Full Report
Defendant conspired to use stolen taxpayer information to file over 1,000 fraudulent tax returns seeking millions of dollars in tax refunds

BOSTON – A Nigerian national living in Mexico, who was extradited to the United States, was sentenced yesterday in federal court in Boston for his role in a scheme to break into Massachusetts tax...
Analysis Summary
# Incident Report: Multi-Year Tax Preparation Firm Intrusions and Fraudulent Filings
## Executive Summary
From 2016 to 2021, a Nigerian national, Matthew A. Akande, and his co-conspirators executed a sophisticated scheme targeting Massachusetts-based tax preparation firms. Using phishing emails and "Warzone RAT" malware, the group stole taxpayer Personally Identifiable Information (PII) to file over 1,000 fraudulent returns, successfully stealing $1.3 million from the U.S. government. The incident concluded with the defendant being sentenced to eight years in federal prison and ordered to pay full restitution.
## Incident Details
- **Discovery Date:** July 2022 (Indictment unsealed)
- **Incident Date:** June 2016 – June 2021
- **Affected Organization:** Five Massachusetts-based tax preparation firms
- **Sector:** Financial / Tax Services
- **Geography:** United States (Massachusetts); Mexico; United Kingdom; Nigeria
## Timeline of Events
### Initial Access
- **Date/Time:** Commencing June 2016
- **Vector:** Phishing via Email
- **Details:** Attackers sent fraudulent emails to tax firms posing as prospective clients seeking services. These emails contained malicious attachments or links.
### Lateral Movement
- **Details:** Upon successful execution of the phishing attachment, "Warzone RAT" and other Remote Access Trojans were deployed to gain persistent control over the victims' workstations and explore the internal networks of the tax firms.
### Data Exfiltration/Impact
- **Details:** The attackers accessed and exfiltrated PII and prior-year tax records belonging to the firms' clients. This data was used to file more than 1,000 fraudulent tax returns seeking $8.1 million in refunds.
### Detection & Response
- **How it was discovered:** Investigations by the FBI, IRS Criminal Investigation (IRS-CI), and the Justice Department after fraudulent refunds were flagged.
- **Response Actions:** Akande was indicted in July 2022, arrested at Heathrow Airport (UK) in October 2024, and extradited to the U.S. on March 5, 2025.
## Attack Methodology
- **Initial Access:** Phishing (Spear-phishing posing as a prospective client).
- **Persistence:** Remote Access Trojans (RATs) allowing long-term remote control.
- **Defense Evasion:** Use of legitimate-looking business inquiries to bypass basic email filtering/human scrutiny.
- **Credential Access:** Likely harvested via the RAT's keylogging or browser credential extraction capabilities.
- **Discovery:** Scanning local systems for tax-related databases and documents (PDFs, tax software files).
- **Collection:** Gathering historical tax data and personal identifiers (SSNs, names, addresses).
- **Exfiltration:** Data sent to off-site servers controlled by Akande.
- **Impact:** Financial fraud and identity theft; $1.3 million in actual losses.
## Impact Assessment
- **Financial:** $1,393,230 in successful fraudulent refunds; $8.1 million in attempted fraud.
- **Data Breach:** Compromise of PII and sensitive financial records for over 1,000 taxpayers.
- **Operational:** Disruption to five tax preparation firms and to their clients' tax filings and standing with the IRS.
- **Reputational:** Significant damage to the trust between the tax preparation firms and their clients.
## Indicators of Compromise
- **Network indicators:** Traffic to command-and-control (C2) servers associated with Warzone RAT. The source publishes no domains or IP addresses; any indicators shared should be defanged (a hypothetical example of the format: `warzonrat[.]com`).
- **File indicators:** Malicious email attachments disguised as "New Client Documents" or "Tax Records."
- **Behavioral indicators:** Unauthorized remote logins to tax preparation workstations outside of business hours.
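The behavioral and network indicators above can be hunted for in ordinary logs. The following is an added example (not part of the original report or any tool it names): it refangs a defanged watchlist, flags Windows RDP-style logons (type 10) outside business hours, and matches DNS query logs against the watchlist. The log formats, business hours, hostnames, and the `warzonrat[.]com` entry are all constructed assumptions, since the source publishes no real indicators.

```python
"""Added hunting example; log formats, hours and watchlist are constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, time

# Assumed business hours for the firm (constructed value).
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)

# Placeholder watchlist: the report publishes no real Warzone RAT domains.
DEFANGED_WATCHLIST = ["warzonrat[.]com"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) back into a matchable string."""
    s = indicator.replace("[.]", ".")
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s.lower()


@dataclass
class Logon:
    ts: datetime
    user: str
    host: str
    logon_type: int   # Windows 4624 logon type; 10 = RemoteInteractive (RDP)
    src_ip: str


def parse_logon(line: str) -> Logon:
    # Constructed format: "2021-03-12T22:41:17 user=jdoe host=TAX-WS03 type=10 src=198.51.100.7"
    tokens = line.split()
    fields = dict(tok.split("=", 1) for tok in tokens[1:])
    return Logon(datetime.fromisoformat(tokens[0]), fields["user"],
                 fields["host"], int(fields["type"]), fields["src"])


def outside_business_hours(ts: datetime) -> bool:
    """Weekends, or weekday times outside [BUSINESS_START, BUSINESS_END)."""
    if ts.weekday() >= 5:
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def find_suspicious_remote_logons(lines):
    """Remote-interactive logons that happen outside business hours."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        lg = parse_logon(line)
        if lg.logon_type == 10 and outside_business_hours(lg.ts):
            hits.append(lg)
    return hits


def find_watchlist_dns_hits(dns_lines, defanged_watchlist=DEFANGED_WATCHLIST):
    """Match DNS query logs against the refanged watchlist, subdomains included."""
    domains = [refang(i) for i in defanged_watchlist]
    hits = []
    for line in dns_lines:
        # Constructed format: "2021-03-12T22:42:03 TAX-WS03 query=update.warzonrat.com"
        ts, host, q = line.split()
        qname = q.split("=", 1)[1].lower().rstrip(".")
        if any(qname == d or qname.endswith("." + d) for d in domains):
            hits.append((ts, host, qname))
    return hits


# Constructed sample logs (2021-03-12 is a Friday, 2021-03-13 a Saturday).
SAMPLE_LOGONS = [
    "2021-03-12T09:05:00 user=jdoe host=TAX-WS03 type=2 src=-",
    "2021-03-12T22:41:17 user=jdoe host=TAX-WS03 type=10 src=198.51.100.7",
    "2021-03-13T11:02:30 user=asmith host=TAX-WS01 type=10 src=198.51.100.7",
    "2021-03-15T10:15:00 user=asmith host=TAX-WS01 type=10 src=192.0.2.44",
]
SAMPLE_DNS = [
    "2021-03-12T22:42:03 TAX-WS03 query=update.warzonrat.com",
    "2021-03-12T22:42:05 TAX-WS03 query=www.irs.gov",
    "2021-03-13T11:03:10 TAX-WS01 query=warzonrat.com",
    "2021-03-13T11:03:12 TAX-WS01 query=notwarzonrat.com",
]

if __name__ == "__main__":
    for lg in find_suspicious_remote_logons(SAMPLE_LOGONS):
        print(f"after-hours remote logon: {lg.ts} {lg.user}@{lg.host} from {lg.src_ip}")
    for ts, host, qname in find_watchlist_dns_hits(SAMPLE_DNS):
        print(f"watchlist DNS hit: {ts} {host} -> {qname}")
```

The suffix match deliberately requires a leading dot so that `notwarzonrat.com` does not match `warzonrat.com`; a bare `endswith` on the domain string is a common false-positive source in quick-and-dirty hunts.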
## Response Actions
- **Containment:** Federal indictment and international law enforcement cooperation.
- **Eradication:** Extradition and prosecution of the primary threat actor.
- **Recovery:** Court-ordered restitution of $1,393,230.
## Lessons Learned
- **Phishing Vulnerability:** Small-to-medium-sized financial firms remain high-value targets for identity theft due to the density of PII they manage.
- **Malware Sophistication:** Even "off-the-shelf" RATs (Warzone) are highly effective when combined with convincing social engineering.
- **Long-term Persistence:** The attackers operated for five years, indicating a significant gap in proactive threat hunting or anomaly detection within the affected firms.
## Recommendations
- **Email Security:** Implement advanced email filtering that sandboxes attachments and flags external emails without established sender reputation.
- **Endpoint Protection:** Deploy EDR (Endpoint Detection and Response) solutions to identify and block RAT-like behavior (e.g., unauthorized remote-control or remote desktop sessions).
- **Security Awareness:** Conduct regular phishing simulations focused on "New Business" lures specifically for staff in client-facing roles.
- **Multi-Factor Authentication (MFA):** Ensure all systems containing taxpayer data require MFA to prevent credentials stolen via RATs from being used on other services.
- **Reporting:** Immediately report suspicious activity to hxxps://www[.]ic3[.]gov and hxxps://www[.]irs[.]gov.
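The email-security recommendation above (flag external mail without an established sender relationship, especially when it carries attachments) can be expressed as a simple triage rule. The following is an added example, not code from the report or any product it mentions: it parses constructed inbound messages with Python's standard `email` package and scores them on first-contact external sender, risky attachment type, and the "prospective client / tax records" lure wording the report describes. The internal domain, the known-correspondent list, the extension list and all messages are assumptions.

```python
"""Added mail-triage example; domains, correspondents and messages are constructed."""
import email
import email.utils
import os
from email import policy
from email.message import EmailMessage

INTERNAL_DOMAINS = {"example-tax.com"}                  # assumed firm domain
KNOWN_CORRESPONDENTS = {"payroll@client-co.example"}     # assumed prior two-way mail history
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".zip", ".iso", ".docm", ".xlsm", ".lnk", ".scr"}
LURE_PHRASES = ("new client", "tax records", "prior year return")


def sender_address(msg) -> str:
    return email.utils.parseaddr(msg.get("From", ""))[1].lower()


def attachment_names(msg) -> list:
    return [part.get_filename() or "" for part in msg.iter_attachments()]


def triage(raw: str) -> dict:
    """Score one raw RFC 822 message; returns verdict and the reasons behind it."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = sender_address(msg)
    domain = sender.rsplit("@", 1)[-1]
    external = domain not in INTERNAL_DOMAINS
    first_contact = sender not in KNOWN_CORRESPONDENTS
    names = attachment_names(msg)
    risky = [n for n in names if os.path.splitext(n.lower())[1] in RISKY_EXTENSIONS]

    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    lure = external and any(p in text for p in LURE_PHRASES)

    reasons = []
    if external and first_contact and names:
        reasons.append("first-contact external sender with attachment")
    if risky:
        reasons.append("risky attachment type: " + ", ".join(risky))
    if lure:
        reasons.append("prospective-client lure wording")

    if risky or (external and first_contact and names):
        verdict = "quarantine"      # hold for sandbox detonation / analyst review
    elif reasons:
        verdict = "flag"            # deliver with an external-sender banner
    else:
        verdict = "deliver"
    return {"sender": sender, "verdict": verdict, "reasons": reasons, "attachments": names}


def build_message(sender, subject, body, attachment=None) -> str:
    """Helper to construct sample messages (constructed data only)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "intake@example-tax.com"
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        name, data = attachment
        m.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return m.as_string()


# Constructed samples: the lure described in the report, a known client, and internal mail.
LURE_MAIL = build_message("prospect@mail-provider.example",
                          "New client - tax records for 2020",
                          "Hi, I'd like to become a client. Prior year return attached.",
                          ("Tax_Records_2020.zip", b"PK\x03\x04 constructed"))
KNOWN_MAIL = build_message("payroll@client-co.example", "Q1 payroll summary",
                           "Attached as usual.", ("payroll_q1.pdf", b"%PDF constructed"))
INTERNAL_MAIL = build_message("hr@example-tax.com", "Lunch", "Pizza Friday?")

if __name__ == "__main__":
    for raw in (LURE_MAIL, KNOWN_MAIL, INTERNAL_MAIL):
        r = triage(raw)
        print(f"{r['sender']:32} {r['verdict']:10} {'; '.join(r['reasons']) or '-'}")
```

The rule keys on the relationship (first contact from outside the firm) rather than on the attachment alone, because the lure in this case was a plausible business inquiry; a known correspondent sending a PDF is delivered, while a first-contact archive goes to quarantine for sandboxing regardless of how convincing the text is.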