Full Report
Matthew Akande was living in Mexico when he and at least four co-conspirators broke into the networks of tax preparation firms and filed more than 1,000 fraudulent tax returns seeking tax refunds. The post Nigerian man sentenced to 8 years in prison for running phony tax refund scheme appeared first on CyberScoop.
Analysis Summary
# Incident Report: Multi-Year Tax Preparation Firm Compromise and Fraud Scheme
## Executive Summary
Matthew Akande and his co-conspirators executed a five-year cyber-enabled fraud campaign targeting U.S. tax preparation firms to file over 1,000 fraudulent tax returns. By deploying Remote Access Trojans (RATs) via phishing, the group stole client data and diverted over $1.3 million in federal refunds to controlled bank accounts. The incident concluded with Akande’s extradition and sentencing to eight years in federal prison.
## Incident Details
- **Discovery Date:** July 2022 (Indictment filed)
- **Incident Date:** June 2016 – June 2021
- **Affected Organization:** Multiple tax preparation firms (including five based in Massachusetts)
- **Sector:** Financial Services / Tax Preparation
- **Geography:** United States (Victims); Mexico, UK, Nigeria, and North Dakota (Attacker locations)
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing from 2016 through 2021.
- **Vector:** Phishing.
- **Details:** Attackers sent deceptive emails to employees at tax preparation firms, designed to induce them to open malicious attachments or follow malicious links.
### Lateral Movement
- **Details:** Upon successful phishing, the attackers deployed Warzone RAT and other malware to gain remote control over internal systems, allowing them to navigate the firms' networks and access client databases.
### Data Exfiltration/Impact
- **Details:** The group stole sensitive Personally Identifiable Information (PII) belonging to the firms' clients. This data was used to file 1,000+ fraudulent tax returns seeking $8.1 million in refunds.
### Detection & Response
- **How it was discovered:** Investigation by federal authorities (DOJ/IRS) into fraudulent tax patterns and international money transfers.
- **Response actions taken:** Indictment filed in July 2022; Akande arrested at Heathrow Airport in October 2024; extradited to the U.S. in March 2025.
## Attack Methodology
- **Initial Access:** Phishing emails targeting tax firm employees.
- **Persistence:** Remote Access Trojans (RATs) like "Warzone RAT" provided ongoing access to infected workstations.
- **Privilege Escalation:** Not explicitly detailed, but involved gaining sufficient rights to access client tax folders.
- **Defense Evasion:** Use of legitimate-looking phishing lures and off-the-shelf RATs to blend with network traffic.
- **Credential Access:** Stole client PII and likely employee credentials via keylogging or file scraping.
- **Discovery:** Reconnaissance of internal networks to identify tax software and client data repositories.
- **Lateral Movement:** Remote access tools used to pivot through the firms' infrastructure.
- **Collection:** Bulk theft of client PII required for tax filing.
- **Exfiltration:** Exfiltrated stolen client data to overseas servers managed by Akande.
- **Impact:** Fraudulent filing of returns and theft of $1.3M in government funds; reputational and operational damage to the victim firms.
## Impact Assessment
- **Financial:** $8.1 million attempted fraud; $1.3 million successfully stolen; $1.4 million ordered in restitution.
- **Data Breach:** Sensitive PII of over 1,000 taxpayers compromised.
- **Operational:** Disruption to tax filing processes and the need for firms to notify victims and regulatory bodies.
- **Reputational:** Significant damage to the "trusted" status of the affected tax preparation firms.
## Indicators of Compromise
- **Network indicators:** Connections to known Warzone RAT command-and-control (C2) infrastructure [defanged: hxxp[://]warzonerat[.]com].
- **File indicators:** Malicious attachments in phishing emails (e.g., .exe or .zip files disguised as tax documents).
- **Behavioral indicators:** Unauthorized remote desktop activity and mass data transfers of client files during non-business hours.
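The behavioral indicator above (bulk reads of client files outside business hours from a single user and workstation) can be turned into a simple detection over file-server audit logs. The following is an added example, not part of the original report; the log format, the `/clients/` path convention and the 07:00–18:59 business-hours window are assumptions, and the log lines are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed file-server audit log (sample data, not from the report).
# Format per line: ISO timestamp, user, workstation, action, path
SAMPLE_LOG = """\
2021-03-02T09:14:05 jdoe WS-17 READ /clients/2020/smith_1040.pdf
2021-03-02T09:15:11 jdoe WS-17 READ /clients/2020/jones_1040.pdf
2021-03-02T23:41:02 jdoe WS-17 READ /clients/2020/smith_1040.pdf
2021-03-02T23:41:03 jdoe WS-17 READ /clients/2020/jones_1040.pdf
2021-03-02T23:41:03 jdoe WS-17 READ /clients/2020/lee_1040.pdf
2021-03-02T23:41:04 jdoe WS-17 READ /clients/2020/patel_1040.pdf
2021-03-02T23:41:05 jdoe WS-17 READ /clients/2020/garcia_1040.pdf
2021-03-03T01:10:00 asmith WS-03 READ /clients/2020/brown_1040.pdf
"""

# Only accesses to the client-data share are of interest (assumed path layout).
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (READ|COPY) (/clients/\S+)$")
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 local time; assumption for the example


def parse(log):
    """Yield (timestamp, user, host, action, path) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, host, action, path = m.groups()
            yield datetime.fromisoformat(ts), user, host, action, path


def find_offhours_bulk_access(log, threshold=5, window_minutes=10):
    """Return (user, host, first_ts) for each user/host pair that touched at least
    `threshold` distinct client files within `window_minutes` outside business hours."""
    events = defaultdict(list)
    for ts, user, host, _action, path in parse(log):
        if ts.hour not in BUSINESS_HOURS:
            events[(user, host)].append((ts, path))
    alerts = []
    for (user, host), evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            # Distinct files read in the sliding window that opens at this event
            files = {p for t, p in evs[i:] if (t - start).total_seconds() <= window_minutes * 60}
            if len(files) >= threshold:
                alerts.append((user, host, start.isoformat()))
                break  # one alert per user/host is enough for triage
    return alerts
```

Daytime reads by the same user are ignored, so the single nighttime burst from `jdoe` on `WS-17` is the only alert; thresholds should be tuned to each firm's normal after-hours activity (e.g. scheduled backups).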
## Response Actions
- **Containment:** Removal of RAT malware from affected endpoints.
- **Eradication:** Revocation of compromised credentials and blocking of the C2 communication paths used by the malware.
- **Recovery:** Assisting victims with IRS identity theft protection measures (e.g., Identity Protection PINs).
## Lessons Learned
- **Key takeaways:** Small to mid-sized tax firms are high-value targets due to the density of PII and their direct link to government financial systems.
- **What could have been done better:** Implementation of robust email filtering and multi-factor authentication (MFA) might have neutralized the initial phishing and credential theft.
## Recommendations
- **MFA Implementation:** Require multi-factor authentication for all remote access and sensitive data repositories.
- **Phishing Simulation:** Conduct regular training for employees focusing on the identification of "urgent" or "legal" themed phishing lures.
- **Endpoint Protection:** Deploy EDR (Endpoint Detection and Response) tools capable of identifying and blocking known RAT behaviors and Warzone signatures.
- **Network Segmentation:** Isolate client data environments from general employee workstations to prevent lateral movement.