Ignacio “Iggy” Balderas sat at the long table, elbows on the money-green tablecloth, and stared up at the commissioners on the dais before him. To his right sat executives from two other military contractors, DynCorp International and Aegis LLC; to his left was an empty seat where another CEO was supposed to be. But that contractor’s lawyer had told the panel that his client was “nervous about appearing in front of this commission.”

Balderas, CEO of Triple Canopy Inc., evidently had no such qualms. It was June 21, 2010, drawdown time in Iraq, and he was there before the independent Commission on Wartime Contracting — set up by Congress to oversee the U.S. growing war-zone private sector — to testify, in part, about oversight and responsibility in the private security contracting industry.

Triple Canopy was one of military contracting’s 800-pound gorillas, formed after the U.S. invasion of Iraq in 2003 — and even its formation was a stroke of boldness. It was a private army that existed largely on paper, bidding for Pentagon and State Department contracts, before the Army Delta Force soldiers who’d founded it had even procured a single gun or armored vehicle. The rush to arm and equip that private force only came after the company was awarded $90 million to protect U.S. coalition authorities in Iraq.

Since then, it had become a major player, inheriting many of embattled contractor Blackwater’s responsibilities when that company fell out of favor in Iraq. But Triple Canopy, too, had now come under media scrutiny — for allegedly firing on Iraqi civilians, misleading family members about the death of a security worker in Iraq, buying weapons on the black market, and mismanaging contracts in myriad ways.

So it wasn’t out of character when Balderas, addressing the bipartisan watchdog commission, went on a polite but persistent offensive. He began touting the benefits of employing American private security companies in foreign theaters of war. Using U.S.-owned private firms provided value and accountability, he testified, because they are “subject to a host of laws designed to enforce U.S. legal and policy considerations.” Foreign firms posed a risk because they could “avoid paying U.S. taxes, avoid U.S. criminal investigations and jurisdiction, and avoid having to appear before Congress.”

Four months after that hearing, the State Department awarded Triple Canopy a contract worth nearly a billion dollars to protect U.S. diplomats traveling in Iraq.

What Balderas didn’t mention in his two and a half hours before the commission — what the Panama Papers now reveal — was that, just weeks prior, Triple Canopy had acquired Edinburgh International, a Dubai-based military contractor, operating out of a suite of offshore companies in the British Virgin Islands, registered for a time through the Panamanian law firm Mossack Fonseca. The leaked files from the firm were obtained by Süddeutsche Zeitung, and shared with Fusion, the McClatchy newspaper chain, and more than 100 other media partners by the International Consortium of Investigative Journalists.

That acquisition — run through an offshore shell company, Trifecta International Holdings Inc., that Triple Canopy created specifically for the purchase — gave one of America’s larger and more controversial security contractors a business structure with the potential to sidestep the very same U.S. oversight and accountability that Balderas had made a selling point to the commission.

Balderas — now retired from Triple Canopy — did not respond to a request for comment from Fusion. Gary Moore, former general counsel for Triple Canopy and current chief legal officer for its parent company, Constellis Group, told Fusion that it annually discloses the existence of its offshore subsidiaries to the Pentagon and IRS, and that their business is routine. “If you have offshore business, it’s normal… like any of the other Fortune 500 companies,” Moore said, adding: “The British Virgin Islands is one of the locations that people go for foreign companies that conduct business in foreign locations; it’s standard practice.”

In a statement provided post-publication, a State Department official said that they have “not had any contractual issues resulting from the merger [of the companies],” adding that “the eligibility and capability of a U.S. based private security contractor to hold and perform a Worldwide Protective Services contract would not appear to be affected by its control or operation of offshore subsidiaries that are not involved in the performance of the WPS contract.”

Related Watch how easy it is to start an anonymous shell company for your cat

Yet serious security and propriety questions arise when a military contractor, performing sensitive security tasks for U.S. government officials in a war zone, has concealable offshore holdings, says Charles Tiefer, a contracting expert at the University of Baltimore law school — and a member of the Commission on Wartime Contracting who sat in on Balderas’ 2010 testimony.

‘There’s no reason for them to do that, except for the same reason that people bank in Turks and Caicos.’

Simply knowing that such offshores exist isn’t enough information for the U.S. to provide oversight of a company’s activities. “There’s no defense-auditing sunshine on a British Virgin Island company,” Tiefer told Fusion. “All that the U.S. knows is that there’s [a company] out there.” (The Defense Contract Audit Agency, which oversees Pentagon contractors, did not respond to Fusion’s request for comment.)

The five British Virgin Island offshores acquired by Triple Canopy include ERSM (Afghanistan) Limited, a company that Edinburgh International had used to provide security and other services in Afghanistan since 2005. The company remains active and has secured millions in U.S. government contracts. (In 2012, the offshores switched their address from Mossack Fonseca’s British Virgin Islands office to that of a new registered agent in the Cayman Islands.)

Such offshore activities are not as routine among military contractors as Triple Canopy portrays them, Tiefer said. In his three years on the contracting commission, “The alarm bells went off on the very few occasions when an American or British company had an overseas [holding],” he said.

“There’s no reason for them to do that, except for the same reason that people bank in Turks and Caicos, which is to take them out of the line of visibility of American domestic authorities, who can’t audit the doings of Caribbean island entities.”

As Fusion and its partners have reported extensively, offshore shell companies can be used for a variety of legitimate reasons. But the Panama Papers investigation shows that these structures are also ideal for limiting legal liability, concealing the sources and amounts of a firm’s wealth, avoiding taxes, and enabling illicit activities.

That’s a dangerous brew in the hands of military security contractors, said Erica Razook, a former anti-corruption legal officer at the Open Society Justice Initiative.

“In an industry centered on the use of force and violence, to base operations in jurisdictions where those two things—the money and people coming into the operation—are being shielded from any kind of authority is particularly concerning,” she told Fusion.

U.S. oversight of wartime contractors has long been messy and inadequate. Triple Canopy plays a central role in that messy history. In the years leading up to its acquisition of Edinburgh International, the security firm was criticized for understaffing its security details and poor accounting methods. It currently faces a Department of Justice lawsuit that alleges the firm falsified marksmanship records for 332 poorly skilled Ugandan guards hired to provide security at Al Asad airbase in dangerous Anbar in 2009 and 2010 — the second largest airbase in Iraq. (Triple Canopy’s Moore declined to comment on the case, noting that litigation was still pending.)

Triple Canopy has also faced scrutiny for its methods in the field; two security workers sued the firm in 2006, claiming they were fired for reporting a supervisor who had shot indiscriminately at Iraqi vehicles, causing an unknown number of casualties. “I couldn’t stand what was happening,” another Triple Canopy guard who was present for the shooting incidents told the Washington Post in 2007. “It seemed like every day they were covering something up.” (The parties eventually settled the suit out of court; Triple Canopy did not acknowledge liability in the settlement.)

Depositions of Triple Canopy employees taken in that lawsuit also suggested that some of its personnel had purchased weapons on Iraq’s black market, raising concerns that the proceeds had gone to anti-U.S. insurgents. “We’re spending a lot of money on these rifles, millions of dollars — where do you think that money is going to?” an ex-manager said in his June 2007 deposition. “Who are we supporting in doing that? We’re supporting people who are trying to kill Americans is the logical conclusion.” (Triple Canopy officials acknowledged buying weapons in Iraq, but said they had done nothing wrong.)

The U.S.’s Special Inspector General for Iraq Reconstruction, Stuart Bowen, opened a criminal investigation against Triple Canopy in that case, but he ultimately decided not to file charges against the firm. “It’s unclear if anything that Triple Canopy did was criminal, but it was symptomatic of the chaos that prevailed at the time,” Bowen told ProPublica in 2009. “It’s another example of contracting gone wrong.”

Through that chaos, one way large military contractors adapted was through rebranding — renaming and restructuring their operations to distance themselves from past criticisms, Razook told Fusion. “They are often deliberately disassociating from their history, from any kind of transparency that there may have been,” she said. Blackwater’s evolution was a prime example of this process. The controversial security contractor — whose founder is currently under a federal investigation for money laundering — was renamed Xe in 2009, then rebranded as Academii in 2011.

And in 2014, Academii merged with Triple Canopy under a new corporate parent known as Constellis Holdings.

Public records in the U.S. government’s official System for Award Management (SAM) reveal no obvious connections between Triple Canopy and its offshore contractor firms. ERSM Afghanistan’s mailing address is in Dubai. Its business type is listed as “foreign owned.”

Tiefer said that could effectively put an end to the government’s ability to audit Triple Canopy. “The nasty term that contractors tried to say didn’t apply to them was ‘mercenaries,’ and you’re getting closer to the mercenary model when they operate from an offshore place that doesn’t have visibility,” he said. “So if they have this hidden network, they can do things that are outrageous to U.S. sensibilities through this network somewhere else.” (A spokeswoman for Triple Canopy/Constellis disputed this characterization, saying in a statement that “Triple Canopy does not use BVI entities to conduct its business.”)

Yet the U.S. government doesn’t seem to share Tiefer’s misgivings. In mid-February, the Pentagon and State Department awarded Triple Canopy a new round of sensitive security and counter-narcotics contracts. Together, they’re potentially worth more than $4.5 billion. DOD and State representatives did not return Fusion’s requests for comment by press time.

Update: This story was updated to include a State Department response to Fusion’s request for comment.