Tax Season Heist: Nigerian Hacker Nets 8 Years for $1.3M Tax Refund Fraud Scheme

A Nigerian national has been sentenced to eight years in federal prison for orchestrating a multi-year tax refund fraud operation that targeted tax preparation firms, stole sensitive client data, and siphoned over $1.3 million in fraudulent tax refunds from the U.S. government. The case, detailed in a February 19, 2026, BleepingComputer report and the U.S. Department of Justice announcement, serves as a stark reminder of how persistent phishing and commodity malware continue to enable large-scale tax refund fraud—even years after the scheme’s peak.

Matthew Abiodun Akande, 37, from Nigeria, was extradited from the UK to the U.S. in March 2025 after his arrest at London’s Heathrow Airport in October 2024. He had been indicted in July 2022 while living in Mexico. Between June 2016 and June 2021, Akande and co-conspirators (including U.S.-based accomplices who handled bank accounts and cash withdrawals) compromised the networks of four tax preparation firms in Massachusetts. This tax refund fraud scheme demonstrates the long-term viability of relatively straightforward attack methods when combined with effective evasion techniques.

The attack chain was classic but effective:

• Phishing emails impersonated the CEO of a Massachusetts architectural engineering firm, using lookalike domains and email accounts.
• Attachments included legitimate-looking 2019 tax documents (W-2 and 1099 forms) for credibility.
• Recipients were directed to Dropbox links containing disguised executables.
• Clicking installed Warzone RAT (a remote-access trojan), which Akande purchased licenses for, along with crypters to evade antivirus detection.
• Once inside, the malware harvested clients’ Social Security numbers, prior-year tax returns, and other PII.
• Akande’s group filed over 1,000 fraudulent tax returns claiming refunds totaling more than $8.1 million, successfully collecting $1.3 million+.

U.S. District Judge Indira Talwani in Boston sentenced Akande to eight years imprisonment plus three years supervised release, and ordered him to pay nearly $1.4 million in restitution. The Warzone RAT infrastructure was later disrupted by the FBI in February 2024, leading to related arrests. Cases like this highlight how tax refund fraud operations can persist for years, exploiting seasonal vulnerabilities.

This operation highlights enduring risks in the cybercrime ecosystem:

• Commodity malware’s staying power — Tools like Warzone RAT remain accessible on underground markets, enabling low-to-medium skill actors to conduct sophisticated intrusions in tax refund fraud schemes.
• Phishing’s high ROI during tax season — Impersonation and credentialed lures exploit urgency around filing deadlines, making tax firms and their clients prime targets.
• Supply-chain-like exposure — Small-to-medium tax preparers often lack enterprise-grade defenses, turning them into gateways for mass identity theft and government fraud.
• Cross-border coordination — Nigerian operators directing U.S.-based money mules demonstrates how global networks sustain these schemes long-term.
• Lingering tax-season threats — Even post-scheme, similar fraud spikes annually; 2026 filings remain vulnerable without hardened controls, as attackers adapt tactics to new tools and awareness gaps.

For accounting firms, tax preparers, and any business handling sensitive PII (especially during peak seasons), the fallout can include regulatory scrutiny, client lawsuits, reputational damage, and direct financial hits. Tax refund fraud not only drains government resources but also erodes client trust and exposes firms to secondary attacks using stolen data.

Recommendations to Fortify Against Tax Refund Fraud

1. Phishing-resistant defenses — Train staff rigorously on BEC-style lures; implement email security gateways that block lookalike domains and scan attachments/links.
2. Endpoint and network hardening — Deploy EDR solutions to detect RATs and anomalous behavior; restrict admin privileges and segment networks to limit lateral movement.
3. Secure file-sharing practices — Avoid public Dropbox links for sensitive documents; use encrypted, audited platforms with access logging.
4. PII protection and monitoring — Encrypt stored tax data, enable multi-factor authentication everywhere, and monitor IRS e-file activity for unusual patterns tied to your clients.
5. Incident response readiness — Have a plan for rapid containment if malware is detected; regularly test backups and conduct tabletop exercises for fraud scenarios.
6. Expert monitoring — Partner with an MSSP for 24/7 threat hunting, especially around tax deadlines when attacks surge.

At Black Belt Secure, our managed detection and response, vCISO advisory, and proactive vulnerability assessments help organizations—particularly those in finance, accounting, and professional services—stay ahead of persistent threats like RAT-enabled tax refund fraud and BEC campaigns. We provide the layered defenses needed to protect sensitive client data year-round, including seasonal surge monitoring to catch anomalies early.

This case shows that even “old-school” tactics, when combined with commodity tools and international coordination, can generate millions in illicit gains through tax refund fraud. By prioritizing email security, endpoint visibility, and seasonal vigilance, businesses can close the doors on these profitable heists and safeguard both their operations and their clients’ financial futures.