Tax Forms Fetch $20 on Dark Web Amid Surge in Identity Theft During Tax Season

Tax season is a prime opportunity for identity theft: criminals use stolen personal data to file fraudulent tax returns and claim refunds before legitimate taxpayers can. This trend highlights the vulnerabilities within the tax system and the urgent need for individuals to safeguard their personal information.

Understanding Stolen Identity Refund Fraud (SIRF)

Stolen Identity Refund Fraud (SIRF) represents a significant form of tax fraud. Criminals obtain personal information, such as Social Security numbers and dates of birth, to file fake tax returns in the names of unsuspecting individuals. Typically, these fraudulent returns are submitted early in the tax season, allowing fraudsters to receive refunds before the legitimate taxpayer has the chance to file.

The funds from these fraudulent claims are often directed to bank accounts, debit cards, or addresses controlled by the criminals. Victims usually become aware of the fraud when their legitimate tax returns are rejected or when tax authorities, such as the U.S. Internal Revenue Service (IRS), inform them that a refund has already been issued in their name.

The Dark Web’s Role in Tax Fraud

As Americans rush to meet tax deadlines, a hidden ecosystem on the dark web becomes increasingly active, transforming tax season into a lucrative period for international cybercriminals. Shahak Shalev, Global Head of Scam and AI Research at Malwarebytes, notes that the expectation of tax-related communications makes phishing emails and fake IRS alerts more believable. He emphasizes that the personal data necessary for committing tax fraud is alarmingly inexpensive on the dark web, making tax season an annual opportunity for scammers.

The surge in fraudulent refund claims is supported by a sophisticated criminal supply chain rooted in Russian-language underground forums, which serve as key enablers of tax fraud. Instead of gathering data individually, fraudsters can purchase extensive datasets of stolen Personally Identifiable Information (PII), complete with ready-to-use W-2 and 1040 forms. More advanced operations involve Initial Access Brokers (IABs) who auction off direct access to compromised Certified Public Accountants (CPAs) and accounting firms.

This underground economy not only provides raw data and access but also a comprehensive suite of “fraud-as-a-service” tools, including on-demand services for forging financial documents and instructional resources that offer step-by-step guidance.

The Black Market for PII

At the center of this illicit commerce is a prominent Russian-language underground forum, which acts as a marketplace for fraudsters to buy and sell tax-related PII. The commoditization of this data is strikingly efficient, resembling a traditional e-commerce platform. Recent observations reveal a clear pricing structure based on the freshness of the data and the target demographic. For instance, a bulk package of 100 complete tax forms was advertised for $2,000, effectively pricing a fully documented stolen identity at just $20.

Conversely, older data dumps from previous tax years are heavily discounted. Sensitive records belonging to wealthy retirees and pensioners from earlier periods can be found for less than $4 per identity.

Access for Sale

The vast volume of tax-related data available on the dark web must originate from somewhere. Cybercriminals have identified U.S. companies involved in tax preparation and accounting as prime targets. Breaching these businesses, which serve as centralized repositories of sensitive information, proves to be far more efficient than attempting to deceive individual citizens into divulging their personal details.

Recent investigations have uncovered instances where threat actors have successfully infiltrated small tax service firms, auctioning off access to databases containing highly sensitive PII of numerous clients.

Additional Data for Sale

Even when cybercriminals face obstacles during the fraud process—such as missing pieces of PII or specific financial documents required for verification—the underground market offers a range of on-demand services to address these challenges. One such market, known as “Cypher – Fullz and Docs,” specializes in selling complete, ready-to-use sets of stolen U.S. identities, commonly referred to as “fullz,” for as little as $0.75 per set.

When additional paperwork is needed to legitimize a fraudulent claim, criminals can turn to specialized forgery services like “Fakelab.” For a nominal fee, these services provide meticulously forged tax-related documents, ensuring that scams can proceed without interruption.

Tutorials and Guidance for Criminals

The final phase of the tax fraud lifecycle, cashout, often poses the greatest risk for attackers. To successfully extract stolen funds, fraudsters require a robust financial infrastructure, typically relying on compromised “drop” bank accounts and tools designed to launder money and obscure their tracks. The dark web ecosystem offers not only the necessary tools but also detailed educational resources for executing these complex cashout schemes.

One such resource, known as “Flava,” serves as a centralized instructional hub with comprehensive tutorials specifically aimed at orchestrating these schemes against U.S. citizens and residents.

How to Stay Safe

Stolen Identity Refund Fraud serves as a stark reminder that identity theft can extend beyond fraudulent purchases to affect fundamental activities like tax filing. Cybercriminals exploit underground marketplaces that sell stolen personal data, compromised business access, and tools designed to facilitate fraud, enabling them to file fake tax returns swiftly and at scale.

To mitigate the risk of becoming a victim, taxpayers should take proactive measures to limit the availability of their personal data, file taxes early, and remain vigilant for signs of identity theft. Key steps include:

  • File Taxes Early: Submitting legitimate tax returns promptly makes it more difficult for criminals to file fraudulent claims in your name.
  • Protect Your Social Security Number: Share your Social Security number only when absolutely necessary.
  • Be Wary of Phishing Attempts: Scammers often impersonate the IRS, banks, or tax services to trick individuals into revealing personal information.
  • Use Strong, Unique Passwords: If criminals gain access to your email or financial accounts, they may collect the information needed to impersonate you.
  • Monitor Accounts and Credit Reports: Unexpected tax notices, rejected returns, or unfamiliar financial activity can indicate identity theft.
  • Consider an IRS Identity Protection PIN (IP PIN): This adds an extra verification step when filing tax returns, helping to prevent unauthorized filings.

For further insights on personal data exposure, individuals can utilize Malwarebytes’ free Digital Footprint scan to assess whether their information has been compromised online.

This article is based on publicly available Malwarebytes reporting.
