Darknet Diaries - Ep 26: IRS
Episode Date: November 15, 2018
The IRS processes $3 trillion dollars a year. A lot of criminals want to get a piece of that. In 2015 the IRS had a large data breach. Hundreds of thousands of tax records were leaked. What happened and who was behind this? Listen to this episode to find out.
For show notes visit https://darknetdiaries.com
Transcript
The Internal Revenue Service is the American tax collection agency.
And guess how much money they collect every year from American taxpayers?
We collect $3 trillion a year in a voluntary compliance system.
That's the IRS commissioner himself.
And $3 trillion is a lot of money that travels through the IRS's fingers.
And something I've learned over the years is that if that kind of money is going through an organization,
it's going to attract criminals and hackers like a hound dog attracts fleas.
So a lot has to be done to protect the IRS from attackers.
But there are problems.
First of all, the budget is shrinking.
Again, here's the commissioner from 2015.
The IRS is now at its lowest level of funding since 2008.
If you adjust for inflation,
our budget is now comparable to where we were in 1998.
While our budget has been shrinking, however, the taxpayer base has grown by millions. But after
five years of budget cuts and a hiring freeze that has lasted for four years, people need to
understand that the IRS is going to have to do less with less. It means that both enforcement and taxpayer service will suffer.
From 2010 to 2015, the budget had gone down by 20%.
You can already start to guess what kind of impact this may have on an organization.
Between 2010 and 2014, the IRS lost over 13,000 employees.
We expect to lose another 3,000 more or less through attrition by the end of this year.
We have only 650 employees out of 87,000 who are 25 or younger.
87,000 employees and only 650 of them are under 25?
That's like less than 1%.
Combine the dwindling staff and the budget cuts with aging equipment and computers,
and you can start to see that this could become a serious problem. And a problem for the IRS is a dream come true for hackers.
These are true stories from the dark side of the internet.
I'm Jack Rhysider. This is Darknet Diaries.
This episode is sponsored by Delete.me.
I know a bit too much about how scam callers work.
They'll use anything they can find about you online to try to get at your money.
And our personal information is all over the place online.
Phone numbers, addresses, family members, where you work, what kind of car you drive.
It's endless.
And it's not a fair fight.
But I realize I don't need to be fighting this alone anymore.
Now I use the help of Delete.me. Delete.me is a subscription service that finds and removes personal information from
hundreds of data brokers' websites and continuously works to keep it off. Data brokers hate them
because Delete.me makes sure your personal profile is no longer theirs to sell. I tried it and they
immediately got busy scouring the internet for my name and gave me reports on what they found.
And then they got busy deleting things. It was great to have someone on my team when it comes
to my privacy. Take control of your data and keep your private life private by signing up for
Delete Me. Now at a special discount for Darknet Diaries listeners. Today, get 20% off your Delete
Me plan when you go to joindeleteme.com slash darknetdiaries and use promo code darknet at checkout. The only way to get 20% off
is to go to joindeleteme.com slash darknetdiaries and enter code darknet at checkout. That's
joindeleteme.com slash darknetdiaries. Use code darknet.
Support for this show comes from Black Hills Information Security. This is a company that Thank you. call. I'm sure they can help. But the founder of the company, John Strand, is a teacher,
and he's made it a mission to make Black Hills Information Security world-class in security training. You can learn things like penetration testing, securing the cloud, breaching the cloud,
digital forensics, and so much more. But get this, the whole thing is pay what you can.
Black Hills believes that great intro security classes do not need to be expensive,
and they are trying to break down barriers to get more people into the security field.
And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range,
which is great for practicing your skills and showing them off to potential employers.
Head on over to BlackHillsInfosec.com to learn more about what services they offer and find links to their webcasts to get some world-class training.
That's BlackHillsInfosec.com.
BlackHillsInfosec.com.
2015 was a year full of data breaches.
Starting the year off were two big breaches from healthcare providers.
In February, Anthem announced that 80 million patient records were stolen.
Discovered around the same time was Premera Blue Cross,
and they found that possibly the same actors
were in their network and admitted to a breach
of 11 million patient records.
So just in the first quarter of 2015,
we saw almost 100 million patient records
get pinched by hackers.
And they didn't actually steal medical records.
Instead, they grabbed stuff like names, birthdays, medical IDs, social security numbers,
street addresses, email addresses, employee information, and income data.
People weren't sure what it could be used for.
Who's doing this and why?
Was it just being sold on the dark market for a quick bitcoin?
Or was this information collected as part of a multi-stage attack?
In what ways could this information be valuable to hackers?
And how can you make money if you know someone's name, address, social security number, and stuff like that?
I'll let you think about that for a minute.
Let's talk about the IRS.
For my non-American listeners, the Internal Revenue Service is the U.S. government agency that collects taxes. And most U.S. citizens and businesses have to report
their income to the IRS every year and pay taxes based on how much money they made. So the IRS has
to process hundreds of millions of tax forms a year. And it's an archaic and overly complicated
system. Basically, us Americans pay a percentage of the money we make to the
government, so they can pay off national debts for military, social security, medical care for
the elderly, and stuff like that. And the US government needs a lot of our money. On average,
they take about 14% of our paychecks. So if you made $67,000 a year, they want $9,000 of that.
But here's the thing, Americans don't save up $9,000 to give it to them every
year. We simply ask our employers to take out that money from our paycheck before we even get it.
That way it's all paid up and stuff. But we don't always know how much to pay, and sometimes we
underpay, and come tax time we have to pay a little bit more. But what a lot of people actually do is
overpay, and then the IRS gives us back the money we didn't need to pay. This can sometimes be a nice-sized tax return, thousands of dollars.
This process of tax filing is all super complicated,
and traditionally the IRS has handled all of this through paper forms.
If you wanted to see your old tax records, you had to fill out the IRS Form 4506 and pay $50,
and you can get your old tax records sent to you in the mail.
But in the last decade, they've been moving to electronic filings,
where you can do the whole thing through the website, irs.gov. In January 2014, they made a new feature to irs.gov website called Get Transcript. And this would allow you
to see your tax records from last year in case you wanted to use them to help submit for this year.
It was a fantastic feature, and right away millions of Americans were using it to look up their tax forms from last year.
Now normally when you sign up for a bank account
or medical provider,
you're put through a sign-up process,
which often includes setting up a password,
and then some account recovery questions,
such as where you met your spouse,
or what high school you went to.
But the IRS.gov website is different.
They use something called Instant KBA,
or Knowledge-Based Authentication.
This is a series of questions they ask that only you would know the answer to,
like what your mortgage payment is and where you bought your car.
It's called Instant KBA because they already have the answers on their side.
This is a little different than a bank account, where when they ask you the question,
they don't know the answer, and you put the answer, and then they save that for next time.
With Instant KBA, they already know what high school you went to from your credit records.
The IRS partners with one of the big credit reporting companies like Equifax to learn more about you.
So through this, the IRS knows what streets you previously lived on and what credit cards you currently have and stuff like that.
So when you want to use the Get Transcript feature of the IRS.gov website, you're asked a series of questions like this. Questions only you would know
the answer to, which proves who you are and then they show you your old tax records. But can you
maybe guess what a few problems are with this instant KBA? Well, first of all, the IRS says 22%
of people cannot answer the questions correctly themselves. I mean, do you remember
your phone number you had 10 years ago? Or the address you had in college? Maybe, but when you're
70, will you? And here's another problem with Instant KBA. You can't opt out of it. The IRS
and Equifax have collected and stored this information about you that you didn't give
them authorization to keep. So it can become a privacy issue. In fact, NIST, a government-run
standards board, comments
on this specifically, saying, it is inappropriate to involuntarily expose the privacy of unknown
citizens of an instant KBA authentication scheme unless the risk is close to zero. Another big
issue with this knowledge-based authentication relies on knowing secret information about you.
And as our data becomes more exposed to the world through breaches,
this secret information is no longer secret. So let's go back to 2014 when this Get Transcript service was first introduced to the irs.gov website. And let's say we wanted to get our
old transcripts. So first off, the site asks the following. Name, social security number, address.
Now historically, your social security number is private and only a few people would know it.
But as data breaches happen, it's becoming not as private anymore.
Name and address are not that hard to figure out, so these first questions could easily be defeated with anyone knowing this about you.
And at this point, they make you sign up with an email address, and they send you an email for next steps.
Then you're presented with four multiple-choice instant KBA questions. Here's a
few samples. Please select the county of the address you provided. Well, obviously you can
look that up on any map, so that's easy. Next question. According to our records, you previously
lived in, insert town, please select a street which you resided on in that town. Well, it's a
multiple choice question, so you can look at the answers and rule out any streets that don't exist in that town, and then you'd have a fairly high chance
of getting the answer right. Please select the city you previously resided in. Well,
if the hacker had any data on you from previous breaches, then this is probably included.
Or heck, the answer might even be in the previous question. According to our records,
you graduated from which of the following high schools? Well, have you been on Facebook lately?
Pretty much everyone is on there, and they all love to write what high school they went to.
So this is usually pretty easy to find.
And that's it.
If you answer those questions correctly, you get the historic tax records for that person.
And if you really look at it, because it's multiple choice questions,
we have a shot at getting all the questions right without even having breach data.
Just by googling a person and where they used to live and stuff. So this get transcript option at the irs.gov website was used
by millions of people in 2014, and then again in 2015. It's a great feature, but you may have
noticed by now that the authentication method maybe wasn't that secure. So let's go to February
2015, the same month that the Anthem breach was discovered.
A guy named Michael Kasper goes to file his taxes.
He fills out all the forms electronically and hits submit.
But something's wrong.
The IRS's website is telling him he's already submitted his taxes.
But that's impossible. He hasn't submitted it yet.
He calls the helpline.
And you know what? I'll let him tell the story.
So on Monday morning, I called the IRS.
And they confirmed my identity by asking tax history-related questions
and showed me that a deposit was being made the same day that I was calling
into somebody's account, but that it was too late to stop it at that point.
The IRS just told him that someone else filed a tax return in his name,
and a check was sent to that person
and it had already been deposited. The IRS wasn't able to tell him anything else like how much the
check was worth, what bank was deposited, or anything like that. The IRS can't disclose this
because of privacy. So I was frustrated by that. That's when I tried the get transcript function
on the IRS website to see if I could get a transcript and found out someone else had already registered their email address with my social security number.
It appeared someone had already gone through the steps of doing a get transcript under Michael's tax records and made an account as him.
And at this point, Michael didn't know what to think.
He wondered if he got hacked or if someone stole his wallet or identity or what had happened.
Is it his fault this is happening? Over and over, Michael had asked for more information about who
filled out his taxes, but the IRS was refusing to give any information. The law clearly states the
IRS cannot share tax information with anyone. And he wasn't able to log into the IRS website and do
the get transcript function because someone else already registered as his name. So he felt stuck. But he came up with a new plan. He figured out if you
fill out the IRS Form 4506 and include $50, they'll send you a physical copy of
your tax return.
I found out I could get a photocopy for $50. They have been
telling me I couldn't get the information, but if I pay $50, I could get it. So March
17th, I got a photocopy of the return, which is when I found
out that whoever filed had seen my 2013 return because the information was almost identical.
This was freaky. He was starting to put the pieces together now. Someone definitely did
the get transcript process on irs.gov website, got a copy of his old tax return, and submitted
a new one for this year. He looked at the tax return someone else submitted and they got a refund for $8,936. This was money the IRS owed Michael, yet they sent
it to this other person. Michael looked closer at his tax return and saw the bank account number.
Michael is a smart guy, an engineer even, and wasn't getting any help from the IRS and he was
getting angry.
Angry that someone else stole his money from him.
So he decided to try to figure this out on his own.
But I contacted the bank in Pennsylvania.
They confirmed a deposit was made, and I guess the metadata in the deposit actually shows my name and my social security going into someone else's checking account.
So they told me the location, Williamsport, Pennsylvania,
where all the money was withdrawn, and I contacted the local police there.
The police called him back right away and wanted to know more.
They opened up a case and began investigating who deposited the check.
And on that same day, Michael got a letter.
I got a letter in the mail from the IRS that they had,
six weeks later, received my documentation and that they would get back to me in six months.
It kind of made Michael mad. Almost immediately upon getting his tax records he was able to make a lot of progress
by opening a police investigation and here the IRS is saying it's going to take them six months
to investigate this. I also got a letter that week from Anthem Healthcare offering me free credit
monitoring. I don't really know if that is related to how my information was obtained.
Michael had his personal information stolen in the Anthem breach.
And remember the data stolen in the Anthem breach included his name,
social security number, and past addresses.
This would probably be enough to pass the KBA and do the get transcript.
The police went to the person's house in Pennsylvania,
and they found this person who deposited the check was a young female college student. She had responded to a Craigslist ad offering a job
opportunity. Ah, yeah, the old money mule scam. Okay, here's how this works. Criminals who need
to move money around will offer up jobs on Craigslist, saying something like an international
finance company needs assistance writing letters. Then they're given the job interview and get
hired.
First, they're given some basic tasks to do, like correct some English on some emails.
These basic tasks are just there to earn trust. Then the criminals will give some sad story about how they need to pay a client immediately, but funds are tied up. And they ask the victim,
hey, if we send money to you, could you then send the check to the client? And if they agree,
a money mule is born.
It's very illegal to be a money mule, and this young woman had no clue it was illegal.
She just needed some extra cash to get through college.
Money was deposited into her account, and then she wired large amounts of it to Nigeria through Western Union.
She sent $7,000 to Nigeria, and as a reward, she was able to keep the other $1,900,
which she used mostly on rent, leaving just $5 left in the account when the police caught her.
She was arrested for being a money mule, and later got out on bail, having to pay $8,500.
Michael was frustrated with this whole ordeal, so at the end of March,
he contacted the journalist Brian Krebs to share his story.
And right away, his story showed up on Krebs on Security, a blog about breaches and security.
The IRS noticed this blog post and eventually refunded the money back to him.
But this took months.
Michael wasn't the first to report this kind of fraud in 2015.
Many more people were having the same issue, thousands of others. So the IRS began looking into
it. The commissioner of the IRS, John Koskinen, called together a security summit to determine
what's going on. And they saw this post on Krebs on Security. And they were also told by the Utah
State Tax Commissioner that they were seeing 10 times as much tax fraud this year compared to last
year. The IRS was seeing that on a lot of these fraudulent tax returns,
the tax forms were filled out exactly the same as the previous year, complete with any typos that were on the year before. So this made it obvious that someone had gotten a bunch of people's tax
returns from last year and were submitting them fraudulently this year. So the IRS went and looked
at these fraudulent tax returns to see if there was a get transcript request on the website. And sure enough, there was. And a lot of them were using the same exact email address.
Hundreds, maybe thousands. This was obviously a flaw in the IRS's system to have thousands of
tax returns linked to the same email address. So the IRS conducted a deep dive investigation
to see what was going on.
This episode is sponsored by NetSuite.
What does the future hold for business?
You don't know?
Well, me neither.
But what I do know is that you don't have to be months ahead of your competitors to be more successful.
Just a few days or even a few hours can work wonders. So until someone brings you a crystal ball, NetSuite can give you an advantage.
More than 38,000 businesses have future-proofed their business with NetSuite by Oracle. It's a
cloud ERP service and one that I'd be using if I needed the help. NetSuite brings accounting,
financial management, inventory, and HR into one fluid platform. When you're closing the books in days, not weeks, you're spending less time looking backwards and more time on
what's next. Whether your company is earning millions or even hundreds of millions, NetSuite
helps you respond to immediate challenges and seize your biggest opportunities. And make use
of real-time insights and forecasting, allowing you the opportunity to look into the future with
actionable data. Speaking of opportunity, download the CFO's guide to AI and machine learning at Thank you.
Two months after that Krebs article, the IRS had figured it out. Through commonalities and email addresses, they found out that this crew had issued 13,000 fraudulent tax returns.
And if you add up all 13,000 tax refund checks, this crew stole around $40 million from the U.S. Treasury.
I want to take a moment to reflect on this for a second.
When we hear about a breach of personal data stolen, like at Anthem,
we wonder how much this data can be worth.
And how could criminals use this to make money?
Of course, the obvious answer is that this information can be sold to others,
but using it to steal money from the IRS is not only more lucrative,
it's downright genius.
These criminals knew the tax system well enough
that they used data stolen from a breach to get old tax transcripts. And then they used those old tax filings to submit that person's taxes this
year. Then they had to set up a whole network of money mules. And keep in mind, this requires
Craigslist ads and job interviews and all this other stuff. And then they had to launder the
money all the way back to them. And they did this 13,000 times in about three months time.
Unbelievable. So by this point in May, the IRS was
on really high alert for fraudsters and criminal activity. And this is when they noticed a really
large spike in people using the Get Transcript option on the irs.gov website. This Get Transcript
feature of the website was so popular that over 20 million requests were seen just in that year.
So during tax time, that's over 100,000 requests a day for the Get Transcript.
But this spike was much more than that.
This was like hundreds of thousands more all in one day.
And in fact, it was so many requests that the system started getting backed up,
and the IRS thought they were under a denial of service attack.
But they were able to keep the site up and sustain the flood of usage, and things died down.
A week later, on May 21st,
a security center within the IRS had discovered something terrible.
It wasn't legitimate users trying to do the Get Transcript of tax records.
It was hackers.
Oh, fraudsters.
Thieves.
Over 200,000 suspicious attempts were made to get transcripts of taxpayers,
and half were successful.
The thieves successfully used the Get Transcript feature of the irs.gov website to obtain the tax records of 100,000 people.
Now keep in mind, this isn't a hack. The thieves didn't use any trick or exploit or vulnerability.
They simply found a way to navigate through the authentication system, probably by using some
personal information they obtained from other breaches. But even though this isn't a hack,
it's certainly a breach of data,
and very personal data.
And it's super scary to think about what criminals like this will do with your past tax records.
These people have a lot of resources and time to move fast and steal a lot of money,
so this could possibly cause problems for those people for years, or even life.
Once the IRS detected that 100,000 tax records
were stolen from their website,
they immediately disabled the Get Transcript feature.
Five days later, they announced to the public
that there had been a breach
and 100,000 tax records were stolen.
The IRS made a bunch of corrective actions
after this breach.
Here's the IRS commissioner.
Letters have already gone out
to the approximately 100,000 taxpayers
whose tax information was successfully obtained by unauthorized third parties.
We are offering credit monitoring at our expense to this group of taxpayers.
We're also giving them the opportunity to obtain an Identity Protection Personal Identification Number, or IP PIN as it's known.
This will further safeguard their IRS accounts. The GetTranscript application has also been taken down while
we review options to make it more secure without rendering it inaccessible to legitimate taxpayers.
The IRS created this option to get an IP PIN, or Identity Protection Personal Information Number.
This is a six-digit code that the IRS can issue you, which would then be required to complete
your tax return. So this makes it harder for the criminals to submit taxes if they don't know this PIN. The news of the IRS being breached was the top story in almost all
news outlets in the U.S. Citizens were angry. Congress and senators had questions. A full
Senate committee hearing was held to have the IRS testify. This is the IRS Commissioner John
Koskinen's opening statements. The unauthorized attempts to access information using the Get
Transcript application were made on approximately 200,000 taxpayer accounts,
from questionable email domains, and the attempts were complex and sophisticated in nature.
These attempts were made using taxpayers' personal information already obtained from sources outside the IRS.
During the middle of May, our cybersecurity team noticed unusual activity on the GetTranscript application.
They ultimately uncovered questionable attempts to access the GetTranscript application.
Of the approximately 100,000 successful attempts to access the application, only 13,000 possibly fraudulent returns were filed for tax year 2014, for which the IRS issued refunds totaling about $39 million.
In this hearing, we also hear from Michael Kasper, that guy who tracked down who stole
his tax return himself. In fact, the clips you heard earlier from him are from this Senate hearing.
In fact, there were multiple hearings that went on for hours and hours.
And during the hearing, we hear a little bit about the types of computer problems the IRS faces.
We are running an antiquated system with some applications that are 50 years old.
As noted in some cases, we haven't even been able to provide patches for all of the upgrades.
Some of our systems don't have patches because they're no longer supported by the provider.
On one report after an inspection, they found that over 30% of the systems in the network weren't being monitored at all. And if you stop to think for a moment, the IRS has pretty much
every U.S. citizen as a customer or client. Compare that to Facebook, which only has about
68% of the U.S. population as users. The IRS has a lot of users. And with 87,000 people on the staff,
there are a lot of computers. At some point, the size of the network becomes so
big that it becomes a logistical nightmare to keep it secure. Both Democrats and Republicans
offered their support and assistance to help the IRS combat this problem. They seem to genuinely
want this problem fixed. Here's what one senator said to the IRS commissioner during the testimony.
I told you yesterday on the phone I'm here to help. How can I help you?
Senators seem to understand the enormous complexity that the IRS faces in this situation
and actually felt bad for the IRS commissioner. Mr. Koskinen, you have a tough job. There's no
question about it. I don't know anybody that approaches it with a smile like you do.
And I'd be upset every day. And I think there's something wrong with you that you're not upset every day.
At some point in the hearing, the senators wanted to know who was behind this attack.
News reports indicate that the recent IRS identity thieves may have been in Russia.
The IT inspector who conducted a security audit on the IRS commented on this.
Eventually, we're able to track them down,
but at this stage, when the report,
there was a report that it was solely Russia,
and I want to make it clear that's not the case.
It's beyond Russia.
So I just wanted to get that on the record.
When you say beyond Russia, what do you mean?
That there are other domains,
the domains are located in nations other than Russia,
in addition to Russia.
When the IRS became aware of this breach,
they immediately contacted Homeland Security
to help them investigate who was behind this.
Knowing that a lot of fraudulent uses of the Get Transcript had occurred,
the IRS went back to look at the database.
Over 23 million times the Get Transcript service was used that year.
The security team combed through those 23 million requests and found more fraudulent requests.
Three months after the initial discovery of the 100,000 stolen tax records,
the IRS announced there were another 220,000 tax records that were illegally accessed.
This raised the full number of stolen tax records to 334,000.
And looking at some numbers here, it looks like the thieves were able to access about 54% of the transcripts they attempted to get from the website.
Compare that to the 22% success rate for normal people.
It seems like criminals are better at knowing your personal information than you are.
And that's just fascinating.
And if you remember, the IRS started using this IP PIN thing
to add an additional level of security to your taxes.
But this had a few problems of its own.
First of all, your PIN is issued through the website.
And compare that to where your bank sends you your PIN in the mail.
If you lost your IRS PIN and you wanted to recover it,
you had to go through the same IRS.gov website
to answer the same weak KBA questions
that the attackers defeated to get your transcripts.
And guess what? The criminals figured this out and began stealing PINs. In February 2016,
the IRS issued a statement saying that there were over 464,000 unauthorized attempts to get the PIN,
and the hackers successfully got 101,000 PINs from taxpayers. Then the IRS discovered something else. They conducted another
audit on the people who did get transcript on the website, and they found the number was higher than
they initially thought. First, the IRS said it was 101,000 people, and then they discovered it was
334,000. But now the IRS is saying it's twice that. 724,000 people got their tax returns stolen by criminals through this Get Transcript feature of the website.
More letters were sent, and more free credit monitoring was issued.
Within the IRS is a whole department called the IRS Criminal Investigation Division,
and the IRS itself has over 2,000 special agents that specifically investigate tax fraud.
These special agents will work with the FBI, Secret Service, Homeland Security,
and local police to track and catch these criminals.
But as budget cuts hit the IRS,
this means about 4% of the special agents
lose their job each year.
And when there's less investigations,
there's less arrests.
The IRS Criminal Investigation Division
opens about 3,500 cases a year,
and they actually catch and convict
about 3,000 people a year.
So did they find out who did this and bring them to justice? I'm not sure. Here's what I found though. The
Department of Justice issues a press release each time someone gets sentenced for stolen identity
refund fraud. It lists hundreds and hundreds of cases going all the way back to 2010. So I started
combing through it, looking at case notes and dates and crimes to
see if anything matched this. And stuff started showing up. Probably the biggest one I saw was a
Nigerian man who was caught and sentenced to 15 years in prison for running one of the biggest
tax fraud schemes ever. Here's what happened. A bunch of people in the state of Oregon were
reporting that someone had submitted their tax refund for them. The IRS criminal investigation team looked into it
and found that someone was fraudulently submitting tax returns
for the people in Oregon and taking all their refunds.
They tracked this activity back to a Nigerian man named Kazim,
who was living in Maryland.
They arrested him and found in his house 150 prepaid credit cards,
$40,000 in money orders, and $14,000 in cash.
During trial, they learned what happened.
Kazim had purchased
personal identification information from a Vietnamese hacker, specifically 259,000 records
from a company in Oregon. Perhaps the Vietnamese hacker stole a database from a credit agency or a
medical facility in Oregon. Kazim then used this information to do Get Transcript on the irs.gov
website and also get the PINs from
the website to submit tax returns for those people. And he submitted 10,000 tax returns,
which would have resulted in $91 million if he got all the returns, but a lot of them didn't
get accepted. So he was only successfully able to get $11 million back from fraudulent returns.
And to throw the police off, he funneled a lot of the money through Nigeria and then back to him. He had five other people working for him, all who were arrested and put
in prison. So maybe this guy, Kazim, was one of the bigger players in this breach. But I don't
think he was the only one. Looking through the other arrests on the DOJ's website, I see some
more, and this time even more close to home. There's a Texas guy that was caught and arrested
for fraudulently using the Get Transcript feature and getting people's information and submitting their
tax returns for them. He was sentenced to two years in prison. Then there was a Georgia couple
who were arrested for exploiting the Get Transcript feature and got over $1 million in tax refunds,
and they were both put in prison for years too. And then there was another guy in Texas who was
also caught using the Get Transcript feature and submitted false tax returns too.
And in fact, as I started looking who's been submitting fraudulent tax returns like this,
the bottom of this story began to fall out.
Take the case of Danielle, for example.
She's a 27-year-old exotic dancer in Tampa, Florida, but she was arrested for tax fraud.
She had stolen over $1 million in tax refunds from people she didn't know, and she
continued to get away with it for four years. In fact, in some circles, she's known as the pioneer
of this stuff. She would organize something called drop parties. This is where you get together and
swap tactics, stolen personal information data, and teach others how to do it. And she was eventually
caught and put in prison. But this made me look up the term drop party. And this could have been a term
she invented, but it's slang used in some circles specifically in Tampa, Florida. Because only in
Tampa have I found the term drop to mean tax fraud. Okay, okay, I'm going to play you something that
might blow your mind, but I want to warn you, it's not safe for work. If you have young kids or
something, you may want to skip ahead three minutes. So here's the thing. Gangster rappers
sometimes boast about the crimes they commit right in the lyrics.
They talk about shooting people, stealing stuff, and drug dealing.
But listen to this song.
What?
This song called Drop Ho is a ballad about a guy trying to find a girlfriend
who makes a living off of identity theft tax fraud.
It practically goes through step by step on how to do it.
Here's some more lyrics.
Homegirl came with a few names.
Told me all a nigga need is a laptop.
And she gonna show me what to do to make a tax drop.
Said her homegirl came with a few names
Told me all a guy needs is a laptop
And she's gonna show me what to do to make a tax drop
And I'ma steal your information on the W-2
Say she needs an address to get more cards
Wanna be a hood rich, honey, I'ma show you
Told me get a date of birth, don't forget the social
She got them stacks, then went tax on the Turbo.
Wow. Just wow.
He even said what tool to use, TurboTax.
I mean, how popular is this crime?
But you have to hand it to the gangster rap community.
They don't hoard their exploits.
They share them openly on the public stage.
It's kind of like they're saying, hey, this is what we do down in Tampa.
But seriously, has tax fraud gotten to the point where gangster rap is in on it?
Yeah, I guess so.
And it appears especially so in the southeast of the U.S.
Alabama, Georgia, Louisiana, and Florida top the charts for the most arrests made for stolen identity tax fraud.
Like these states are ridiculously higher than the others.
Now keep in mind, they're exploiting people from all around the country, but for some reason, in this region, a skill is passed around on the streets and at drop parties. And in some arrests I've read, it's
been an elaborate scheme where one member of the crew will go work at a company and steal all the
W-2s and then another will file the taxes and then someone else will work at a cash checking place
and knowingly cash fraudulent checks. This kind of stuff is seen over and over in these states. It's crazy.
So this is what I mean by the story becomes bottomless as I'm trying to figure out who is
behind this, because there's just so many of these cases, and it's a gray line between tax fraud and
Get Transcripts and stolen identities. But knowing this, we do get a glimpse on who's using your information and
how it's being used against you. And you may think this isn't your problem. It's the IRS's problem.
But if you rely on or expect a large tax return and someone else gets it instead of you, it's
your problem now. Sure, the IRS may spend six months investigating and pay it back to you,
but that delay can be a nightmare. So we need to protect ourselves. The IRS brought back the
Get Transcript feature on the website, and now it requires additional information, like you need to
know your mortgage account number and phone number to get your transcript. But you can see this KBA
authentication method is starting to show its age and may not be secure anymore because the
information that only you know is now known by hackers around the world. And who knows what was
stolen from that Equifax
breach? Maybe the entire KBA database. This could have exposed all of our secret information,
which would have completely nullified the KBA altogether. And the KBA system is not just used
at the IRS. You can also see it over at annualcreditreport.com. So it's possible these
thieves are targeting your credit records too. And maybe they already have, and nobody noticed
or disclosed of this breach. It's also possible that with enough information about you, someone can open a credit
card in your name and take loans out in your name. So not only does a breach with your data impact
your tax refunds, but it can now put you in a serious debt that you didn't actually spend.
The IRS faces thousands and thousands of people trying to conduct tax fraud every year. And
they're successful at stopping most of it and even putting thousands of fraudsters in jail. But the security they put in
place today may not work next year. The IRS doesn't have traditional security problems that take
traditional security solutions. They're developing extremely advanced filters and algorithms to
detect fraud and have done an amazing job at mitigating it. But it's one of those things that
will never get down to zero because fraudsters will continuously be looking for loopholes or
weak security measures and exploit them whenever they can. I can't imagine the nightmare of trying
to secure the IRS. And because it collects over $3 trillion in tax revenue a year,
it's a red hot target. So the IRS sees an endless amount of attacks, scams, frauds, and thieves, especially
during tax season when criminals can try to hide in the mass amounts of tax returns being sent.
One of the biggest problems with the IRS's website is that it has to be easy enough for the elderly
to use, but actually secure at the same time. So I'm not sure if forcing everyone to register with
an email or two-factor authentication is even doable. It's such a complex issue that it actually gave me a headache trying to figure out a solution to this
problem. This is the new threat landscape that governments have to face though, and these attacks
are getting bigger and more sophisticated. In 2016, we saw a rash of companies getting breached,
and what was stolen was simply their W-2 tax statements. Past and present employees from
Seagate and Snapchat had their W-2s stolen,
which was enough information for those street gangs to file returns and open credit cards up
in your name. I'll leave you with some recommendations on how to keep yourself safe
with the IRS. First, go to irs.gov and register at the site. Link your identity to your email
address. This will prevent criminals from registering for you. This is a simple thing
to do, so there's no excuse not doing it. If you want to take it a step further, register for the IP PIN.
This is a unique number that you must have to complete your taxes. But the problem is you can't
opt out of the IP PIN, and it changes every year. So if you take this path, you're taking it for
life. Third, freeze your credit at all three credit monitoring agencies. This way, nobody can take
loans out in your name or open new lines of credit. And lastly, file your taxes early before the bad guys can do it for you.
You've been listening to Darknet Diaries. This show is made by me, Mr. Ribbit, Jack Rhysider.
And when I say it was made by me, I mean everything. The research, the writing,
the music design, the editing, and the narration. It takes a lot of work to make each episode, so I would really appreciate it if you show
support by going to patreon.com slash darknetdiaries and donate to the show.
Donations can only bring good things, like better audio, better stories, more stories,
and less ads.
The theme music for this show was created by the beatmaster, toe-tapper, Breakmaster Cylinder.
Peace.