Authorities arrested and charged a Michigan man for allegedly hacking the human resource database of a medical center, stealing the personally identifiable information of more than 65,000 employees, and selling the stolen data on the darkweb.
According to court records, Justin Sean Johnson, 29, hacked the human resource databases of the University of Pittsburgh Medical Center (UPMC) in late 2013 and early 2014. He used his access to steal names of employees, Social Security numbers, addresses, employment statuses, and W-2 information. Johnson allegedly sold the stolen information on the darkweb. According to court records, customers filed false tax returns and claimed tax refunds.
The 43-count indictment alleges that Johnson first hacked into the HR database of UPMC on December 1, 2013. He stole the personal information of more than 23,500 UPMC employees during the first breach. Johnson then hacked into the UPMC HR database regularly between January 21, 2014, and February 24, 2014, and stole the information of thousands of UPMC employees.
Between December 11, 2013, and April 12, 2014, Johnson allegedly listed the stolen information on the Evolution darkweb marketplace. Johnson allegedly operated under the aliases “DearthStar” and “TheDearthStar." An example of a listing from TheDearthStar is copied below:
US identity Fullz + 2013 W-2 [Pack of 10]
Description $3 each Name Address City State Zip SSN DOB Federal State/City W-2 Information (includes employer EIN and address) Provided but unverified data: Marital Status
!!!The majority of this listing will originate from Pennsylvania!!!
Johnson deposited his earnings into an account with Coinbase. The deposits allegedly amounted to more than $8,000.
The buyers of the stolen information sold by Johnson reportedly filed more than 1,300 false income tax returns between January and March 2014. The filers then claimed more than $1.7 million in unauthorized tax refunds.
U.S. Attorney Brady:
Justin Johnson stands accused of stealing the names, Social Security numbers, addresses and salary information of every employee of Pennsylvania’s largest health care system. After his hack, Johnson then sold UPMC employees’ PII to buyers around the world on dark web marketplaces, who in turn engaged in massive campaign of further scams and theft. His theft left over 65,000 victims vulnerable to years of potential financial fraud. Hackers like Johnson should know that our office will pursue you relentlessly until you are in custody and held accountable for your crimes.
The indictment alleges that after the UPMC hack in 2014, Johnson continued to hack companies and sell stolen information on darkweb marketplaces. Investigators believe he operated vendor accounts through 2017.
On May 20, 2020, Johnson was indicted by a federal grand jury in Pittsburgh for conspiracy, wire fraud and aggravated identity theft charges. He was arrested on June 16 in Detroit.