Latest news with #TheFifthEstate
2 days ago
- Politics
'Active clubs' are all over Canada. What are they?
The members of these groups, known in white nationalist communities as active clubs, are hiding in plain sight. They obscure their faces and locations in social media posts, but a months-long investigation (new window) , in collaboration with The Fifth Estate , has uncovered exactly where they are operating. What are 'active clubs'? Active clubs tend to be male-focused groups that promote white supremacist ideals. Their activities range from public protests to vandalism campaigns to social media posts. They expect the current political order will be swept aside, potentially by force, for a new white-focused society. Antisemitic and anti-immigrant themes are common, and some groups use Nazi iconography. Names of the specific groups include Second Sons and Nationalist-13. Second Sons was founded by Jeremy MacKenzie, creator of the controversial right-wing network Dialagon, which the RCMP has labelled (new window) an extremist, militia-like organization. However, these groups are not a singular movement. They are part of a decentralized white supremacist and neo-Nazi network. Where did they come from? The idea was started by two neo-Nazis, according to the Global Project Against Hate and Extremism. One is a Russian. The other is American Robert Rundo, who is responsible for spreading the concept of setting up racist fight clubs. The U.S. Attorney's Office in California says Rundo has been doing it since 2017. He called it the Rise Above Movement, and spent the next few years setting up an international network of such groups in the U.S., Canada, Europe, Australia and elsewhere. These are what became active clubs. Last December, Rundo was sentenced to two years in prison for planning and engaging in riots across California. This defendant sought to further his white supremacist ideology by plotting riots and engaging in violence at political rallies, said U.S. Attorney Martin Estrada. Not just boxing clubs They appear to be groups of men interested in fitness and martial arts, and they recruit others to join them. But that hides a dark reality, says Mack Lamoureux at the Institute for Strategic Dialogue, a London-based think-tank that studies authoritarianism, hate and extremism. The minute you peel back even the slightest layer of this onion, it becomes far more insidious, he said. These are virulent white supremacists. Enlarge image (new window) NS13 members have trained at this undisclosed location on multiple occasions. Comparing it to pictures from public parks in southern Ontario revealed it was the John Wright Soccer Complex in Brantford, west of Hamilton, Ont. Details that gave it away included the gazebo ceiling and the piece missing from it, combined with the soccer goalposts in the background. Photo: CBC In Nationalist-13 videos, their faces are hidden with the Totenkopf , the grinning death mask used by the Nazi SS. In one video, a member shows off a lighter emblazoned with a Nazi swastika. The black, grey and white banner of the Second Sons is a deliberate echo of the Red Ensign, Canada's original colonial flag, which was replaced by the maple leaf in 1965. White nationalists call the Red Ensign Canada's true flag, representing the country before they say it was spoiled by immigrants. These guys hide their faces and locations. How do we know where they are? Covered faces and blurred parts of videos were not enough to fully conceal the identities and locations of Nationalist-13 and Second Sons members. The CBC visual investigations team was able to uncover the location of their training sessions by matching up distinctive features of the inside of boxing clubs, such as padded walls, as well as the specific shape and position of windows. Enlarge image (new window) The location of the NS13 video on the left was unknown, until CBC's visual investigations team compared the distinctive windows above the boxing ring to those in the Amazing Fitness gym, on the right, in Hamilton, Ont. Photo: CBC Some prominent group members also have clearly visible tattoos that can be compared with other photos of them, which allowed the CBC team to confirm their identities even though their faces were obscured. What's been the reaction? Owners of gyms who CBC News approached said they were unaware some of the people using their facilities were actually fascist fight clubs. John Moran, the manager at Amazing Fitness, said we have no affiliation whatsoever with these individuals or their ideology, and we categorically reject any form of hate or discrimination. Rob Barham, the owner of Hammer BJJ, said I don't affiliate myself with … any sort of white supremacy groups. Kevin Mans, owner of Niagara BJJ in Welland, said that as soon as he saw the photos CBC shared, he called his staff and told them these individuals couldn't come back. Hamilton City councillor Nrinder Nann is alarmed. I think it's a serious public safety concern. The rise of extremist organizing is a national security threat and it isn't an issue to take lightly. Lyndon George, executive director of the Hamilton Anti-Racism Resource Centre, said given the violent nature of this ideology, these groups shouldn't be able to operate with impunity in public places. We shouldn't have to wait for that violence to happen for there to be a response, said George. Enlarge image (new window) CBC's visual investigations team matched up distinctive clothing and tattoos to confirm the identity of white supremacist and Nationalist-13 member Brandon Lapointe. Photo: CBC Is this just happening in the Hamilton area? No. Active clubs can be found in various locations across Canada and in dozens of places throughout the U.S. One in Tennessee has been widely reported (new window) on. There are 187 active clubs in 27 countries (new window) , according to the Global Project Against Hate and Extremism. They are seen as the next generation of white nationalist organizations in Canada, and they are in touch with similar groups elsewhere. [Canadian active clubs] have very, very deep connections with other far-right and extremist organizations, said Lamoureux. This includes America Patriot Front, which is probably the largest and most active white supremacist organization.
07-07-2025
- Business
Ontario architect's seal forged by remote worker believed to be North Korean fraudster
An imposter, believed to be North Korean, forged the official seal of an Ontario architect, an investigation by The Fifth Estate has found. The Democratic People's Republic of Korea (DPRK) has in recent years engaged thousands of remote workers whose purpose is to generate revenue for the regime, according to an international advisory issued by the U.S. government (new window) . Their exploits have been detailed in indictments (new window) from the U.S. Department of Justice and reporting (new window) from around the world (new window) . While they are best-known for high-value cryptocurrency hacks (new window) , these workers will also take real jobs at real companies under false identities. According to an FBI bulletin (new window) from January, this employment sometimes ends with the worker stealing proprietary information or holding data and code hostage for ransom. "The threat posed by DPRK operatives is both real and immediate," U.S. Attorney Leah B. Foley said in an announcement (new window) on June 30. Thousands of North Korean cyber operatives have been trained and deployed by the regime to blend into the global digital workforce. They also masquerade as licensed professionals on freelance websites offering to do things like reviewing and approving engineering or architectural plans with forged stamps. According to the Association of Architects of Ontario (new window) , an architect's stamp — otherwise known as a seal — is a representation to the public that the professional is taking responsibility for the document and that it was prepared by them or under their supervision and direction. In Ontario, seals are issued by self-regulated bodies created and governed by specific legislation. For instance, Professional Engineers Ontario (new window) operates under the authority of the Professional Engineers Act (new window) . In mid-May, a pseudonymous online researcher known only as Cookie Connoisseur (new window) posted (new window) a series of professional stamps on X bearing the names of engineers across the United States. Cookie Connoisseur claimed they were being used by North Korean remote workers. Among them was the professional seal of Canadian architect Stephen Mauro, who is based in the Greater Toronto Area. His stamp appeared on a blueprint for a boutique studio designed by a company called Global Creative Consultant Engineers (GCCE). Speaking with The Fifth Estate , Mauro stated he had never heard of GCCE, had never seen the drawing before and did not stamp it. He also pointed out that the signature on the seal did not resemble his, and that the stamp itself contained minor differences from his official seal. The biggest thing is to find out where these are being submitted in Ontario, Mauro said, to notify the municipalities that it's not an actual architect submitting these. Remote freelance work Searching online, The Fifth Estate was able to locate a Facebook page for GCCE, which included an email address and phone number for a man named Faisal Hussain. When contacted by CBC, Hussain said he was based in Pakistan and confirmed the drawings were his. Début du widget Twitter. Passer le widget ? Fin du widget Twitter. Retourner au début du widget ? When asked about his relationship with Mauro, Hussain initially stated he is working with me as teammate. In a subsequent video call, Hussain said he had hired Mauro via an online freelancing platform and had never seen his face or heard his voice. He's been working with me for two years and I didn't get any issue from the city, Hussain said. He did not respond to questions about which city he was referring to. Faisal Hussain's LinkedIn profile states he is a 'USA CITY PERMIT EXPERT,' but contains no mention of Global Creative Consultant Engineers. (Faisal Hussain / LinkedIn) Photo: (Faisal Hussain / LinkedIn) According to a 2022 U.S. government advisory on North Korean IT workers, they most commonly obtain freelance jobs through various online platforms. The sentiment is echoed by cybersecurity expert Michael Barnhart, who works for the risk management firm DTEX Systems. Whatever the popular thing in the host nation is what they're going for, Barnhart said, adding that he's seen logs of conversations where North Korean remote workers are asking an AI platform for lists of popular freelance websites in Canada and Japan. Are the documents real? In an attempt to highlight North Korean remote workers' activities, Cookie Connoisseur, as well as a number (new window) of other (new window) accounts, regularly post files — videos, photos, chat logs — that they claim originate from North Korean actors. Asked if they would be interviewed for this story, Cookie Connoisseur referred The Fifth Estate to Barnhart, the cybersecurity expert. He said he acts as the public face of this loose collective of online researchers. The U.S.-based Barnhart, who formerly led North Korea threat-hunting operations for a Google subsidiary called Mandiant, told The Fifth Estate that the members of the collective work regular jobs and do this research in their spare time. Barnhart would not disclose how the collective obtained the blueprint bearing the Ontario architect Mauro's seal. In an email to CBC, he said the information had been corroborated by multiple researchers in the industry who had been tracking this particular North Korean operator. He also noted that North Korean operatives read news articles about their work, and that as a result, providing too much information could divulge the researcher's methods. Alongside freelancing websites, North Korean remote workers also engage in what Barnhart called spray-and-pray job applications for positions at companies hiring remote workers. They apply for hundreds of jobs a day, and hope that with such a high volume, they will get at least some responses. If you're a Fortune 500 company, then I can easily say you've at least been targeted, Barnhart said. Whether you've hired them, that's a different story. Matthew Pierce (new window) · CBC News
Yahoo
06-06-2025
- Yahoo
B.C. babysitter must be acquitted in toddler's drowning death, Supreme Court rules
The Supreme Court of Canada has ruled that a woman originally convicted in the 2011 drowning death of a toddler in her care must be acquitted. Tammy Marion Bouvette was babysitting 19-month-old Iyanna Teeple in Cranbrook, B.C., in 2011 when the toddler was found unresponsive in the bath. Teeple was flown to a hospital in Calgary, where she later died. Bouvette was originally charged with second-degree murder in the child's death, then later pleaded guilty to the lesser charge of criminal negligence. She was sentenced to 12 months in jail. But an independent review of the case determined that the Crown hadn't disclosed all evidence to Bouvette or her counsel before she entered her guilty plea. In 2023, the B.C. Court of Appeal quashed her conviction and ordered a stay of proceedings, but declined to enter an acquittal. Bouvette appealed and, in a ruling released Friday morning, the Supreme Court of Canada concluded she should be immediately acquitted on the grounds that the Crown also sought an acquittal and said it would call no evidence at a new trial. 'A miscarriage of justice' The case became the subject of an investigation by CBC's The Fifth Estate in 2020 after CBC journalists uncovered a report that criticized pivotal pathology evidence in the Crown's case against Bouvette. Bouvette has maintained she did not abuse or kill the child and told The Fifth Estate she had wanted to avoid a lengthier prison sentence for a murder charge when she made her plea. In 2023, the B.C. Court of Appeal determined that the B.C. Prosecution Service had failed to disclose to Bouvette's defence lawyers several items of key evidence, including the pathology evidence report, which supported Bouvette's claim that she had not hurt or neglected the child. Bouvette's former defence lawyer told The Fifth Estate that he had not received that report from the Crown during the prosecution. At the time, the judges wrote that they "make no finding of bad faith or malice on the part of the Crown. But neither can we ignore that the disclosure breaches were not isolated or confined to information of dubious value to the appellant." "As a consequence of material non-disclosure, the appellant was deprived of the opportunity to make an informed decision about how to plead apprised of the strengths and weaknesses of the case against her on fundamental issues." The court ruled that Bouvette's criminal negligence conviction causing the toddler's death was "the product of a miscarriage of justice," and ordered a stay of proceedings because retrying her case would be an "abuse of process." Friday ruling In the Friday ruling, judges were unanimous in their decision, if for different reasons. Writing for the majority, Justice Nicholas Kasirer said the first possible ground for an acquittal under section 686(2) of the Criminal Code is where there's a lack of evidence to ground a reasonable conviction. The second possible ground is where the Crown seeks an acquittal and says it would call no evidence at a new trial. Kasirer said Bouvette was acquitted on this second ground.
CBC
01-05-2025
- CBC
Alleged leaders of child exploitation cult known as 764 arrested, charged
Warning: This story contains references to suicide, sexual abuse, violence, graphic material and language that may be upsetting to some readers. Two men have been arrested and charged with running an international child exploitation enterprise known as 764 which targets vulnerable minors online and coerces them to self-harm, make child sexual abuse material of themselves and participate in violent acts — including animal abuse and even suicide. Prasan Nepal, 20, who police say used the moniker "Trippy" in the 764 network, was arrested in North Carolina. Leonidas Varagiannis, a 21-year-old U.S. citizen, known as "War" was arrested in Greece, according to police. They allegedly led a core subgroup called 764 Inferno that operated using encrypted messaging platforms. Police say the men exploited at least eight minors, some as young as 13 years old. "The information in the criminal complaint is sickening," said an online investigator named Becca who tracks 764 and shares what she learns with law enforcement. For her safety, we are only using her first name. CBC's The Fifth Estate first investigated 764 and its related groups last year, and has since discovered victims around the world, including one in Red Deer, Alta., named Trinity. Trinity, whose identity CBC has agreed to protect for her safety, first reported her allegations of exploitation by 764 members to RCMP in July 2021 but did not hear from them again until last year after the FBI asked to meet with her. During the meeting with both law enforcement teams in May 2024, she provided officers with a list of names of 764 perpetrators who she says exploited her through Discord and Telegram. One of the names on that list was Trippy. Neither she nor her mother wanted to comment on the arrests saying they are trying to move past their ordeal. The Fifth Estate also interviewed a Canadian father whose 15-year-old daughter recently killed herself after being exploited by other members of 764 for at least two years. The CBC is not naming him to protect his daughter's identity and for his own safety. The father says he continues to be harassed by people he suspects are part of the network. News of the arrests "gives me hope," he said, adding that awareness, especially for parents and authorities, is critical. He says he missed the early signs of his daughter's exploitation, including self-harm. "That's the part that I hate," he said, "It was happening right in front of me and I didn't recognize it." Since its investigations into 764, The Fifth Estate has spoken with another parent who says her teenage daughter was victimized by 764 members for two years. The parent also says her daughter had contact with Varagiannis online. CBC has not independently verified that claim. She also asked to not be named for her family's privacy and safety. She says she hopes the arrests will diminish the network's access to other victims. "I also hope that this will send a warning to other members, or prospective members, that it's only a matter of time before their violent, predatory actions catch up with them and they're forced to face justice of their own.' Investigating the alleged top leaders According to an affidavit and criminal complaint unsealed Wednesday in the United States District Court for the District of Columbia, Nepal had been involved in 764 since its inception in 2020. He emerged as its leader in August 2021 after the founder, Bradley Cadenhead, was arrested by the FBI. Cadenhead created 764 in 2020 at the age of 15 and named the group after his area code in Stephenville, Texas. He is serving an 80-year sentence for pleading guilty to possession with intent to promote child pornography in 2023. Varagiannis is believed to have joined in December 2023 and became a co-leader of 764 Inferno, which was reserved solely for the inner core members of 764 and was by invitation only. Nepal and Varagiannis had strict rules for joining 764, according to police. Potential members had to produce and share content that often included child sexual abuse material and images of victims self harming. "These defendants are accused of orchestrating one of the most heinous online child exploitation enterprises we have ever encountered," said U.S. Attorney General Pamela Bondi in a media release Wednesday. Nepal and Varagiannis, along with two others, allegedly created a guide that gave prospective members instructions on how to create "content" by targeting vulnerable "e-girls," who struggled with mental illness. According to the affidavit, on May 27, 2024, Nepal posted step-by-step instructions in a chat on how to groom a victim. "Go to Reddit … or Twitter," he typed. "[Find a] self-harm community and speak with a girl like it's a normal friend" and "then seduce her with how much you love how she cuts." That content included sexually exploitative material and images of underage girls who had been coerced to cut the names of group members into their skin, according to police. Members reportedly compiled these images and videos into what they called "lorebooks" that were considered valuable currency within the group, often used to gain notoriety for 764 and to recruit more members. Expert says arrests are 'majorly significant' Becca calls the arrests "majorly significant" and says the fact the two are charged with running a global criminal network, and not individual child pornography charges, speaks to how seriously police are taking the threat. "They're working to get these guys charged with heavier crimes and sentences." Becca says Nepal's arrest is especially important because he was not only the self-proclaimed leader of 764, he was its most active member who created new Telegram and Discord channels to keep the group going when other accounts were banned by the platforms they were operating on. 764 has several offshoots, she adds, but in the course of her research she says she's found a single predator can have dozens, even hundreds of victims. "The impact is huge because of all the kids who could potentially be saved because of one person no longer being on the internet." Becca says Nepal's arrest has also caused panic in 764 chatrooms as authorities continue to crack down on the network. "That's really good news. We want them running on the backfoot." The father who spoke to The Fifth Estate about his daughter's victimization by 764 says he contacted police more than a year before his daughter took her life and says he initially felt dismissed by authorities. He says he is planning to channel his grief toward advocacy and is calling for social media platforms to do more to protect children online. "I'm still in shock about it," he said. "Our institutions are moving slowly against something that is moving very quickly." 764 posed threat of escalating violence The Fifth Estate has spoken to several experts and law enforcement officials who say police are now more aware of the threat. They say 764 stands out for its level of violence and for the age of its members, many of whom are minors themselves. In Canada, extremism researchers say there are likely perpetrators across the country and thousands of potential victims. The group also poses an escalating threat worldwide as it forges alliances with other violent online groups that promote mass killings and targeted attacks. Other violent acts have been linked to 764, including a school shooting earlier this year in Nashville, stabbings last fall in Sweden and the murder of an elderly woman in Romania in 2022. Police have also foiled deadly plots tied to the groups in the U.K. and the United States in recent months. In Italy, police arrested a member last month who they say was in the advanced stages of a plan to kill vulnerable people. The RCMP's counterterrorism unit is leading 764 investigations in Canada and issued a national public warning about the group last August. Police here have arrested at least two members of 764. In response to The Fifth Estate 's request for comment on the latest arrests and whether there are Canadian victims linked to the accused, in an email the RCMP says it works closely with its international partners and does not comment on ongoing or potential investigations and investigations conducted by other countries. It added: "Safeguarding Canadians from ideologically motivated violent extremism, such as that perpetrated by 764, remains a priority for the RCMP." As for Nepal and Varagiannis, if convicted, the charge of operating a child exploitation enterprise carries a minimum sentence of 20 years and a maximum of life in prison.
CBC
15-04-2025
- CBC
B.C. health-care workers' CRA accounts hacked after 28,000 social insurance numbers stolen in data breach
Nurse Leslie Warner will never forget being taken to her local RCMP detachment in Fernie, B.C., in 2022 and charged in a social security fraud operating out of Alberta. She says she was fingerprinted and had her mug shot taken. "I was like: 'Oh my God, this is my identity theft,'" Warner recalls telling police. "I did not do this." The fraud charges were dropped soon after she explained that an imposter had been using her identity since 2020, when someone hacked into her Canada Revenue Agency account and filed a bogus return in Alberta that stated tax preparation company H&R Block was her new "authorized representative." But Warner had never authorized H&R Block to file her taxes. Warner said she has been trying for years to understand how her identity — and at times her life — came to be hijacked. She is also still "nervous" about her CRA account being hacked again. The Fifth Estate has learned that Warner's name is one of thousands included in a massive breach of employees' personal information — including social insurance numbers — from the British Columbia government's Interior Health authority, which runs hospitals and medical facilities in the eastern part of the province. While it is unclear how many of those names were exploited by fraudsters, The Fifth Estate has found that stolen identities from several Interior Health employees — past and present — have been used to obtain bogus CRA refunds and fraudulent loans in the past several years. A former Ontario privacy commissioner says "it could be a nightmare" for individuals whose names and private identification are included in the breach. "This is horrible," said Ann Cavoukian, executive director of the Global Privacy and Security by Design Centre. "These are the things that have to be brought to the public's attention." 'Anonymous' sends Fifth Estate list of stolen identities A source, identifying themselves only by the name "Anonymous," wrote to The Fifth Estate last month and shared what they said was a list of names stolen from the B.C. government agency. The source said they obtained the list from sellers operating on the "dark web" who set up a group on the encrypted Telegram app in 2017 and then sold the data for about $1,000. The Fifth Estate has not independently verified the existence of the Telegram group or how much the data was sold for. However, The Fifth Estate has confirmed with numerous people on the stolen list that they did in fact work for B.C.'s Interior Health authority. All of them said that the information contained about them is accurate. The breach includes social insurance numbers, home addresses and birth dates of more than 28,000 employees who worked at the agency between 2003 and 2009. "As an ex-criminal who was involved in similar activities in the past, I now want to help others and right my wrongs," Anonymous wrote in an email to The Fifth Estate. "I believe this information could be extremely valuable in identifying and contacting potential and future fraud victims." If you worked at B.C.'s Interior Health authority between 2003 and 2009 and believe you may be the victim of stolen identity or a hacked CRA account, please email, in confidence, or text or call 416-526-4704. Click here to contact CBC News completely anonymously using SecureDrop. In their email to The Fifth Estate, Anonymous said the list was first obtained from a "data leak years ago" and that the information "has been sold and distributed to thousands of people over the past five to six years." The Fifth Estate has not confirmed how many people obtained the data. Scammers targeted H&R Block offices across Alberta For Warner, the knowledge her name was on the list has convinced her this is how her identity was stolen. She said she has even more questions now about how the breach happened, when it was first detected and how many other Interior Health employees have had their CRA accounts hacked or might in the future. "This is happening in real time," Warner said, adding she believes there are "masterminds" running the schemes who will continue "doing this to other people." A previous Fifth Estate /Radio-Canada investigation revealed that tens of thousands of Canadians have had their CRA accounts hacked since 2020 and that scammers have been taking advantage of security gaps between the Canada Revenue Agency and third-party tax preparation companies. Special CRA access codes assigned to third-party tax preparation companies have been repeatedly exploited by fraudsters to get into Canadians' tax accounts, The Fifth Estate learned. The Fifth Estate reported in March that two taxpayers in B.C., one from Creston and one from Kelowna, had their accounts hacked in 2023 and bogus returns filed in their names by imposters who had targeted H&R Block locations in Alberta. It turns out that both their names are also on the list of Interior Health employees recently leaked to The Fifth Estate. Like Warner, the Kelowna victim is also a nurse. Now, new documents and interviews with more stolen identity victims have revealed that at least six people who worked for Interior Health in B.C. had their CRA accounts hacked by imposters using various H&R Block locations across Alberta. A seventh stolen identity victim, a nurse from Penticton, was listed by imposters as the sole director of two federally registered shell companies in Edmonton. Fraudsters then used those fake companies in her name to produce the bogus T4 slips used in their tax frauds. "I feel dirty having been a victim of this," said the nurse, who did not want her name used publicly to protect her privacy, when contacted by The Fifth Estate. Those seven victims' names — and private identification — all show up in the leaked database of Interior Health authority employees that was sent to The Fifth Estate. Warner's ordeal began when she checked her CRA account in 2021 and realized an imposter had received a bogus tax refund in her name, after using her social insurance number and changing her email address and her direct deposit information to a bank account with Digital Commerce Bank in Calgary. And she had noticed she had three new authorized representatives: H&R BLOCK (OFFICE 50575). H&R BLOCK (50638). H&R BLOCK CANADA, INC. "I started looking through — my address had changed, my phone number had been changed. Suddenly I had children." Warner also noticed that the CRA sent a letter to the attention of an H&R Block tax preparer in Edmonton in March 2021, stating that he was Warner's "authorized contact for electronic filing." The following month records show the CRA sent a letter in her name to H&R Block's headquarters in Calgary. Warner was living and working in B.C. throughout that entire period. Internal memos reveal H&R Block aware of fraudsters In an email to The Fifth Estate last November, H&R Block stated it did not know of "any incidents" where Canadians had their CRA accounts hacked through the unauthorized use of its "EFILE credentials" — those special access codes that allow third parties to file returns on behalf of customers. Still, internal H&R Block messages obtained by The Fifth Estate show that the company was aware that fraudsters were using their offices to file false returns. An undated H&R Block memo labelled "Out-of-Province Tax Filers" states that: "We have seen an increase in fraud by people claiming to move from British Columbia to Alberta." Another notice to employees, dated April 14, 2022, stated that H&R Block has "seen fraudulent cases in Edmonton and Calgary" of bogus T4 slips from a fake company called "Hawt shotz Deliveries Inc." The following year, on June 15, 2023, an "updated" memo stated that "there are currently two fraudsters" trying to use bogus T4 slips from a numbered company in Edmonton. Imposters, the memo stated, tried unsuccessfully to get instant refunds at H&R Block locations in Red Deer and Edmonton. The Fifth Estate reported last month that imposters used a fake T4 slip from that same numbered company to get an instant refund through an H&R Block office in Alberta, after successfully hacking into the CRA account of the former Interior Health employee living in Creston, B.C. The internal H&R Block memo also warns that scammers appeared to be using fake IDs and the "stolen identity" of two more people whose names also show up in the leaked list from B.C.'s Interior Health authority. One H&R Block employee, who says headquarters instructed its workforce this year not to talk to reporters, told The Fifth Estate they believe the tax preparation company's main concern was "not losing money" rather than pursuing the fraudsters. In a statement Friday, H&R Block said its previous statement about not knowing of any Canadians being affected by unauthorized use of its EFILE credentials is accurate. "What you are referring to is a matter of identity theft and unrelated to EFILE credentials," H&R Block said. "It is misleading and irresponsible to make any assumptions around the circumstances relating to any fraudulent tax filing incident, and to make assertions about a specific party's ultimate responsibility for it," reads the statement. H&R Block did not specifically address how imposters were able to successfully use H&R Block offices to process the bogus returns and hack into CRA accounts. Interior Health alerted to stolen names last March In March 2024, B.C.'s Interior Health Authority issued a media release that some employees' personal information had been found during an RCMP investigation and asked anyone who had worked for the agency between 2003 and 2009 to call a 1-800 number to see if their name was on the list. Several employees whose names, addresses, dates of birth and social insurance numbers show up on the list provided to The Fifth Estate say the health agency told them they were not on the list. Interior Health has said the list the RCMP found contained 20,000 names. The list provided to The Fifth Estate contains 28,000 names. In its media release last year, Interior Health said it had hired "external security experts" from audit and consulting firm Deloitte Canada who "confirmed that this information is not on the dark web." The dark web is often used by criminal networks to buy and sell stolen information. In their email, Anonymous told The Fifth Estate that they learned about the stolen data on the dark web and any statement to the contrary "is untrue." "Me personally, as well as others, have bought it on Telegram shops, and other dark web forums," Anonymous wrote. "I'm sure [Interior Health] released that statement as a protection from liability and act like it's not that big of a leak." Information on the dark web can come and go over time. WATCH | Could CRA deals with tax companies be partly to blame for accounts being hacked? Tax Hack: Identity Theft 1 month ago Duration 45:10 Tens of thousands of tax accounts have been hacked and hundreds of millions of dollars have disappeared as criminals game the system by stealing identities and filing bogus returns. Could the CRA's deals with tax companies be partly to blame? Deloitte declined to answer questions about how, or when, it might have determined something was not on the dark web, citing client confidentiality. In a statement, Interior Health's vice-president of digital health, Brent Kruschel, wrote that "due to the age of the data and its broad scope, IH was not able to accurately confirm where the information came from." "As this remains an active RCMP investigation and before the courts, Interior Health is not able to provide additional information," he said. For her part, Warner said she does not want to point fingers except at the criminals who stole her identity. She simply has more questions — about who knew what and when and why she wasn't told earlier.
