
Operation Dragon's Toll: We've Uncovered a Global Phishing Campaign Targeting Foreign Nationals with Fake US W-8BEN Tax Forms

Our Threat Intelligence Unit, under a new initiative codenamed Operation Dragon's Toll, has identified a sophisticated, global phishing campaign originating from China. This campaign targets non-U.S. individuals living outside the United States who receive income from U.S. sources.

14th Command Team

December 4, 2025

Threat Intelligence & Attack Reports | Phishing & Social Engineering

Today, we are announcing the discovery of a sophisticated, global phishing campaign originating from China. Under a new internal initiative, Operation Dragon's Toll, we have been tracking a phishing campaign targeting non-U.S. individuals living outside the United States who receive income from U.S. sources.

The campaign uses fraudulent W-8BEN tax form emails to create a powerful sense of urgency. What makes this campaign exceptionally deceptive is the "hit-and-run" tactic we've identified. The attackers send a massive wave of phishing emails from a domain and then immediately "park" it on a Chinese marketplace like juming.com. This makes the domain appear harmless to subsequent security checks, even while the malicious phishing link may remain active.

How We've Seen It Work

The campaign's effectiveness lies in its speed and deception, designed to erase its tracks almost immediately after the attack is launched.

  1. The attackers first acquire a domain. For a very short operational window, they configure it with active mail servers and send a high volume of phishing emails. These emails, with subject lines like "Action Required: Update Your Tax Certification," threaten a 30% tax withholding to create panic.

  2. Immediately after the email blast is sent, the attackers change the domain's DNS records. They repoint the mail (MX) records and web (A) records to a public domain parking service. When a security analyst or victim later investigates the sender's domain, it appears to be a harmless, inactive "For Sale" page. This is a deliberate tactic to thwart standard investigation procedures.

  3. The "Update Your Tax Form" button in the email links to a specific, long URL path (e.g., www.domain.com/w8-form-update/). Our analysis shows that even after the root domain is “parked”, this specific malicious link can remain active, leading to a convincing replica of a financial portal where victims' data is stolen.

  4. The phishing page is designed to steal the full range of a victim's personally identifiable information (PII) required for a real W-8BEN form, making the request seem legitimate. This includes full name, address, country of citizenship, Foreign Tax Identifying Number, and potentially, credentials for the platform that pays them.
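The triage logic implied by steps 2 and 3, as an added example (not code from the original report): it scores the reported URL itself and treats a parked root domain as context rather than as a clean verdict. The marker strings, the 90-day age cutoff, the `Fetch` record and the `example.test` sample observations are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlsplit

# Assumptions (not from the report): marker strings and the 90-day age cutoff.
PARKING_MARKERS = ("juming.com", "domain is for sale", "buy this domain")
FORM_MARKERS = ("w-8ben", "foreign tax identifying number", "country of citizenship")
YOUNG_DOMAIN_DAYS = 90

@dataclass
class Fetch:
    """Result of one HTTP GET made from an isolated analysis host."""
    status: int
    final_url: str  # URL after redirects
    body: str

def is_parked(f: Fetch) -> bool:
    host = (urlsplit(f.final_url).hostname or "").lower()
    return any(m in host or m in f.body.lower() for m in PARKING_MARKERS)

def collects_tax_pii(f: Fetch) -> bool:
    body = f.body.lower()
    hits = sum(m in body for m in FORM_MARKERS)
    return f.status == 200 and "<form" in body and hits >= 2

def triage(root: Fetch, reported: Fetch, mx_hosts: list[str],
           created: date, today: date) -> tuple[str, list[str]]:
    """Score the reported URL itself; the root page is context, not a verdict."""
    reasons = []
    parked = is_parked(root)
    if parked:
        reasons.append("root domain shows a parking page")
    if any(m in h.lower() for h in mx_hosts for m in PARKING_MARKERS):
        reasons.append("MX now points at a parking service")
    if (today - created).days <= YOUNG_DOMAIN_DAYS:
        reasons.append("domain registered recently")
    if collects_tax_pii(reported) and not is_parked(reported):
        reasons.append("reported path still serves a W-8BEN data form")
        return ("malicious-hit-and-run" if parked else "malicious"), reasons
    # A parked root never clears the domain: the email itself remains evidence.
    return ("suspicious" if reasons else "no-findings"), reasons

# Constructed sample observations (example.test is a placeholder domain).
ROOT = Fetch(200, "https://example.test/",
             "<h1>This domain is for sale</h1><a href='https://www.juming.com/'>juming.com</a>")
PATH = Fetch(200, "https://www.example.test/w8-form-update/",
             "<form>W-8BEN update: Country of citizenship, Foreign Tax Identifying Number</form>")
```

Feed it observations collected from an isolated analysis host; a "suspicious" result on a parked root with a dead path still warrants keeping the original email as evidence.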

Who Is the Primary Target?

From our analysis, this campaign is specifically tailored to any foreign individual (non-U.S. person) who receives income from a U.S. entity. This is a massive global pool of potential victims, including:

  • Freelancers and remote workers on platforms like Upwork or Toptal.

  • Content creators earning revenue from U.S. platforms like YouTube, Twitch, or Substack.

  • International investors receiving dividends or interest from U.S. stocks and bonds.

  • Digital entrepreneurs and small business owners with clients in the United States.

  • We believe individuals in Nigeria and across Africa who are deeply integrated into the global digital economy are at particularly high risk.

How to Protect Yourself

  1. Treat all unsolicited tax-related emails as potentially fraudulent. The W-8BEN is submitted to the payer (the company that pays you), not the IRS. If you receive such an email, do not click any links. Instead, log in directly to the official portal of the company that requested the form and check your account notifications there.

  2. Before clicking, hover your mouse over any button or link to preview the full destination URL. Be highly suspicious of unfamiliar domain names (especially .cn TLDs) or those that don't perfectly match the official domain of the paying company.

  3. Use a free WHOIS lookup tool online to check the registration date of any suspicious domain. A domain created within the last few weeks or months is a major red flag.

  4. If you need to fill out a W-8BEN, download the official form directly from the IRS website (irs.gov) and submit it securely according to the instructions provided by your withholding agent (the payer).

The Mission of Operation Dragon's Toll

The discovery of this "hit-and-run" methodology is our first public announcement from Operation Dragon's Toll, our dedicated initiative to track and analyze threats that impact the global digital economy, with a special focus on Africa. This campaign's sophistication highlights the need for deep, behavioral analysis rather than relying on simple domain reputation. We will continue to monitor this threat actor and provide updates on their evolving tactics.
