Newly released documents show the panic that gripped the Panamanian law firm of Mossack Fonseca after it realised that its records had been hacked in March 2016, shortly before the International Consortium of Investigative Journalists in Washington and the Süddeutsche Zeitung in Germany leaked them to the world.

The new leak consists of emails, PDFs of passports and electronic files of criminal cases that the now-defunct firm generated between early 2016 and late 2017. These are, in their way, as revelatory as the originals that were publicised in April 2016.

They also show how the firm was unable to persuade customers - shady or otherwise - to present it with 'due diligence' documents at short notice. A Swiss wealth management advisor who acted for 80 companies that the firm had set up is quoted as writing: “The client disappeared - I can't find him any more!” Meanwhile, a lawyer in Florida who had to field a blizzard of requests from Mossack Fonseca for long-overdue 'due diligence' records reportedly wrote: “We can't go back a day after asking for papers to ask for something else, we look like...amateurs - a Mickey Mouse operation.” In other words, the law firm often had no idea who was benefiting from its services. It had registered thousands of companies in offshore jurisdictions without identifying their owners properly.

The ICIJ takes great pleasure in quoting something that the law firm told it in a defensive letter in March 2016: "We are responsible members of the global financial and business community. We conduct thorough due diligence on all new and prospective clients that often exceeds in stringency the existing rules and standards to which we and others are bound. Many of our clients come through established and reputable law firms and financial institutions across the world, including the major correspondent banks, which are also bound by international 'know your client' (KYC) protocols and their own domestic regulations and laws. The documents you cite in your reporting show that we routinely deny services to individuals who are compromised or who fail to provide information we need in order to comply with our KYC and other obligations." In fact, the consortium says, even two months after it had discovered the hack, it had not tracked down 70+% of 28,500 active companies that it was serving in the British Virgin Islands. As readers know, 52% of the 240,000 shell companies represented by the law firm were incorporated in the BVI, according to the original cache of April 2016. The ICIJ says that it also did not know who owned three-quarters of the 10,500 active shell companies in Panama that were on its books.

The consortium interviewed Guillermina McDonald, Mossack Fonseca's lawyer, last month. She told it that the firm considered its clients to be the lawyers, bankers and accountants who served as intermediaries rather than the end-users. Jack Blum, an American attorney who used to work for the Senate Antitrust Subcommittee and the Senate Foreign Relations Committee, told it in a separate communication: “It shouldn’t be acceptable that a firm like this doesn’t know the owner of one shell company, let alone thousands of them. It tells you how far the shell business has gone in terms of being a sham. It strikes me that it’s as crazy as crazy can be.”

When regulators in various jurisdictions came asking for details of accounts in 2016-17, the law firm was hard-put to find them. The Financial Services Authority of the Seychelles asked it to hand over the names of the owners of 5,379 active companies incorporated there, but the ICIJ says that internal emails show “employees acknowledging to each other that they might not be able to comply with the requests – and discussing the potential risk of losing the right to operate in the country.”