Skip to main content

W-2 tax forms for 2016 can be bought and sold on the dark web at $20 or less

Hacker
hamburg_berlin/Shutterstock
Security researcher Brian Krebs reports that hackers are now selling W-2 tax forms on the dark web, a collection of websites that requires special software or authorization to access and can’t be found using Google or Bing. It’s an online world where pirated software can be obtained and cybercriminal shops can thrive, selling goods like PayPal account credentials, stolen credit cards, and now apparently last year’s tax forms.

According to Krebs, the W-2 tax form data was up for sale on an unnamed dark web shop under the “other” category. The data stemmed from more than 3,600 residents from Florida and included their employer’s name, employer ID, and employer address. The info also included the taxpayer’s personal information such as address, social security number, 2016 wage information, and the taxes withheld.

Recommended Videos

The stolen W-2 records required Bitcoins to purchase and their cost depended on the wage made by the taxpayer, ranging between $4 and $20 each. Thus, the higher the wage, the more money thieves could possibly land if they are successful in tricking the Internal Revenue Service with a fraudulent tax form filed using the purchased taxpayer information.

The tax information may have stemmed from a Florida-based firm called The Payroll Professionals. Krebs figured this out after a source purchased two of the listed W-2 forms stemming from Kirai Restaurant Group LLC. Krebs contacted the restaurant company who said it outsources employee tax forms to The Payroll Professionals.

A representative of The Payroll Professionals confirmed with Krebs that the company was aware of a “potential hacking” and was currently informing customers of the potential problem. Krebs found additional W-2 tax forms on the dark web storefront stemming from companies that use The Payroll Professionals to handle their payroll.

How The Payroll Professionals was hacked is unknown. In a typical scenario, scammers would spoof a bogus email to resemble a high-ranking official in a company and send it to human resources and the payroll department. The email would demand a copy of all employee W-2 data to be returned immediately.

Just days ago, a hacker impersonated Sunrun CEO Lynn Jurich in an email sent to the company’s payroll department and received employee W-2 forms for 2016. The hacker got away with “a substantial portion” of the company’s current and former employee personal and financial information. Luckily, Sunrun’s customer database was not affected by the phishing scam.

“Sunrun recognized the issue within one hour of the scam and immediately began working with the proper authorities,” the company said Friday. “We are committed to the safety and security of our employees’ information and will continue to work diligently to increase the security of our systems and implement tighter controls.”

Taxpayers worried about hackers filing fraudulent claims on behalf of their information can use file form 14039 (pdf) if they believe they are victims of identity theft. Taxpayers can also request a six-digit Identity Protection PIN to help combat fraudulent tax returns.

Kevin Parrish
Former Digital Trends Contributor
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
Samsung DeX for Windows is dead
Samsung DeX mode.

Samsung appears to have plans to retire support of its DeX Windows app upon releasing the OneUI 7 software update.

Android Authority recently observed updates on Samsung’s DeX page on its UK website that sais the DeX for Windows feature will be discontinued as of OneUI 7, which will be available in 2025. The company detailed that DeX for Windows users can transition to the Phone Link feature as an alternative.

Read more
The last major game of 2024 is going to wreck your PC
Indiana Jones drags a Nazi down a staircase with his whip in Indiana Jones and the Great Circle.

We're getting close to the end of 2024, but there's one more major game release in the pipeline -- Indiana Jones and the Great Circle. Unfortunately for a lot of PC players, the system requirements might be too steep, even if your rig is packing one of the best graphics cards.

You can see the list of requirements below, and there's a lot to dig into. For starters, this is the first time I've ever seen the RTX 4090 listed in system requirements. There's no doubt that the RTX 4090 is the cream of the crop for gaming performance, but it's so powerful that even demanding games like Alan Wake 2 and Dragon Age: The Veilguard don't need to recommend it. Here, you'll need the RTX 4090 to max everything out at 4K.

Read more
For $630, you may want to take the plunge on an OLED gaming monitor
The Last of Us Part One running on the MSI MPG 321URX.

OLED prices are dropping fast -- and I mean really fast. For Cyber Week, you can pick up the MSI . Keep in mind that just over 12 months ago, this exact same panel was selling for $1,000, and even with newer monitors making the rounds, this is still one of the best gaming monitors you can buy.

Now, I haven't used this exact monitor, but I have plenty of experience to make an informed recommendation here. I've seen this panel at work in the Alienware 27 QD-OLED, and I've tested plenty of MSI OLED monitors like the MPG 321URX. That's all to say, while I haven't reviewed this specific monitor, I'm intimately familiar with just about every aspect of it.

Read more