The Internal Revenue Service’s Criminal Investigation division has created a cybercrime unit to combat the growing trend of identity theft-related tax fraud as the problem morphs into data breaches and becomes more international in scope.
“We are creating a cybercrimes unit within CI to really focus on some large-scale cybercrime-related cases, specifically focused on identity theft and the impact on tax administration,” said Richard Weber, chief of IRS Criminal Investigation, in a conference call with reporters Monday.
He noted that cases sometimes start with a smaller dollar amount, but then lead into much larger types of theft. “We are looking at not just dollar amounts initially, but whether or not cases are multijurisdictional,” said Weber. “We have 25 field offices across the country. If the cases have an international component to them, that would be something else we would look at, and then the amount of targets or defendants that would be connected.”
Weber said the new unit is not the result of the recent publicity this past tax season over tax refund fraud involving TurboTax.
“This is something we’ve been looking at over the past nine months to a year,” he said. “We’ve seen an evolution of identity theft.”
An IRS-affiliated website that is used by charities for filing their Form 990-N "e-Postcards" was hit by a data breach in February, however (see
The Darknet
When Weber arrived at IRS CI three years ago, he estimates the agency was spending less than 3 percent of its time on identity theft cases across the country. “We are now working on a national level an average of 18 percent of our time on ID theft,” he said. “In some areas like Tampa and Miami, Florida, where we have field offices, we’re working close to 50 percent of our time just on identity theft. When the problem first started, we were working on a lot of street-level type cases, where someone might be in their basement or sitting on a beach with a laptop and trying to ping our systems, and quite frankly getting in a lot easier than today. That morphed into more of a data breach issue, where we saw over the last year in particular more data breach identity theft type cases, as well as cases that had some type of international component. That was really when we started to realize that we should pull some of our resources and have a focus on the cybercrime, the Darknet’ issue and really look at this problem specifically as it relates to cybercrime ID theft.”
Data breaches are occurring at various types of businesses such as payroll companies, department stores and medical facilities. “We’re looking at probably hundreds of millions of records that have been breached from companies across America,” said Weber.
Personally identifiable information, such as Social Security numbers, account numbers and W-2 information, have been stolen from companies and that information is then used to attack the IRS system, he noted. Hackers are able to use the information they glean from data breaches to get around the various filters that the IRS has set up to detect identity theft.
So far this year there have been at least 270 data breaches, exposing more than 100 million records, according to Weber. “Those records could potentially be used to hit the IRS system or to impact the tax system,” he said.
He noted that this February, there was a large-scale data breach at a health insurer, exposing 80 million customer records, including addresses, Social Security numbers and income data, the exact same data that’s needed to file for a tax refund.
“That is primarily the reason why we want to focus on cyber and the Darknet because of what is happening,” said Weber. “The Darknet, which I describe as the underbelly of the Internet, is really what criminals are using today to commit a host of crimes, not just tax refund fraud, which is why all the law enforcement agencies are trying to work better together on this issue because of what’s out there.”
On the Darknet, the IRS has seen various connections to international organized crime rings, particularly in Russia and other Eastern European countries. “One particular crime syndicate had amassed over 1 billion user names, passwords and email addresses,” said Weber. “When this is happening on the Darknet, it’s really only going to be used for criminal activity. There’s no legitimate use of this information that exists on the Darknet.”
Impact of Budget Cuts
However, the effort to build a cybercrime unit has been hampered by budget cuts at the IRS in the past five years. The IRS CI division has approximately 2,500 special agents today, but that’s down from 3,300 agents a few years ago, due to budget cuts.
“We’re at an all-time low,” said Weber. “We’re at the same levels we were at in the 1970s. We haven’t hired anybody this year, and it doesn’t look like we’re hiring anybody in the coming year, depending on what Congress does with our budget. Yet the crime problem is advancing and spiraling in terms of the Internet, cybercrimes and the Darknet.”
In fiscal year 2014, IRS CI conducted 4,297 investigations, including 1,063 related to identity theft. The previous year, in fiscal 2013, IRS CI conducted 5,314 investigations, including 1,492 related to ID theft.
IRS CI plans to start the cybercrimes unit with a group of agents in its Washington, D.C., field office that will develop cases and work with other field offices across the country to develop and support cases.
“We’ll have a specialized group in D.C. and then we’ll have points of contact in every field office working with this group in D.C.,” said Weber. “We’re also working with some of the law enforcement agencies. Then we’ll see where this takes us and the types of cases that we’re going to be able to bring.”
The IRS currently doesn’t have the budget to hire any new cybercrime experts, but over the years Weber said IRS CI has hired a number of special agents with cyber-technology investigative skills. It is also working with other agencies such as the Secret Service, the FBI, the Justice Department and the Department of Homeland Security that have expertise in these types of investigations. While IRS CI focuses on cases involving tax administration, identity theft and money laundering, other agencies can focus more on the data breach itself.
Liberty Reserve, Silk Road and Bitcoin
Among the recent cases where IRS CI has worked with other agencies on cybercrime investigations include ones involving Liberty Reserve, a digital currency provider whose network was used to facilitate crimes such as drug trafficking and child pornography, and Silk Road, whose founder, Ross Ulbricht, was found guilty in February on seven charges of using his network to facilitate drug trafficking via Bitcoin transactions.
“At the end of 2013 we led the case against Liberty Reserve, which was a digital currency company that was involved in international money laundering,” said Weber. “We led that case with the Secret Service and Homeland Security. This case was a $6 billion international money-laundering case. It was probably one of the world’s largest digital currency services at the time, and seven individuals were indicted.”
The case is ongoing against both the company and the individuals. “The crimes that they were involved in laundering really were a smorgasbord of criminal activity, involving computer hacking, identity theft, investment fraud, child pornography and narcotics trafficking,” said Weber. “There was really all types of crimes involved in this operation. It was a case that I think started our efforts looking at the cyberworld and the way money moved throughout the world.”
Weber recalled that back in 2013, he was quoted as saying that if Al Capone were alive today, this is how he would be laundering his criminal proceeds.
After the Liberty Reserve case, IRS CI was involved in the Silk Road case, which also used the Darknet and digital currency for money laundering. “It was mainly used by drug dealers and drug traffickers, but other criminals as well, to launder their money,” said Weber. “We worked with the FBI and the Secret Service. Our primary role was the financial aspects of the case and following the money through the Internet. Our agent in New York was the agent who was able to trace and track the founder of Silk Road, Albrecht, and was the one that was responsible for bringing that case to a conclusion.”
In a related case that surfaced a few weeks ago, Weber noted, a special agent from IRS CI’s Oakland, Calif., field office helped investigate two former federal agents from two other agencies who were involved in stealing over $1 million in Bitcoins related to the original Silk Road investigation.
“Our primary mission in CI is to investigate crimes and to investigate criminal activity,” said Weber. “Working with our civil counterparts at the IRS and also working with the other agencies, we hope to not only investigate criminal activity that’s taken place but also to prevent criminal activity from occurring by getting involved very early on in some of these data breach cases.”