← Back to Blog

IRS Said I Owe Tax — Pay in Bitcoin? It's a Scam.

The IRS doesn't call. The FBI doesn't text. Social Security doesn't demand Bitcoin. If a confident voice on the phone says they do and points you at a Bitcoin ATM, you are inside the largest elder-targeting fraud channel in the country — and the next 30 minutes matter more than the next 30 days.

Editorial illustration of an IRS impersonation crypto scam: a spoofed caller ID showing IRS but the caller is a shadowy criminal silhouette, the victim walking toward a Bitcoin ATM with a bag of cash, and the on-chain trace path from kiosk to scammer collection wallet to an Asian off-ramp exchange
30-Second Answer

What it is: A caller posing as the IRS, Social Security, the FBI, the US Marshals, or another government agency invents an emergency — back taxes, an arrest warrant, a frozen account — and pressures the victim to withdraw cash and deposit it into a Bitcoin ATM, wire crypto from an exchange, or buy gift cards converted to crypto. The IRS does not call demanding Bitcoin. No real US agency does.

How big: The FBI's IC3 logged approximately $246.7 million in cryptocurrency kiosk losses in 2024, with government impersonation among the leading origination scripts. Roughly 85% of victims were aged 60 or older. Indiana enacted what is described as the first statewide kiosk ban in March 2026; roughly 29 states now have kiosk-specific consumer protection laws.

What is recoverable: Direct on-chain reversal is impossible once the kiosk's settlement transaction confirms. What is realistically achievable is forensic attribution — tracing the cash from the kiosk operator's settlement wallet through the scammer's collection address, the USDT-Tron fragmentation hops, and into the Asia-Pacific exchange deposit where account-holder identity can be subpoenaed.

If You're Reading This and You're On the Phone Right Now

Stop. Hang up. Read this.

If a person on the phone is claiming to be the IRS, the FBI, Social Security, a sheriff, a federal marshal, or any government agency, and they are telling you that you owe money and must pay in Bitcoin, cryptocurrency, gift cards, or by depositing cash into a kiosk — it is a scam. Every single time. There is no exception.

The IRS does not call. The FBI does not call. Social Security does not call. No real US government agency calls anyone to demand immediate payment in cryptocurrency. The caller ID showing a government number is spoofed; the badge number they read out is fake; the case file they reference does not exist.

Do this right now: hang up. Do not call the number back. Do not drive anywhere. Do not withdraw cash. Do not touch a Bitcoin ATM. Tell one family member or one friend what just happened. Then, only if you genuinely want to confirm, look up the real agency's phone number yourself at IRS.gov or SSA.gov and call that number from your own phone. Anything else the caller said can wait.


What the IRS Will Actually Do (And What It Will Never Do)

The single sentence on the official IRS scam alerts page is the foundation of this entire article: the IRS does not initiate contact with taxpayers by phone, email, text message, or social media to demand immediate payment using a specific payment method such as a prepaid debit card, a gift card, or cryptocurrency. That guidance is published, restated by the IRS every tax season, and printed in plain language on the agency's own website.

What the IRS will actually do is send you a letter. If you owe back taxes, the first contact is always a written notice mailed to the address the IRS has on file. The notice will include the tax year in question, the amount owed, an explanation of how it was calculated, and your right to dispute or appeal the assessment. There is no urgency, no countdown timer, and no specific payment method demanded. You can pay at IRS.gov, by check, by direct debit from a bank account, or through a documented installment agreement. You can call the IRS yourself at a number published on IRS.gov to discuss the notice. The agency is structurally bureaucratic and slow on purpose — due process is the point.

What the IRS will never do, in any circumstance:

  • Call demanding immediate payment with a specific deadline of hours or days.
  • Ask for payment in cryptocurrency, gift cards, prepaid debit cards, or by wire transfer to a third-party account.
  • Threaten to send local police, immigration officers, or other law enforcement to your home for non-payment of taxes.
  • Demand payment without giving you the opportunity to question or appeal the amount.
  • Refuse to identify themselves with a real employee number you can independently verify.
  • Tell you to stay on the phone, not to discuss the call with anyone, or that the matter is part of a secret federal investigation.

Every behavior on that list is, by itself, definitive proof that you are talking to a scammer. The combination of three or four of them — urgency, crypto demand, threat of arrest, isolation — is the unmistakable fingerprint of the impersonation script.

The same logic applies to the other commonly impersonated agencies. The Social Security Administration does not call to threaten that your Social Security number has been suspended or used in a crime, and does not direct anyone to move funds to a so-called federal safe account. The FBI does not call to demand bond payment in Bitcoin to clear a warrant. The US Marshals Service does not call about missed jury duty and accept payment via a kiosk. The Treasury Department and OFAC do not call individual citizens to warn that their accounts will be frozen unless funds are moved. Local police do not collect bond money over the phone in cryptocurrency, period.


By the Numbers: $246.7M, 85% Over 60, and the Cases Behind the Statistics

$246.7M
FBI IC3 reported crypto kiosk losses in 2024 (government impersonation a leading origin)
85%
Share of crypto kiosk fraud victims aged 60 or older
#1
Government impersonation rank as origination script for kiosk losses
~29
US states with crypto kiosk consumer-protection laws enacted or advanced (2026)
10x
Approximate growth in kiosk-related IC3 losses since 2020
$5K-$50K
Typical per-victim loss range in impersonation cases

The IC3 figures are the bedrock data set, and they understate the problem in three ways. First, only a fraction of victims file an IC3 report at all; shame is the single most consistent reason victims keep losses private. Second, IC3 categorizes losses by the on-ramp channel (kiosk, exchange wire, gift card) rather than by the originating social-engineering script, so government impersonation losses that route through a direct exchange wire or a gift-card-to-Bitcoin conversion are counted in different buckets but share the same origin call. Third, the data lags — 2024 numbers were published mid-2025, 2025 numbers will land mid-2026, and the trajectory is clearly upward.

The named cases behind the statistics make the harm concrete. In February 2026, a Virginia woman in her seventies lost approximately $16,000 to a caller posing as an IRS agent who walked her through three sequential Bitcoin kiosk deposits at a convenience store near her home over the course of a single afternoon. In 2025, a Spokane Valley case widely cited in legislative testimony involved an elderly man who died by suicide in the days after losing his retirement savings to a kiosk-funneled impersonation scam — a tragedy that figured into Indiana legislators' decision to enact what is described as the first statewide ban on cryptocurrency kiosks in March 2026. AARP's federal advocacy team has tracked impersonation-driven kiosk losses as one of its top three policy priorities for the 2025-2026 legislative cycle.

Two patterns matter most when you read these numbers. The dollar growth dramatically outpaces the growth of crypto adoption generally — this is not a "more crypto means more crypto crime" story, it is a targeted-channel story. And the demographic concentration is extreme. In a typical investment-platform pig butchering case the median victim is in their forties or fifties; in government impersonation crypto scams the curve is shifted hard to the right.


The Script: How the Call Actually Goes, End to End

Timeline ribbon of the five-stage impersonation scam script: hook, escalation, urgency, payment method, and control, with the red flag for each stage labeled and the typical multi-hour call duration shown at the bottom
The five-stage script: hook, escalation, urgency, payment method, control. Every impersonation call rides the same rails.

Every impersonation call I have reviewed in casework follows the same five-act structure. The variables are the agency impersonated and the cover story. The arc is identical because the arc is what works on a human nervous system, and the people running these call centers are running a script that has been refined through hundreds of thousands of calls.

Act 1: The hook

The phone rings. The caller ID is spoofed to display a recognizable government number — the IRS, SSA, FBI, the local sheriff's office, or sometimes the victim's own bank. The caller introduces themselves with a name, a badge number, and a department. The opening minute is calm and professional. The hook is a single sentence of bad news: "I am calling to inform you that there is a balance due on your federal tax filings," or "I am with the Social Security Administration regarding suspicious activity on your account," or "This is Deputy Marshal Reynolds calling about a federal subpoena issued in your name."

Act 2: The escalation

The tone hardens. The caller introduces a consequence: a warrant, a deportation order, a fraud freeze, a federal grand jury. They invent specific case numbers, court names, judge names. If the victim attempts to push back, the caller becomes condescending and clipped, often saying something like "this is a serious federal matter and your cooperation is required by law." If the victim wants to verify, the caller offers to transfer them to a "supervisor" or an FBI agent, which is just another script-reader at the same call center playing a different role.

Act 3: The urgency

A deadline appears. Ninety minutes. Two hours. By 5pm. The deadline is calibrated to the emotional state of the victim and the scammer's read of how much time they need to complete the cash withdrawal. The caller emphasizes that any delay will result in immediate arrest, accounts being frozen, family members being notified, or jail time. The deadline is the manufactured pressure cooker that prevents reflection.

Act 4: The payment method

Once the victim has internalized the urgency, the caller introduces the resolution. The phrasing is always cast as a process — "we can resolve this today," "there is a way to clear the warrant before the arrest is executed" — and the method is always crypto: drive to your bank, withdraw $X in cash, drive to a specific Bitcoin ATM at a specific gas station, follow the instructions I give you over the phone. Some variants instead direct the victim to a crypto exchange account they already hold, or to a sequence of gift card purchases that will be converted to crypto.

Act 5: The control

The most important act. The caller instructs the victim to stay on the phone for the entire process and not to mention the call to anyone. The reasons given are always plausible-sounding: it is an active federal investigation; mentioning it could constitute obstruction of justice; the bank tellers might be involved and cannot be trusted; family members might inadvertently leak the case. The function of the isolation is to prevent the single intervention that almost always stops the scam — a second pair of eyes. Tellers who recognize the warning signs and refuse to release the cash, family members who happen to be present, and convenience store clerks who notice an elderly customer making a large kiosk deposit while on the phone are the most common rescues in this scam category.

The 2-6 hour call

The typical impersonation call runs continuously for two to six hours — from the first ring through the bank withdrawal, the drive to the kiosk, the kiosk transaction, and sometimes a follow-up demand for a second deposit. If you walk in on a family member who has been on the phone with a stranger for hours and seems agitated or distracted, that is itself a red flag. The single most effective intervention is to physically take the phone and hang up.


Which Agencies Get Impersonated (And Their Specific Scripts)

Nine-card grid showing the most commonly impersonated US government agencies in crypto scam calls: IRS, Social Security, FBI, US Marshals, Treasury or OFAC, local police, DEA, ICE or US Customs, and utility companies, each labeled with the typical claim and the demanded payment method
The impersonation taxonomy. Nine agencies, nine cover stories, one common payment endpoint: crypto.

The list of impersonated agencies has grown over the last decade, but the top of the list has remained stable since the 2018 IRS-impersonation surge. The detail below is what I see most frequently in casework.

IRS — "You owe back taxes plus an arrest warrant"

The original modern impersonation script. The caller claims unfiled or underpaid taxes, often citing a specific year and a fabricated dollar amount in the high four or low five figures. The case is described as being referred to "IRS Criminal Investigation" or "the Tax Crimes Division," with the implication of immediate arrest unless the balance is wired or kiosk-deposited. TIGTA — the Treasury Inspector General for Tax Administration — runs the official intake channel for IRS impersonation reports and has documented the script in detail in its annual reports.

SSA — "Your number was used in drug trafficking"

The fastest-growing variant in the 60+ demographic. The caller claims the victim's Social Security number has been linked to a crime in another state — most often drug trafficking in Texas or a money-laundering investigation in New Mexico — and that the SSN will be "suspended" unless funds are immediately moved to a "federal safe account." The Social Security Office of the Inspector General runs the official reporting line and consistently flags this as the leading SSA-impersonation script.

FBI — "Your identity was used in a federal crime"

Higher-loss per case than IRS or SSA on average, because the caller fabricates a fact pattern that justifies a larger demanded "bond." Common cover stories include child sexual abuse material being routed through the victim's IP address, an offshore bank account opened in their name, or a money-laundering case in which they are listed as an unwitting mule. The FBI maintains a public statement that it does not contact citizens by phone to demand money.

US Marshals — "You missed jury duty, warrant issued"

A growing variant that exploits the universality of jury duty. The caller claims a federal court has issued a contempt warrant for missed service, with a fabricated court name and judge. The demanded payment is framed as a "bond" to clear the warrant before arrest. The actual US Marshals Service does not call about jury duty or accept payment over the phone.

Treasury / OFAC — "Your accounts will be frozen"

The "safe account" script. The caller claims the victim's bank accounts are about to be frozen as part of a Treasury sanctions investigation and that the only way to preserve the funds is to move them immediately into a federal safe account — which in practice is either a kiosk deposit or a wire to a "Treasury-controlled" wallet address the caller provides.

Local police / sheriff — "Outstanding bench warrant"

The most localized variant. The caller spoofs the victim's actual local sheriff or police non-emergency line, names a local judge, and references a real local court. The demanded payment is a kiosk-deposited "bond." Because the caller ID and names check out on a quick Google search, this variant defeats the simplest verification reflex.

DEA — "Package linked to your name"

The caller claims a package containing narcotics was intercepted with the victim's name on the shipping label, and that an "asset forfeiture" deposit is required to clear the victim's name from the investigation. Often paired with a fabricated case number and a follow-up call from a "supervisor."

ICE / CBP / US Customs — "Deportation, family at risk"

Disproportionately targets first-generation immigrants and visa holders. The script weaponizes immigration anxiety, often demanding payment in gift cards converted to crypto on the threat of immediate detention of the victim or family members.

Utility companies — "Power cut in 30 minutes"

Mostly targets small businesses. The caller claims the business's electric bill is overdue and that power will be cut in thirty minutes unless payment is made immediately, usually via gift cards or a kiosk deposit. Restaurants, hair salons, and small retailers are the most common targets.

Across all nine variants the structure is identical. Different uniform, same script, same payment endpoint.


Why Older People Are the Target (And Why It Is Not Their Fault)

The 85 percent figure is not random. Kiosk-funneled impersonation fraud is the cleanest example of a scam channel engineered around a specific demographic, and reading it as a story about elderly gullibility is both wrong and harmful.

Older Americans are statistically more likely to answer calls from unknown numbers, more likely to engage at length with a confident impersonator of authority, more likely to have substantial cash or near-cash savings available to withdraw the same day, less likely to have a workplace-cybersecurity background that would have inoculated them against social engineering, and less likely to have prior hands-on experience with cryptocurrency. The unfamiliarity is the active ingredient. A scammer cannot easily walk a thirty-year-old crypto user through depositing $15,000 into a kiosk because the thirty-year-old has a self-custody wallet and would ask "why don't I just send from my own wallet?" The seventy-five-year-old has no frame of reference at all, which means the scammer's narration of the kiosk interface ("press this button, scan this code") slots cleanly into the existing emotional state of fear and urgency.

There is also a generational respect for authority. Americans who came of age in the 1950s and 1960s internalized a default trust in federal agencies that does not survive much exposure to the modern internet. When a confident voice says "this is the IRS," the social conditioning to take that statement seriously is much stronger than for a twenty-five-year-old who has spent half their life ignoring scam-flagged calls. The scammers know this and select for it.

The combination — available cash, unfamiliarity with crypto mechanics, authority-trusting reflexes, isolation at home for many retirees — is what produces the demographic concentration. None of those traits are character flaws. They are features of a life that did not require constant vigilance against industrialized international fraud. When this scam hits a 75-year-old, what got them was a script written by professionals to exploit conditions the victim did not know they were inside. If you are reading this on behalf of a parent or grandparent who lost money: the shame they feel is not deserved. Help them past it.


The Payment Methods They Demand

Crypto kiosks are the dominant channel because they convert physical cash into irreversible crypto in a single short visit, but they are not the only payment method that government impersonation crews use. The full menu, in rough order of prevalence in current casework:

Cryptocurrency kiosks (Bitcoin ATMs)

The leading method. The victim is directed to a specific kiosk by name and address, often at a gas station or convenience store. The scammer maintains lists of kiosks by location, model, and per-transaction limit, and selects one with limits that accommodate the planned dollar amount. Detailed mechanics of this channel are covered in my dedicated piece on the Bitcoin ATM scam forensic trace.

Direct wire from an existing crypto exchange account

If the victim already has a Coinbase, Kraken, Gemini, or similar account, the scammer instructs them to log in, buy Bitcoin or USDT, and send it to a wallet address provided. This route bypasses the kiosk fee but loses the operator-side KYC evidence layer that kiosk fraud produces. The exchange that processed the outbound transfer is still subpoenable.

Bank wire to a third-party account, then converted to crypto

The victim wires fiat to a money mule's US bank account; the mule then buys crypto and forwards it to the scammer's wallet. This is the route that bridges traditional wire fraud and crypto fraud, and the bank wire layer adds another set of KYC records that may be retrievable through a bank investigation.

Gift cards converted to cryptocurrency

The victim is directed to buy thousands of dollars in Apple, Google Play, Steam, or Target gift cards and read the redemption codes over the phone. The scammer then sells the codes on a peer-to-peer gift-card-for-crypto exchange (Paxful historically, various successor platforms now) and receives Bitcoin or USDT in return. This is a common variant when the victim is unable or unwilling to operate a kiosk.

Zelle, Venmo, and Cash App routes

Less common in pure impersonation cases because most US banks now flag large peer-to-peer transfers to new recipients, but still used as a top-up method when the primary kiosk deposit is insufficient.

Mixed methods are common. A single scam call may direct the victim to make a kiosk deposit for an initial amount, then a gift card purchase for a top-up, then a wire from their brokerage account "to confirm the resolution." Each method changes the forensic surface area slightly but does not change the core fact: the funds end up on-chain and end up at a centralized exchange.


Where Your Money Actually Goes On-Chain

Sankey-style on-chain forensic trace showing victim cash flowing into the kiosk operator hot wallet, then to the scammer collection address, bridged to USDT-Tron and fragmented across many small wallets, before consolidating at an Asia-Pacific off-ramp exchange deposit, with KYC retention points labeled at the kiosk operator and the off-ramp exchange
Forensic trace path. Two endpoints (kiosk operator and off-ramp exchange) retain KYC records; the middle three hops are pseudonymous.

The on-chain path of impersonation funds is remarkably consistent across cases. Once the kiosk operator's hot wallet broadcasts the settlement transaction, the funds follow a predictable migration that an experienced investigator can map at every step.

Step 1: Kiosk operator settlement. Within minutes of the cash hitting the bill validator, the kiosk operator (Bitcoin Depot, CoinFlip, RockItCoin, Athena Bitcoin, CoinHub, and similar) broadcasts a Bitcoin transaction from its hot wallet to the destination address the victim entered via QR code at the scammer's direction. The exact timing depends on the operator and on network conditions, but the broadcast usually lands within 5 to 30 minutes. From that block confirmation forward, the funds are irreversible at the protocol level.

Step 2: Scammer primary collection wallet. The destination address is the scammer's primary collection wallet for the day or the week. Sophisticated operators rotate these frequently; cheaper operators reuse a small set of addresses across many victims, which is forensically convenient because it lets investigators cluster many cases into one wallet graph.

Step 3: Bridge into USDT-Tron. Bitcoin is a poor laundering layer because transactions are slow, expensive, and highly traceable. The scammer typically swaps the BTC into USDT on the Tron network, often through a centralized swap service or a low-friction bridge. USDT-Tron is the laundering layer of choice across most modern crypto scam categories because it offers near-zero transaction fees, fast confirmation, and a relatively permissive ecosystem of small exchanges and OTC desks willing to handle large flows without aggressive KYC. The forensic logic of this layer is discussed in detail in my piece on stolen USDT recovery on Tron.

Step 4: Fragmentation. The USDT is split across many smaller wallets in a tree structure, with each subsequent generation of addresses receiving a fraction of the parent's balance. Six to ten hops of fragmentation is common; the function is to defeat naive clustering tools and to slow down investigators. It does not defeat experienced forensic analysis — the timing patterns, the fan-out structure, and the consolidation points downstream are all signatures.

Step 5: Consolidation and off-ramp. After fragmentation, the funds reconverge at one or two collection wallets controlled by the cash-out operator (often a different individual from the call-center operator), and from there deposit at a centralized exchange. The most common off-ramp destinations are Binance, OKX, HTX, and Bybit, with smaller regional Asian exchanges as secondary venues. The exchange deposit is the second KYC retention point of the entire chain — the deposit address is tied to an account that, under the exchange's compliance framework, has KYC records (passport scan, selfie, source-of-funds attestation) that can be subpoenaed by law enforcement or by civil counsel through Mutual Legal Assistance Treaty channels or direct exchange compliance contact.

Step 6: Withdrawal to fiat. The scammer converts USDT to a local fiat currency on the exchange and withdraws through the exchange's local banking rails. From the moment of withdrawal, the funds have left the on-chain forensic surface entirely and exist as bank-level entries that follow whatever local AML regime governs that jurisdiction.

The window that closes the trace

From the moment the kiosk settlement transaction confirms, the scammer typically has 12 to 48 hours before the funds land at the off-ramp exchange — sometimes longer, sometimes much shorter. The first 24 hours are when fast law enforcement coordination can sometimes get a freeze placed on the eventual deposit before the scammer withdraws to fiat. After day three the practical window collapses sharply.

What to Do If You Already Paid

If the cash has already gone into the kiosk and the receipt is in your hand, the next 72 hours are the highest-leverage period of the entire response. Work the list below in order. None of these steps require legal expertise; all of them are things you can do tonight.

  1. Preserve every piece of evidence. Keep the kiosk receipt (it has the transaction hash and destination wallet address — this is the most important piece of paper in the case). Save the bank withdrawal slip. Take screenshots of the call log showing the scammer's number, every text message, and any caller ID screenshots. Photograph or scan the receipt itself in case the thermal paper fades.
  2. File a local police report immediately. You will need it for any insurance claim, bank dispute, or civil action downstream. Most police departments will take the report by phone or in person; ask for a case number in writing.
  3. File with the FBI Internet Crime Complaint Center at IC3.gov. Regardless of the dollar amount. Cumulative reports against the same wallet address eventually trigger federal aggregation, and the FBI's Virtual Assets Unit acts on patterns even when individual cases sit below the field office threshold. Detailed instructions are in my walkthrough on how to report a crypto scam to the FBI.
  4. Report to the agency-specific channel. For IRS impersonation, file with the Treasury Inspector General for Tax Administration (TIGTA) at tigta.gov. For SSA impersonation, file with the Social Security Office of the Inspector General at oig.ssa.gov. These channels feed into investigations the IC3 may not.
  5. Contact the kiosk operator's fraud line in writing. Bitcoin Depot, CoinFlip, RockItCoin, Athena, and CoinHub all have dedicated fraud channels. A written preservation request for the destination wallet address — before any subpoena issues — locks in the KYC and camera footage that supports later legal action. Some operators will additionally flag the destination address to prevent further victims from depositing to it.
  6. Notify the bank where the cash was withdrawn. Brief them on the scam and request a fraud flag on the account; depending on the bank, additional teller-level warnings may be added if the scammer attempts a follow-up.
  7. Freeze your credit at all three bureaus. The scammer may have collected enough personal information during the call to attempt identity theft as a secondary monetization.
  8. If the loss is material (typically $5,000+), engage a blockchain forensic investigator. The investigator's deliverable is the on-chain trace from the operator's settlement transaction forward and the evidence package needed to subpoena the off-ramp exchange. The walkthrough in my first-72-hours response guide outlines what to expect from this engagement. Do not engage any service that guarantees recovery — that is the secondary scam that specifically preys on people who just lost money.

What to Do If Your Parent or Loved One Was Targeted

Most of the calls I receive in this category come from adult children of victims, not from the victims themselves. The dynamics are tricky: shame, denial, in some cases ongoing scammer contact, and often the family member trying to help from another state. The instinct is to lead with the bad news ("you got scammed") and the lecture ("how did you fall for this"). Both make the next 24 hours harder.

The first principle is to suppress the shaming reflex completely. Government impersonation scams are designed by professionals to defeat normal vigilance, and they hit smart, accomplished people. Your parent was not careless; they were targeted. Open with that, mean it, and the rest of the conversation goes better. The companion to this article is the detailed family-side guide on how to help a parent who was scammed out of their crypto, which walks through the conversational and tactical steps in depth.

Practical priorities, in order:

  • If the call is ongoing or the scammer is still in contact, break the channel. Take the phone if you are physically present. Block the number if you are remote. Tell your parent in unambiguous terms that anyone who contacts them again about this matter is a scammer, including any "FBI follow-up," any "Department of Justice victim coordinator," and any "recovery specialist" — all of which are common second-wave attacks.
  • Run the evidence-preservation list above on their behalf if they are too overwhelmed to do it. With their consent, take possession of the receipt, the bank slip, and the phone logs. File the IC3 and police reports for them or alongside them.
  • Loop in Adult Protective Services. If the victim is 60 or older, APS in the relevant state is often a useful escalation path. Many jurisdictions are mandatory-report states, and APS can sometimes accelerate bank-level fraud response.
  • Watch for the secondary scam. Within days of the loss, the victim will often receive contact from a "recovery service" or a "law firm specializing in crypto fraud" claiming they can get the money back for an up-front fee. These are fully scripted secondary scams, often run by the same call center under a different brand. The pattern is detailed in my piece on how recovery scammers find victims.
  • Address the credit and account exposure. Change passwords on any account the scammer may have asked about during the call. Freeze credit. Run antivirus if the victim was directed to install any remote-access tool during the call.

How Forensic Investigators Trace These Cases

Forensic work on impersonation cases is straightforward in structure and labor-intensive in execution. The starting point is the kiosk receipt, which contains the transaction hash and destination wallet address. From there:

  1. Identify the kiosk operator's settlement wallet. The transaction on the receipt was broadcast by the operator, not the victim. Confirming which hot wallet the operator uses is the first labeling step.
  2. Follow the funds out of the scammer's primary collection wallet. The destination address typically holds funds for minutes to hours before forwarding. Map every outflow with timestamps.
  3. Cluster across multiple victim cases. If the scammer reuses the destination address across other IC3 reports (and many do), the wallet graph immediately ties multiple cases together. This is where investigation pays off most: a single $15K case scoped on its own has limited federal leverage, but a wallet linked to forty IC3 reports across twelve states is a different conversation.
  4. Trace through the USDT-Tron bridge. The BTC-to-USDT swap is usually identifiable from the transaction shape and the timing. The USDT side picks up at the bridge's payout address and from there is mappable through standard Tron-side cluster analysis.
  5. Map the fragmentation tree. Build the parent-child relationships across the fan-out, identify consolidation points, and follow to the eventual exchange deposit.
  6. Identify the off-ramp deposit. Match the consolidation wallet to known exchange deposit clusters using public attribution data and proprietary forensic tools. The deposit address belongs to a KYC'd exchange account; the account-holder identity is the endpoint of the on-chain trace.
  7. Produce the evidence package. A subpoena-ready report documents every hop with transaction hashes, timestamps, USD valuations, and the chain-of-custody methodology. That report is what civil counsel uses to file a John Doe action and serve the exchange, and what law enforcement uses to issue a freeze request and (eventually) a formal records subpoena.

The full investigative methodology is laid out in my deeper piece on crypto forensic investigation work, and the on-chain mechanics of the USDT-Tron layer specifically are covered in stolen USDT recovery on Tron. For the related pure-investment-scam pattern that uses some of the same off-ramp infrastructure, see my analysis of pig butchering scam recovery.


What State Laws (Like Indiana's Ban) Are Doing About It

The legislative response to kiosk-funneled impersonation fraud has accelerated sharply since 2023, and the 2025-2026 cycle has produced the most aggressive measures to date.

Indiana's statewide ban. In March 2026, Indiana enacted what is widely described as the first statewide ban on cryptocurrency kiosks, removing operators from the state entirely. The legislation followed sustained advocacy from AARP and from state Adult Protective Services, with elder-fraud case data presented to legislative committees during the session.

Restriction-and-disclosure statutes. Approximately 29 states have either enacted or are advancing kiosk-specific consumer protection laws. Common provisions include daily transaction limits for new customers (often $1,000 to $2,000 for the first thirty days), mandatory written warnings about impersonation fraud at the kiosk interface, mandatory refund windows for first-time users defrauded within a short period, registration and licensing of operators, and operator liability for inadequate fraud warnings. Vermont, Minnesota, California, Nebraska, Arizona, Rhode Island, and Washington are among the most active jurisdictions.

Federal enforcement. The Department of Justice has indicted multiple India-based call-center networks for impersonation fraud since 2016, with the largest of those prosecutions resulting in convictions of 24 defendants in 2018 connected to a nationwide IRS impersonation scheme. The DOJ's victim remission process has returned funds to a subset of victims in those cases; the mechanics of that channel are covered in my piece on the DOJ crypto victim remission program.

Industry-side response. The major kiosk operators have rolled out enhanced fraud warnings at the kiosk interface, voice-callback verification for first-time large transactions, and (in some operators' cases) refund windows for victims who report within 24-48 hours. The effectiveness varies. Operators with the strongest fraud teams (Bitcoin Depot's compliance unit is often cited as a leader) do flag destination addresses internally once a fraud report comes in, which can prevent additional victims from depositing to the same address.

None of this brings back money already lost. What it changes is the marginal economics for the scam operators: as states impose transaction limits and reduce kiosk density, the per-victim scam yield drops and the operational cost of running the calls rises. Combined with sustained law enforcement pressure on the call centers themselves, the trajectory of the channel may finally be bending.


Frequently Asked Questions

Does the IRS ever call demanding payment in Bitcoin?
No. The Internal Revenue Service does not call, email, or text taxpayers to demand immediate payment in cryptocurrency, gift cards, prepaid debit cards, or by wire transfer to a so-called safe account. The IRS communicates a balance due in writing by mail first, gives the taxpayer the right to question or appeal the amount owed, and accepts payment only through documented channels at IRS.gov. Any inbound phone call from a person identifying as the IRS who creates urgency, threatens arrest, or directs you to a Bitcoin ATM is a scam. Hang up.
How much money is lost to IRS and government impersonation crypto scams each year?
The FBI's IC3 documented approximately $246.7 million in cryptocurrency kiosk losses in 2024 alone, with government impersonation among the leading origination scripts. Roughly 85 percent of those kiosk victims were aged 60 or older, and the median loss per victim was in the five-figure range. Government impersonation losses extend beyond kiosks into direct crypto wires, gift-card-to-crypto conversions, and Zelle-to-exchange routes, which means the published kiosk figure is a floor, not a ceiling. AARP, FBI elder fraud units, and Adult Protective Services agencies across multiple states have flagged this as the fastest-growing channel of elder financial exploitation in the United States.
Why does the caller ID show a real government number?
Caller ID can be spoofed using readily available VoIP services. Scammers routinely display the actual published phone number of the IRS, the Social Security Administration, the FBI, the US Marshals Service, a local sheriff's department, or even the victim's own bank. The display number on your phone is not authentication. If you receive a call you cannot independently verify, hang up and call the agency back using a phone number you look up yourself from the agency's official website. Never trust a callback number provided by the caller.
I already drove to a Bitcoin ATM and deposited cash. Can the money be reversed?
Once the kiosk operator's settlement transaction is mined into a confirmed block on the Bitcoin network, the transfer is irreversible at the protocol level. The operator cannot reverse it, the blockchain cannot reverse it, and no third party can reverse it. What can happen is that the deposit at the scammer's eventual off-ramp exchange may be frozen if law enforcement moves quickly enough and the exchange honors the freeze request before the scammer withdraws to fiat. Within the first 24 to 48 hours, contact the kiosk operator's fraud line in writing, file an IC3 report, file a local police report, and if the loss is material, engage an independent blockchain forensic investigator to begin the on-chain trace from the operator's settlement wallet forward.
What agencies do scammers most commonly impersonate?
The most common impersonation scripts in 2025 and 2026 are the IRS, the Social Security Administration, the FBI, the US Marshals Service, the Treasury Department or OFAC, local police and sheriff's departments, the DEA, ICE or US Customs, and occasionally utility companies threatening to cut off power. Each has a tailored cover story but the structure is identical: fabricate a federal crisis, demand immediate payment in cryptocurrency or gift cards converted to cryptocurrency, instruct the victim to stay on the phone and not tell anyone. No real US government agency accepts payment in cryptocurrency, gift cards, or by wire transfer to a so-called safe account.
Why do these scams target older Americans so heavily?
FBI IC3 data shows roughly 85 percent of cryptocurrency kiosk fraud victims are aged 60 or older. The demographic concentration reflects three structural factors: older Americans are more likely to answer unknown calls and engage with a confident authority impersonator, more likely to have substantial cash or near-cash savings available to withdraw the same day, and less likely to have hands-on cryptocurrency experience — meaning the kiosk feels foreign and intimidating, which is exactly the disorientation the scammer's script depends on. The targeting is engineered, not coincidental. This is not a victim-blame story; it is a story about scammers selecting the channel where the social-engineering pressure script lands hardest.
My parent or grandparent was just on the phone with someone claiming to be the IRS. What do I do right now?
If you can intervene before they have driven to a bank or a kiosk, the priority is to break the call and create space. Take the phone, hang up, and do not call the number back. Do not let them call the number back. Sit with them and explain that the IRS does not call demanding Bitcoin and that no real federal agency will ever ask for cryptocurrency. If they have already withdrawn cash but not yet deposited it, the cash is recoverable — physically intercept the kiosk trip. If the cash is already in the kiosk, document everything: the call log, the receipt with the destination wallet address and transaction hash, the bank withdrawal slip, and any text messages. File a local police report, file with IC3.gov, and contact the kiosk operator's fraud line in writing requesting preservation of all KYC and camera records related to the destination wallet.
Are these scammers ever caught? Where does the money actually go?
The call centers are usually overseas — predominantly in India, with operations also identified in Pakistan, the Philippines, and parts of Southeast Asia. The on-chain flow typically routes the victim's Bitcoin from the kiosk operator's settlement wallet, into a scammer collection address, often bridged into USDT on the Tron network for low-fee fragmentation across multiple intermediate wallets, and ultimately deposited at an Asia-Pacific centralized exchange (commonly Binance, OKX, HTX, or Bybit) where the scammer converts to fiat and withdraws through local banking rails. Federal prosecutions of impersonation crews do happen — the Department of Justice has indicted multiple India-based call-center networks since 2016 — but they are slow, multi-year, and depend on cross-border cooperation. The realistic outcome for an individual victim is forensic attribution that supports an FBI IC3 aggregation and a civil subpoena to the exchange where the deposit landed, not direct restitution from the call center itself.

Lost money to an IRS or government impersonation scam? Start with a free scoping call.

If a family member deposited cash at a Bitcoin ATM or wired crypto to a scammer claiming to be a government agency, we will scope the trace from the kiosk settlement transaction or wire-out, through the USDT-Tron fragmentation layer, to the off-ramp exchange deposit. Initial assessments are free and we respond within 24 hours.

Start a Free Case Review

Zack Coffing

Founder of Wallet Witness. Independent blockchain forensic investigator specializing in crypto scam analysis, digital asset tracing, and litigation support. Based in the United States, serving victims and attorneys worldwide.