The Federal Tax Ombudsman has uncovered an alleged major cyber intrusion into Pakistan’s digital tax system, in which unauthorized access was used to fraudulently adjust input tax credits worth Rs. 74.8 million.

According to official findings, unidentified individuals gained illegal access to a taxpayer’s IRIS profile by misusing login credentials and revised the sales tax return for October 2025. The manipulation inserted fake supplies worth Rs. 415.6 million, wiping out the taxpayer’s entire carry-forward input tax credit.

The affected taxpayer approached the ombudsman seeking an independent inquiry, removal of the fake invoices, restoration of the tax credit and legal action against those responsible.

Investigators found that the fraud appeared to be part of a wider organized network, with indications of possible facilitation by individuals linked to the Federal Board of Revenue and Pakistan Revenue Automation Limited.

Authorities said cybercriminals exploited the data of dormant and blacklisted taxpayers, as well as accounts carrying large accumulated credits, to insert fake transactions into the system. The fraudulent activity was traced across several cities, including Karachi, Lahore, Multan, Quetta and Islamabad, with a number of beneficiaries already identified for legal proceedings.

The ombudsman described the unauthorized access and manipulation of tax records as maladministration and directed the Directorate General of Intelligence and Investigation, Inland Revenue, to carry out a detailed probe. The investigation is expected to rely on digital evidence, including IP tracking, to identify all individuals involved both inside and outside official institutions.

Tax authorities in major regions have been instructed to fully cooperate in tracing the supply chain and ensuring coordinated enforcement action.

Meanwhile, the IRS Business Process Reengineering team has been tasked with proposing system improvements, including stricter controls on credential changes, biometric verification and stronger supervisory checks.

The Federal Board of Revenue has also been directed to submit a compliance report within 60 days, detailing progress on the investigation and steps taken to prevent similar incidents.

The case has raised fresh concerns about weaknesses in Pakistan’s digital tax infrastructure and the need for stronger cybersecurity safeguards across the revenue system.