also contains a legitimate IRS phone number in the footer. The number belongs to the agency's Practitioner Priority Service and appears to have been included to make the message seem authentic.
Recipients are instructed to click a link to access the refund. Instead of leading to an official IRS website, the link redirects users to a fraudulent page designed to steal personal information. At first glance, the website appears convincing. It continues to use IRS logos and images of Musk to suggest the programme is connected to both the government and the billionaire entrepreneur.
A Fake Initiative Built Around Cryptocurrency
The phishing site shows visitors a lengthy message describing what is called the ElonMusk Dogecoin Initiative. The explanation claims the programme was created in response to geopolitical tensions involving Iran and is designed to distribute cryptocurrency benefits to taxpayers.
According to the narrative presented on the site, participants will receive a one-time payment of $5,000 and possible recurring deposits of $10,000. However, the offer includes an unusual condition.
Users are told they must participate in a cryptocurrency programme that requires returning $9,500 in Bitcoin as part of the initiative. The story appears designed to create urgency while still maintaining the illusion that victims are about to receive money.
Harvesting Personal Information
Before users can move further into the process, they are asked to complete a form requesting personal details. According to the Cofense analysis, the phishing form typically asks for:
• Full name
• Email address
• Phone number
• Date of birth
• Home address
Once submitted, the information is automatically sent to a Telegram channel controlled by the attackers. The transfer occurs through a bot using Telegram's sendMessage function. This allows criminals to receive victims' personal information almost immediately. But the campaign continues beyond this first stage.
The Fake Cryptocurrency Platform
After submitting the form, victims are directed to another website that resembles a cryptocurrency trading platform. Users are instructed to redeem their supposed refund by entering a voucher code. The code displayed on the platform is ELON.
When entered, the platform shows that a balance of $5,000 has been added to the user's account. At this point, the scam becomes more convincing. Victims can see the balance and are told they can withdraw the funds. However, when they attempt to withdraw the money, the site displays another requirement. The platform claims withdrawals are only processed after three months of activity.
The Real Objective: Identity Theft
To join the withdrawal queue, users must submit additional verification information. This includes uploading a government-issued photo ID and entering a bank account and routing numbers for an alleged transfer. In its April 9 report, Cofense said the combination of personal and financial data collected during this process could enable attackers to carry out more advanced fraud schemes.
With access to identification documents and banking details, criminals could attempt identity theft, social engineering attacks or direct financial withdrawals. Victims may also be encouraged to send cryptocurrency payments to a Bitcoin wallet listed on the platform. The site claims these payments are required as part of the programme's weekly deposit system.
A Multi-Stage Fraud Operation
In its analysis, Cofense described the campaign as an example of how phishing attacks are increasingly designed as multi-stage fraud operations rather than simple email scams.
Instead of collecting credentials in a single step, the attackers guide victims through several stages that appear legitimate. Each step gathers more personal information or encourages further financial participation. What begins with a simple email can eventually lead to a full identity compromise. For many victims, the deception may only become clear after weeks or months.
How To Spot Red Flags
Authorities repeatedly warn that the IRS does not send unsolicited emails offering tax refunds or cryptocurrency programmes. Any message claiming to provide a government refund linked to a public figure should be treated with caution.
Cybersecurity researchers advise users to avoid clicking links in unexpected emails and to verify tax-related communications through official government websites. As phishing campaigns become more elaborate, even a convincing message can be part of a carefully planned fraud operation.
© Copyright IBTimes 2025. All rights reserved.
- Recommended For You
