Can You Claim a Tax Deduction for Crypto Lost to a Phishing Attack?
Losing crypto to a phishing scam is disorienting enough on its own, and the question of whether it can at least be written off on taxes often follows soon after. The honest answer involves a federal rule that changed the landscape for personal theft losses significantly.
The short answer
Under current federal tax law, personal theft losses — including crypto lost to phishing — are generally not deductible unless the loss is connected to a federally declared disaster. This restriction has applied to individual, non-business theft losses for recent tax years. Because the rules are technical and subject to change, anyone in this situation should consult a qualified tax professional about their specific facts.
Why the general theft-loss deduction is so limited now
Personal casualty and theft losses used to be more broadly deductible, subject to certain thresholds. That changed under a major overhaul of federal tax law that suspended the deduction for personal theft losses except when tied to a federally declared disaster, for a set range of tax years. A phishing scam, however devastating, does not meet that disaster standard, since it’s a criminal act against an individual rather than an event like a hurricane or wildfire affecting a whole region. This distinction is a large part of why so many crypto theft victims are surprised to learn there’s no straightforward deduction available.
Where the rules get more nuanced
- Investment versus personal-use property. Some tax professionals draw a distinction between crypto held as a personal asset and crypto connected to a trade or business or an income-producing activity, since different loss categories can be treated differently under the tax code.
- Documentation still matters. Even where a deduction isn’t available, keeping records of the loss — transaction records, wallet addresses, and any report filed with authorities — is worth doing in case rules change or a professional identifies an applicable exception.
- State tax treatment can differ. Some states follow federal rules closely while others have their own provisions, so the answer isn’t uniform everywhere, similar to how California’s approach to crypto capital gains follows its own state-specific framework layered on top of federal rules.
The bigger picture around crypto theft
Because phishing losses are usually not deductible in the way many people assume, the practical emphasis tends to shift toward prevention. That means understanding common warning signs before a transfer happens in adjacent scam categories, verifying links and requests independently rather than trusting an urgent message, and treating any request to move funds quickly as a signal to slow down. Crypto’s irreversibility is central to why phishing is so damaging in this space specifically — once a transaction confirms, there is typically no institution that can reverse it the way a bank might reverse a fraudulent charge.
What to weigh
- The default rule is no deduction, absent a connection to a federally declared disaster, for personal-use crypto lost to phishing.
- Facts matter enormously. Whether the crypto was investment property, business property, or personal-use property can change the analysis, and only a qualified preparer familiar with the details can say for certain.
- Tax law changes. Provisions that suspend or limit deductions are often tied to specific tax years, so what’s true this year may not be true in a future year.
The bottom line
For most individuals, crypto stolen through a phishing attack cannot simply be deducted as a straightforward loss on a federal return, because the law currently limits personal theft loss deductions to federally declared disasters. Rules around exceptions, business use, and state treatment vary and change, so anyone facing this situation should talk to a tax professional before assuming either that a deduction exists or that it doesn’t.