06/23/2020 | Cybercrime, Law Enforcement

The man who allegedly hacked the University of Pittsburgh Medical Center’s human resource systems and stole PII from more than 65,000 UPMC employees was arrested Tuesday morning in Detroit, Michigan, United States Attorney Scott W. Brady announced today.

A federal grand jury in Pittsburgh charged Justin Sean Johnson with conspiracy, wire fraud and aggravated identity theft in connection with UPMC’s 2014 hack.

Johnson is alleged to have then sold employees’ Personally Identifiable Information (PII) and W-2 information on the dark web, resulting in the filing of thousands of false IRS tax returns.

The 43-count indictment, which names Justin Sean Johnson, a/k/a “TDS,” a/k/a “DS,” 29, originally from Michigan, was returned on May 20 and unsealed today. Johnson made an initial appearance in Michigan’s Eastern District Federal Court yesterday. The Government plans to seek the defendant’s detention pending trial.

The 43-count indictment alleges that Johnson first hacked into UPMC’s HR database on December 1, 2013. During that first hack he stole the personal details of more than 23,500 UPMC employees. Johnson then regularly hacked into the UPMC HR database between 21 January 2014 and 24 February 2014 and stole the information of thousands of UPMC staff.

Johnson allegedly identified the stolen information on the dark web marketplace Evolution between 11 December 2013 and 12 April 2014. Johnson allegedly operated under the aliases “DearthStar” and “DearthStar.”

Johnson deposited his earnings into an account with Coinbase. The deposits allegedly amounted to more than $8,000. Between January and March 2014, buyers of the stolen information Johnson sold reportedly filed more than 1,300 false income tax returns. The filers then claimed over $1.7 million in unauthorized tax refunds.

The indictment alleges that Johnson has tried to hack businesses and sell stolen information on dark web marketplaces since the UPMC breach in 2014. Investigators conclude the vendor accounts were run through 2017.

A federal grand jury in Pittsburgh indicted Johnson on 20 May 2020 for conspiracy, wire fraud and felony allegations of identity theft. He was arrested in Detroit on 16 June.