A Nigerian national was sentenced to eight years in prison for hacking multiple tax preparation firms in Massachusetts and filing fraudulent tax returns seeking over $8.1 million in refunds.

37-year-old Matthew Abiodun Akande was arrested in October 2024 at London's Heathrow Airport and extradited to the United States in March 2025. He was indicted by a federal grand jury in July 2022 before his arrest, while he was still living in Mexico.

According to court documents, after gaining access to the companies' systems, Akande stole their clients' personal information and used it to file over 1,000 fraudulent tax returns and collect more than $1.3 million in fraudulent refunds between June 2016 and June 2021.

To gain access to the targeted firms' computer networks, Akande bought licenses for the Warzone remote-access trojan malware (whose infrastructure was seized by the FBI in February 2024) and encryption software known as a crypter to make the malware undetectable by antivirus solutions installed on the victims' devices.

He then sent phishing emails impersonating the Chief Executive Officer of a Massachusetts architectural engineering company to four tax preparation firms, using a web domain and email account mimicking the CEO's name to make the messages appear authentic.

Akande attached the executive's 2019 tax documents to the phishing emails (including W-2 and 1099 forms) to add credibility, and directed recipients to a Dropbox link allegedly containing the CEO's prior-year tax information that, when clicked, silently installed the malware on their systems.

"In reality, the Dropbox account contained a disguised executable file that, when downloaded and executed, would cause the Victim CPA Firms to unknowingly download RAT malware onto their computer networks," the indictment reveals. "The owners of each of Victim CPA Firms [..] accessed the link and, as AKANDE intended, unknowingly downloaded RAT malware, which was used to collect each firm's client PIl and prior years' tax information."

Once inside the firms' networks, Akande used the Warzone RAT malware to steal their clients' Social Security numbers and prior-year tax data, then used the harvested information to file fraudulent returns seeking over $8.1 million in refunds.

The refunds were directed to bank accounts controlled by co-conspirators in the United States, who withdrew the funds in cash and transferred a portion to associates in Mexico, as instructed by Akande.

U.S. District Court Judge Indira Talwani in Boston sentenced Akande to eight years in prison and three years of supervised release, and ordered him to pay nearly $1.4 million in restitution.