
First Filed First Stolen: The Dark Web Market for CPA Firms
A Florida CPA discovers something strange during tax season: the IRS keeps rejecting client returns because someone has already filed them.
What begins as a routine tax season glitch soon reveals a massive cyber-enabled fraud scheme involving hacked CPA firms, a dark web marketplace selling remote server access, and thousands of stolen identities used to file fraudulent tax returns.
In this episode of Tax Crime Junkies, Dominique Molina and Tom Gorczynski dive into the story behind RICH4EVER4430, a cybercrime operation that turned tax firms into inventory on the dark web.
More than 9,200 fraudulent returns.
$45 million in refund claims.
An international investigation spanning multiple countries.
And it all started with something surprisingly simple: an open Remote Desktop port and a weak password.
Tax season is stressful enough for tax professionals.
But imagine submitting a client’s return… and the IRS tells you it’s already been filed.
That’s exactly what happened to one Central Florida CPA firm in 2017.
At first, it seemed like a mistake. Duplicate filings happen. Sometimes clients file on their own.
But when the same rejection started happening to multiple clients, the firm realized something far more serious had occurred:
Their system had been breached.
Hackers had accessed the firm’s servers, stolen thousands of taxpayer records, and used that data to file fraudulent returns months before legitimate filings were submitted.
But the story doesn’t start there.
It starts inside a Florida beauty supply store.
Two cousins, Andi Jacques and Dickenson Elan, began their journey into tax fraud by opening a small tax preparation business that quietly fabricated W-2s to inflate client refunds.
When that operation shut down, they took what they learned and built something far more ambitious.
They partnered with a hacker who had discovered a dark web marketplace called xDedic.
This platform didn’t sell stolen identities.
It sold entire business networks.
For as little as a few hundred dollars in Bitcoin, criminals could purchase access to compromised company servers around the world.
Among the most valuable listings?
CPA firms.
Once inside a tax firm’s system, hackers could extract everything they needed:
- Social Security numbers
- prior-year AGI
- dependent information
- employer data
- bank routing numbers
- scanned tax documents
In other words:
Fully assembled identity kits.
With that data, Jacques and his co-conspirators began filing fraudulent returns before the real taxpayers ever had a chance to file.
Over the next several years, the group filed more than:
- 9,200 fraudulent tax returns
- requesting $45 million in refunds
- successfully collecting over $7 million
Meanwhile, an international investigation was quietly unfolding.
The IRS Criminal Investigation division partnered with the FBI, Europol, and investigators across Europe to dismantle the xDedic dark web marketplace, ultimately tracing the fraud ring responsible for the stolen returns.
The result:
Eight conspirators convicted.
Millions in restitution ordered.
And a sobering reminder that tax firms are one of the most valuable targets in the cybercrime economy.
In this episode, Dominique and Tom unpack the entire scheme and explain:
• How hackers infiltrated CPA firm networks
• Why tax firms are prime targets for cybercriminals
• How dark web marketplaces sell access to business servers
• The role of Remote Desktop Protocol (RDP) vulnerabilities
• Why weak passwords and missing MFA still cause major breaches
• How stolen tax data fuels refund fraud
• What tax professionals can do to protect their firms and their clients
Because in today’s world…
Data isn’t just an asset.
It’s a target.
Resources Mentioned
IRS Security Summit
https://www.irs.gov
Identity Theft Affidavit – Form 14039
https://www.irs.gov/forms-pubs/about-form-14039