Crypto hacking is no longer a fringe risk. Wallet compromises, exchange breaches, SIM swaps, phishing attacks, and protocol exploits have cost taxpayers billions of dollars. Yet for many victims, the financial damage does not stop when the assets are stolen. Under current tax rules, hacked taxpayers can face tax bills on income they never truly realized, with limited and inconsistent relief.
The law around deducting losses from hacking exists, but it is fragmented, unclear, and often applied unevenly. Understanding what the law allows, what it does not, and why clearer rules are urgently needed is critical for taxpayers caught in these situations.
The Basic Rule for Deducting Theft Losses
Under Internal Revenue Code Section 165, taxpayers may deduct losses arising from theft. Historically, theft losses included burglary, embezzlement, fraud, and similar criminal acts. In theory, hacking fits squarely within this framework. When assets are taken without authorization and with criminal intent, a theft has occurred.
In practice, however, crypto theft losses often fall into gray areas because the IRS has not issued comprehensive guidance tailored to digital assets. Victims are left navigating outdated rules that were never designed for blockchain-based property.
Why Crypto Theft Losses Are Often Denied
One major problem is that personal casualty and theft loss deductions were largely eliminated for individuals under the Tax Cuts and Jobs Act, except for losses attributable to federally declared disasters. The IRS has historically taken the position that many crypto theft losses are personal losses and therefore nondeductible.
This approach creates absurd outcomes. A taxpayer who loses crypto to a hack may be denied a deduction, even though the loss is real, involuntary, and often devastating. Meanwhile, the taxpayer may still owe tax on income tied to the stolen assets.
The IRS Memo That Opened the Door
In 2025, the IRS released internal guidance acknowledging that certain crypto scam and hacking losses may be deductible as ordinary losses when the assets were held in income-producing or investment contexts. While this guidance is not formal law or binding precedent, it signals an important shift.
The memo recognizes what taxpayers already know. When crypto is stolen, the loss is not a voluntary personal expense. It is a theft tied to an investment or business activity, and denying relief creates phantom income.
The problem is that a memo is not a statute or regulation. Relief remains uncertain, inconsistent, and highly fact-dependent.
Why the Tax Damage Often Goes Beyond the Stolen Crypto
Hacking losses rarely exist in isolation. In many cases, victims trigger additional taxable events while trying to respond to the theft.
Some taxpayers liquidate crypto positions to cover losses, creating capital gains they must still report. Others withdraw funds from retirement accounts, such as IRAs, to replace stolen assets or pay debts, triggering ordinary income tax and potential early withdrawal penalties.
In extreme cases, taxpayers take loans, unwind complex positions, or close businesses, each with its own tax consequences. The result is cascading tax exposure layered on top of an already devastating financial loss.
This is why hacking losses are not just about deducting stolen assets. They are about addressing a chain reaction of taxable events created by the theft.
The Enforcement Risk of Getting It Wrong
Taxpayers who attempt to deduct hacking losses without proper legal framing face audit risk. The IRS scrutinizes theft loss claims closely, especially in the crypto context. Poor documentation, incorrect characterization, or reliance on informal advice can result in denied deductions, penalties, and prolonged disputes.
At the same time, taxpayers who fail to claim available relief may overpay tax and lock themselves into unfavorable positions that are difficult to unwind later.
This is a legal issue as much as a tax one.
Why Clearer Rules Are Necessary
The current system discourages victims from coming forward. Many taxpayers fear that reporting hacking losses will invite audits or enforcement rather than relief. This fear undermines voluntary compliance and leaves significant amounts of taxable activity unresolved.
Clear statutory or regulatory guidance confirming when crypto hacking losses are deductible, and how they should be treated, would protect victims, reduce disputes, and improve overall compliance.
What Taxpayers Should Do After a Hack
Taxpayers should document the incident thoroughly, including evidence of unauthorized access, transaction records, and efforts to recover assets. They should carefully evaluate whether the crypto was held for investment, business, or income-producing purposes. Most importantly, they should seek legal guidance before filing or amending returns.
Early decisions often determine whether relief is available or foreclosed.
The Bottom Line
Crypto hacking victims should not be punished twice, first by criminals and then by the tax system. While existing law offers potential paths to deduct losses, the lack of clear rules leaves taxpayers exposed to uncertainty and enforcement risk.
At Gordon Law, we represent taxpayers dealing with crypto theft, scams, and the complex tax consequences that follow. We help clients evaluate deductibility, navigate audits, and pursue relief where the law allows. If you have suffered a crypto hacking loss or are unsure how it should be treated for tax purposes, now is the time to seek experienced legal guidance before the issue compounds.
Clear rules would benefit everyone. Until then, strategy matters.
