Technical writing
IRS Criminal Investigation: The Federal Database Behind Tax Fraud and Financial Crime Prosecutions
IRS Criminal Investigation is the only federal law enforcement agency with jurisdiction over federal tax crimes — filing 2,500–3,000 criminal cases per year covering tax evasion, employment tax fraud, money laundering, narcotics financial crimes, and identity theft refund fraud, with a 90%+ conviction rate.
What IRS Criminal Investigation Is
IRS Criminal Investigation (IRS CI) is the law enforcement arm of the Internal Revenue Service, itself housed within the Department of the Treasury. Its approximately 2,000 special agents hold full federal law enforcement authority — arrest power, search warrant authority, and grand jury access — and are the only agents in the federal government whose statutory jurisdiction covers violations of the Internal Revenue Code. While the FBI, DEA, and other agencies may work financial crime cases that touch on tax violations, only IRS CI can refer those violations to the Department of Justice Tax Division for criminal tax prosecution.
IRS CI publishes an Annual Report each October covering the prior fiscal year. That report is the primary public source of aggregate statistics on criminal tax enforcement: investigations initiated, prosecution recommendations forwarded to DOJ, indictments returned, sentences imposed, and conviction rates. The data is broken out by offense category and, for selected metrics, by field office and judicial district. No structured machine-readable API exposes IRS CI case data; the annual report PDF and DOJ Tax Division press releases are the two main access points for researchers.
The statutory jurisdiction of IRS CI spans the full range of conduct that touches on federal tax obligations. Core tax offenses prosecuted under Title 26 of the United States Code include tax evasion under 26 USC 7201, filing a fraudulent return under 26 USC 7206, willful failure to file a return under 26 USC 7203, and failure to pay tax. Beyond the Internal Revenue Code, IRS CI holds concurrent jurisdiction with other federal agencies over money laundering (18 USC 1956 and 1957), Bank Secrecy Act violations administered by FinCEN, currency structuring offenses, narcotics financial crimes, public corruption financial crimes, and identity theft refund fraud.
Annual Statistics
IRS CI's enforcement pipeline runs from investigation initiation through prosecution recommendation, indictment, sentencing, and incarceration. In recent fiscal years the approximate figures have been:
| Metric | FY2024 (approx.) |
|---|---|
| Investigations initiated | ~2,600 |
| Prosecution recommendations | ~1,700 |
| Indictments / informations | ~1,500 |
| Sentencings | ~1,200 |
| Conviction rate | ~91% |
| Average prison sentence | ~41 months |
The conviction rate is among the highest in federal law enforcement. The gap between investigations initiated and prosecution recommendations reflects the evidentiary demands of criminal tax cases: IRS CI must establish not just that taxes were unpaid but that the failure was willful, a legal standard that requires documentary and testimonial evidence sufficient to overcome the presumption of innocence. Cases that cannot meet that standard are closed administratively or referred for civil examination rather than criminal prosecution.
By offense category, general tax fraud accounts for approximately 30% of IRS CI's investigative caseload in recent years. Identity theft refund fraud constitutes roughly 20%, money laundering approximately 15%, public corruption financial crimes around 8%, and narcotics financial crimes approximately 7%. The remaining cases span employment tax fraud, Bank Secrecy Act violations, and miscellaneous financial crimes.
Tax Evasion
Tax evasion under 26 USC 7201 is the signature offense in IRS CI's caseload. The statute requires proof of three elements: a tax deficiency, an affirmative act of evasion, and willfulness. Affirmative acts — conduct beyond mere failure to report — typically take the form of maintaining a double set of books, making false entries in business records, concealing assets in nominee accounts, or routing income through shell entities. The willfulness element distinguishes criminal tax evasion from civil deficiencies; the government must prove the defendant knew of the legal obligation and intentionally violated it.
Common fact patterns include unreported cash income from service businesses (restaurants, construction contractors, medical practices), offshore accounts at foreign banks used to conceal income from the IRS, inflated business deductions using fictitious invoices, and fraudulent exemptions or credits on filed returns. The offshore fact pattern became substantially more prevalent as a prosecution category after the enactment of the Foreign Account Tax Compliance Act in 2010, which imposed reporting requirements on foreign financial institutions and generated information flows to IRS that had not previously existed.
The most cited historical precedent for criminal tax enforcement is the 1931 conviction of Al Capone, prosecuted for tax evasion on income from bootlegging after the government was unable to build a RICO-style case against his criminal organization. More recent notable cases illustrate the range of defendants: Wesley Snipes received three years for willful failure to file returns on $38 million in income; Michael “The Situation” Sorrentino served eight months for filing a false return; and Paul Manafort received a 47-month sentence for tax fraud and bank fraud arising from unreported income from political consulting work in Ukraine.
Employment Tax Fraud
Employers are required under the Federal Insurance Contributions Act to withhold Social Security and Medicare taxes from employee wages and to withhold federal income tax, then remit those withheld amounts to the IRS on a deposit schedule. Employers who withhold these taxes from employees but fail to remit them to the IRS are, in effect, converting trust fund money — funds that legally belong to the government and the employees — to their own use. The IRS calls this employment tax fraud.
On the civil side, the Trust Fund Recovery Penalty (TFRP) under 26 USC 6672 assesses a penalty equal to 100% of the unremitted trust fund taxes against any “responsible person” who willfully failed to collect or remit those taxes. Responsible persons typically include business owners, chief financial officers, and any officer with control over the company's finances and check-signing authority. The TFRP can be assessed against multiple individuals simultaneously and survives the employer's bankruptcy.
When the failure to remit is willful and the dollar amounts are large, IRS CI refers the case for criminal prosecution. The criminal statute, 26 USC 7202, carries a maximum five-year sentence per count. Employment tax fraud is a significant category in IRS CI's caseload because the offenses are common among small and medium-sized businesses experiencing cash flow difficulties and because the evidentiary proof — the employer's own payroll records and IRS deposit records — is typically straightforward once the investigation is underway.
Offshore Tax Evasion and FATCA
The Foreign Account Tax Compliance Act, enacted in 2010, fundamentally changed the landscape for offshore tax evasion. FATCA requires foreign financial institutions to report information on accounts held by U.S. persons to the IRS under penalty of a 30% withholding tax on U.S.-source payments to non-compliant institutions. The companion requirement, the Foreign Bank Account Report (FBAR) filed on FinCEN Form 114, has existed since 1970 but was rarely enforced; FATCA's information flows gave IRS CI the data needed to identify unreported foreign accounts at scale.
The UBS prosecution in 2009 — which resulted in a $780 million deferred prosecution agreement and the disclosure of approximately 4,450 U.S. account holder names — marked the beginning of a systematic enforcement campaign against Swiss and other offshore banking secrecy. Credit Suisse pleaded guilty in 2014 and paid $2.6 billion, the largest criminal tax penalty in history at the time. Both cases were built on John Doe summons (described below) and international legal assistance requests, and both generated voluntary disclosure programs through which thousands of U.S. taxpayers came into compliance with previously unreported foreign accounts.
Identity Theft Refund Fraud
Identity theft refund fraud involves filing false federal income tax returns using stolen Social Security numbers to claim fraudulent refunds before the legitimate taxpayer files their actual return. The IRS processes approximately 150 million individual returns per year; a criminal who can file a fraudulent return first — typically in late January or early February, before W-2s have been matched to returns — may receive a refund before the fraud is detected. Estimated losses from identity theft refund fraud have run as high as $5 billion in peak years, though IRS fraud filters and the IP PIN program have reduced the problem substantially.
The IRS Identity Protection PIN program, which assigns a six-digit PIN to enrolled taxpayers that must appear on the return to be processed, is the primary prevention tool. On the investigative side, the 2016 breach of the IRS Get Transcript online tool exposed approximately 700,000 taxpayer accounts and illustrated both the scale of the threat and the information security vulnerabilities in IRS systems. IRS CI has devoted substantial resources to identity theft refund fraud prosecutions, working closely with the Secret Service and FBI on organized fraud rings, which have been responsible for a disproportionate share of total losses.
Narcotics Financial Crimes and Public Corruption
IRS CI's involvement in narcotics cases reflects the reality that financial investigation — tracing income, identifying assets, and dismantling the financial infrastructure of criminal organizations — is frequently more productive than purely operational drug enforcement. IRS CI works alongside the DEA and FBI on drug cartel financial investigations, applying its expertise in following money through complex corporate structures, nominee accounts, and international banking channels. The financial dismemberment of a drug organization — seizing laundered proceeds, identifying the financial networks that move drug money, and prosecuting money laundering under 18 USC 1956 — deprives cartels of resources in ways that arrests of individual distributors do not.
Public corruption financial crimes similarly draw on IRS CI's core competency. Officials who receive bribes or kickbacks typically fail to report that income, creating a tax offense layered on top of the underlying corruption. IRS CI investigations of public officials frequently proceed in parallel with FBI public corruption investigations, with IRS CI developing the financial case — unreported income, unexplained asset accumulation, fraudulent returns — that supports or supplements the bribery or extortion charges.
Investigative Tools
IRS CI's primary administrative investigative tool is the summons authority under 26 USC 7602, which allows IRS to compel the production of books, records, papers, and testimony from any person having knowledge of the taxpayer's affairs. Unlike a grand jury subpoena, a 7602 summons does not require a grand jury proceeding and can be issued by IRS CI agents directly. Compliance is enforceable through federal district court summons enforcement proceedings.
The John Doe summons is a variant that targets unnamed persons whose identities are not yet known. The IRS must first obtain judicial approval by demonstrating that the summons relates to an identifiable group or class of persons, that there is a reasonable basis for believing those persons may have failed to comply with tax law, and that the information sought is not readily available elsewhere. John Doe summonses have been used against UBS and other Swiss banks to identify offshore account holders, and more recently against cryptocurrency exchanges including Coinbase (2016), Kraken (2021), and SFOX (2022) to identify U.S. persons who conducted unreported cryptocurrency transactions.
For cases proceeding to grand jury, IRS CI works jointly with the DOJ Tax Division, which must authorize all criminal tax prosecutions. IRS CI also receives Currency Transaction Reports and Suspicious Activity Reports from FinCEN's Bank Secrecy Act database — financial institution filings that flag large cash transactions and suspicious financial patterns. CTRs cover all cash transactions above $10,000; SARs are filed at the institution's discretion when transactions are suspicious regardless of amount. The FinCEN database of BSA filings is a significant lead-generation resource for IRS CI investigations of money laundering, structuring, and related offenses.
International cases rely on Mutual Legal Assistance Treaties, which allow the United States to request that foreign governments compel the production of records located in their jurisdiction. IRS CI also participates in the Joint International Taskforce on Shared Intelligence and Collaboration (JITSIC), a network of tax administration and law enforcement agencies that shares intelligence on cross-border tax fraud and financial crime.
Cryptocurrency Enforcement
IRS CI established a National Cryptocurrency Enforcement team in 2021, formalizing what had been ad hoc cryptocurrency case work into a dedicated unit with specialized training and tools. The unit's work spans tax evasion cases where cryptocurrency was used to conceal income, ransomware proceeds, dark web marketplace proceeds, and large-scale exchange hacks where stolen cryptocurrency was laundered through blockchain transactions.
The scale of IRS CI's cryptocurrency seizures has been striking. In FY2021, the unit seized more than $3.5 billion in cryptocurrency. FY2022 was larger still, driven substantially by the Bitfinex hack recovery: Ilya Lichtenstein and Heather Morgan were arrested in February 2022 after IRS CI traced approximately 119,754 bitcoin — worth roughly $4.5 billion at the time of seizure — stolen in a 2016 Bitfinex exchange hack, representing the largest cryptocurrency seizure in U.S. government history at that point. Total FY2022 cryptocurrency seizures exceeded $7 billion.
IRS CI's blockchain tracing capabilities rely in part on commercial tools provided by Chainalysis, which maps the movement of funds across blockchain addresses and identifies connections between wallets and known entities including exchanges, darknet markets, and sanctioned addresses. The John Doe summons strategy applied to Coinbase, Kraken, and other exchanges complements blockchain tracing by linking on-chain addresses to the real-world identity information that exchanges collect under Know Your Customer requirements.
Data Access
The IRS CI Annual Report is published in PDF form at https://www.irs.gov/compliance/criminal-investigation/irs-ci-annual-report each October. The report contains tables of aggregate statistics organized by fiscal year, case category, and field office district. No structured data API exposes IRS CI case-level records; the annual report tables are the only machine-processable source of aggregate statistics, and they must be extracted from PDF or from HTML versions of the tables when available.
Individual case information is accessible through DOJ Tax Division press releases at https://www.justice.gov/tax/tax-press-releases. These releases announce indictments, guilty pleas, and sentencing outcomes and typically include the defendant's name, offense, district, and sentence length. They are the richest source of individual case detail publicly available, and DOJ publishes them consistently for significant cases. For cases in federal district courts, the PACER (Public Access to Court Electronic Records) system provides access to the underlying criminal dockets, charging documents, and plea agreements for IRS CI-referred cases.
Python: Parsing DOJ Tax Division Press Releases by Offense Category
The following script fetches DOJ press releases related to criminal tax enforcement, classifies each release by offense category using keyword matching, extracts prison sentence lengths where stated, computes average sentence by category, and identifies the federal judicial districts appearing most frequently in prosecution announcements. Because the DOJ does not expose a structured API for criminal tax data, the script relies on the DOJ search endpoint and regular expressions applied to press release text.
import requests
import re
from collections import defaultdict
import statistics
# ---------------------------------------------------------------------------
# DOJ Tax Division Press Releases Analysis
# Source: https://www.justice.gov/tax/tax-press-releases
# The DOJ provides press releases in HTML; we scrape via their search API.
#
# Offense categories and keywords for classification:
# tax_evasion - "tax evasion", "26 U.S.C. 7201", "unreported income"
# employment_tax - "employment tax", "payroll tax", "Trust Fund", "FICA"
# id_theft - "identity theft", "IDTRF", "fraudulent refund", "stolen SSN"
# cryptocurrency - "cryptocurrency", "bitcoin", "virtual currency", "blockchain"
# narcotics - "narcotics", "drug", "cartel", "money laundering" + drug ref
# public_corrupt - "bribery", "kickback", "public official", "corruption"
# money_laundry - "money laundering", "1956", "1957" (catch-all for non-narco)
# ---------------------------------------------------------------------------
BASE_URL = "https://www.justice.gov"
SEARCH_URL = BASE_URL + "/api/v1/search/?query=tax+criminal&page_size=100&page={page}&sort=date"
CATEGORY_PATTERNS = {
"tax_evasion": [r"tax evasion", r"7201", r"unreported income", r"offshore account"],
"employment_tax": [r"employment tax", r"payroll tax", r"trust fund", r"\bfica\b"],
"id_theft": [r"identity theft", r"idtrf", r"fraudulent refund", r"stolen.*ssn"],
"cryptocurrency": [r"cryptocurren", r"bitcoin", r"virtual currency", r"blockchain", r"coinbase", r"kraken"],
"narcotics": [r"narcotics", r"\bdrug\b", r"cartel", r"dea"],
"public_corrupt": [r"bribery", r"kickback", r"public official", r"corrupt"],
"money_launder": [r"money launder", r"\b1956\b", r"\b1957\b"],
}
SENTENCE_RE = re.compile(
r"sentenced.*?(d+)s+month|(d+)s*-s*month.*?sentence|(d+)s+year.*?prison",
re.IGNORECASE,
)
def classify(text: str) -> str:
text_lower = text.lower()
for category, patterns in CATEGORY_PATTERNS.items():
for pat in patterns:
if re.search(pat, text_lower):
return category
return "other_tax"
def extract_months(text: str) -> int | None:
m = SENTENCE_RE.search(text)
if not m:
return None
if m.group(1):
return int(m.group(1))
if m.group(2):
return int(m.group(2))
if m.group(3):
return int(m.group(3)) * 12
return None
def fetch_releases(max_pages: int = 5) -> list[dict]:
releases = []
for page in range(1, max_pages + 1):
resp = requests.get(SEARCH_URL.format(page=page), timeout=30)
if resp.status_code != 200:
break
data = resp.json()
items = data.get("results", [])
if not items:
break
for item in items:
body = item.get("body", "") or ""
title = item.get("title", "") or ""
releases.append({"title": title, "body": body, "date": item.get("date", "")})
return releases
releases = fetch_releases(max_pages=5)
print(f"Fetched {len(releases)} press releases\n")
by_category: dict[str, list[int]] = defaultdict(list)
district_counts: dict[str, int] = defaultdict(int)
DISTRICT_RE = re.compile(
r"(?:District of|Eastern District of|Western District of|Northern District of|Southern District of|Middle District of)s+([A-Z][a-z]+(?:s+[A-Z][a-z]+)*)",
)
for r in releases:
combined = r["title"] + " " + r["body"]
cat = classify(combined)
months = extract_months(combined)
if months is not None:
by_category[cat].append(months)
for dm in DISTRICT_RE.finditer(combined):
district_counts[dm.group(0).strip()] += 1
print("Average sentence by offense category (months):")
print(f" {'Category':<20} {'Cases w/sentence':<18} {'Avg months'}")
print(" " + "-" * 50)
for cat in sorted(by_category, key=lambda c: -len(by_category[c])):
sentences = by_category[cat]
avg = statistics.mean(sentences) if sentences else 0
print(f" {cat:<20} {len(sentences):<18} {avg:.1f}")
print("\nTop 10 districts by prosecution volume:")
top_districts = sorted(district_counts.items(), key=lambda x: -x[1])[:10]
for dist, count in top_districts:
print(f" {count:>4} {dist}")
Several implementation notes. The DOJ search endpoint returns JSON with a results array; pagination is controlled by the page parameter. The classification logic uses the first matching category for each release; cases that match multiple patterns (a narcotics financial crime case that also involves money laundering, for example) are assigned to the first category matched in the priority order defined. The sentence extraction regex covers the most common phrasings in DOJ press releases but will miss sentences described in non-standard formats or stated as ranges rather than fixed terms. District extraction uses a regex for the standard federal district naming conventions; territories and the District of Columbia require minor pattern adjustment to capture fully. Running the script across several years of press releases — by adjusting the search query to include date filters — produces a longitudinal view of how IRS CI's prosecution priorities and average sentence lengths have shifted across administrations and enforcement regimes.
Related: IRS Statistics of Income · FinCEN BSA enforcement
Part of the Federal Regulatory Data Hub.