The use of offshore business entities is generally not illegal in the jurisdictions in which they are registered, but during their investigation reporters found that some of the shell companies may have been used for illegal purposes, including fraud, drug trafficking, and tax evasion.
The documents were made available to the Süddeutsche Zeitung beginning in early 2015 by an anonymous source, an unremunerated whistleblower using the pseudonym "John Doe". The information documented actions going back to the 1970s and eventually totaled 2.6 terabytes of data. Given the scale of the leak, the newspaper enlisted the help of the U.S.-based International Consortium of Investigative Journalists (ICIJ), distributed documents for investigation and analysis to some 400 journalists at 107 media organizations in more than eighty countries. The first news reports based on the papers, and 149 of the documents themselves, were published on April 3, 2016. A full list of companies is promised for early May 2016. The president of
While no formal definition exists, offshore financial centers (sometimes also called "tax havens") are typically defined as jurisdictions whose banking industries:
- primarily provide services to people or businesses who are not resident;
- do not require companies to disclose information; and
- have low-tax regimes.
Companies and individuals may place money in offshore financial centers for a variety of reasons, some "perfectly legal and benign". However, as noted by The Economist and researchers like the Tax Justice Network, "the most obvious use of offshore financial centers is to avoid taxes" and other laws and regulations.
Law firms play a central role in the operation of offshore financial centers. Mossack Fonseca, a Panamanian law firm, is one of the biggest offshore law firms, and an "industry leader". The firm's services include incorporating companies in offshore financial centers and administering offshore companies. This can include creating "complex shell company structures" that, while legal, also allow the firm's clients "to operate behind an often impenetrable wall of secrecy". The leaked papers detail such structures.
Mossack Fonseca has acted on behalf of more than 300,000 companies, most of which are registered in the
More than a year before the first publication of the
The reporters communicated with the source only via encrypted channels, as he demanded anonymity: "There are a couple of conditions. My life is in danger, we will only chat over encrypted [lines]. No meeting ever." Süddeutsche Zeitung journalist Bastian Obermayer said the source decided to do it because he thought Mossack Fonseca was behaving unethically. "The source thinks that this law firm in
The International Consortium of Investigative Journalists organized the research and review of documents. They enlisted reporters and resources at The Guardian, the BBC, Le Monde, SonntagsZeitung, Falter, and La Nación and German public broadcasters Norddeutscher Rundfunk and Süddeutscher Rundfunk and Austrian ORF (broadcaster). The team initially met in
The total quantity of the leaked data significantly exceeds that of the Wikileaks Cablegate 2010 (1.7 GB), Offshore Leaks 2013 (260 GB), Lux Leaks 2014 (4 GB), and Swiss Leaks 2015 (3.3 GB). The data primarily comprises e-mails, PDF files, photos, and excerpts of an internal Mossack Fonseca database, covering a period from the 1970s to 2016. The Panama Papers leak provides data on some 214,000 companies with a folder for each shell firm that contains e-mails, contracts, transcripts, and scanned documents. The leak comprises 4,804,618 emails; 3,047,306 database format files; 2,154,264 PDFs; 1,117,026 images; 320,166 text files; and 2,242 files in other formats.
The data was systematically indexed using proprietary software donated by the Australian company Nuix. The software is also used by international investigators. Nuix was used to perform optical character recognition (OCR) on the millions of scanned documents, making the data machine-readable and searchable. Reporters then used Nuix tools to extract individual and corporate names from the documents for analysis. Compiled lists of important people were then cross matched against the processed documents. The next step in the analysis was to connect people, roles, monetary flow, and structure legality.
The company advised its customers April 1, 2016, of an email hack, but denied any connection to the leak, saying the hack was limited. Privacy experts have noted that the company did not encrypt its emails and also seems to have been running a three-year-old version of Drupal with several known vulnerabilities.