June 18, 2020

An information technology specialist at the Federal Emergency Management Agency (FEMA) was arrested this week on suspicion of hacking into the human resource databases of University of Pittsburgh Medical Center (UPMC) in 2014, stealing personal data on more than 65,000 UPMC employees, and selling the data on the dark web.

On June 16, authorities in Michigan arrested 29-year-old Justin Sean Johnson in connection with a 43-count indictment on charges of conspiracy, wire fraud and aggravated identity theft.

Federal prosecutors in Pittsburgh allege that in 2013 and 2014 Johnson hacked into the Oracle PeopleSoft databases for UPMC, a $21 billion nonprofit health enterprise that includes more than 40 hospitals.

According to the indictment, Johnson stole employee information on all 65,000 then current and former employees, including their names, dates of birth, Social Security numbers, and salaries.

The stolen data also included federal form W-2 data that contained income tax and withholding information, records that prosecutors say Johnson sold on dark web marketplaces to identity thieves engaged in tax refund fraud and other financial crimes. The fraudulent tax refund claims made in the names of UPMC identity theft victims caused the IRS to issue $1.7 million in phony refunds in 2014.

“The information was sold by Johnson on dark web forums for use by conspirators, who promptly filed hundreds of false form 1040 tax returns in 2014 using UPMC employee PII,” reads a statement from U.S. Attorney Scott Brady. “These false 1040 filings claimed hundreds of thousands of dollars of false tax refunds, which they converted into Amazon.com gift cards, which were then used to purchase Amazon merchandise which was shipped to Venezuela.”

Johnson could not be reached for comment. At a court hearing in Pittsburgh this week, a judge ordered the defendant to be detained pending trial. Johnson’s attorney declined to comment on the charges.

Prosecutors allege Johnson’s intrusion into UPMC was not an isolated occurrence, and that for several years after the UPMC hack he sold personally identifiable information (PII) to buyers on dark web forums.

The indictment says Johnson used the hacker aliases “DS and “TDS” to market the stolen records to identity thieves on the Evolution and AlphaBay dark web marketplaces. However, archived copies of the now-defunct dark web forums indicate those aliases are merely abbreviations that stand for “DearthStar” and “TheDearthStar,” respectively.

“You can expect good things come tax time as I will have lots of profiles with verified prior year AGIs to make your refund filing 10x easier,” TheDearthStar advertised in an August 2015 message to AlphaBay members.

In some cases, it appears these DearthStar identities were actively involved in not just selling PII and tax refund fraud, but also stealing directly from corporate payrolls.

In an Aug. 2015 post to AlphaBay titled “I’d like to stage a heist but…,” TheDearthStar solicited people to help him cash out access he had to the payroll systems of several different companies:

“… I have nowhere to send the money. I’d like to leverage the access I have to payroll systems of a few companies and swipe a chunk of their payroll. Ideally, I’d like to find somebody who has a network of trusted individuals who can receive ACH deposits.”

When another AlphaBay member asks how much he can get, TheDearthStar responds, “Depends on how many people end up having their payroll records ‘adjusted.’ Could be $1,000 could be $100,000.”

2014 and 2015 were particularly bad years for tax refund fraud, a form of identity theft which cost taxpayers and the U.S. Treasury billions of dollars. In April 2014, KrebsOnSecurity wrote about a spike in tax refund fraud perpetrated against medical professionals that caused many to speculate that one or more major healthcare providers had been hacked.

A follow-up story that same month examined the work of a cybercrime gang that was hacking into HR departments at healthcare organizations across the country and filing fraudulent tax refund requests with the IRS on employees of those victim firms.

The Justice Department’s indictment quotes from Johnson’s online resume as stating that he is proficient at installing and administering Oracle PeopleSoft systems. A LinkedIn resume for a Justin Johnson from Detroit says the same, and that for the past five months he has served as an information technology specialist at FEMA. A Facebook profile with the same photo belongs to a Justin S. Johnson from Detroit.

Johnson’s resume also says he was self-employed for seven years as a “cyber security researcher / bug bounty hunter” who was ranked in the top 1,000 by reputation on Hacker One, a program that rewards security researchers who find and report vulnerabilities in software and web applications.


30 thoughts on “FEMA IT Specialist Charged in ID Theft, Tax Refund Fraud Conspiracy

  1. Osiris

    Sad state. Instead of using his skills for good, he decided to use them for evil. Now it’s time to pay.

    1. Sean

      When did being on the good side of cyber-security ever pay? Guy was going for a 100k payout for what was essentially a few days worth of work.

      1. Catwhisperer

        He sold himself too cheap. A good rule of thumb is that if you’re not going to make 10 times your yearly pay for each year you could possibly spend in prison, then it’s not worth it.

        What a sad waste of talent, well, maybe for the short term. He cooperates, does his time well, and there is a future for him in industry or government…

        1. yup

          Despite what the movies will tell you, the Feds would never hire an ex-felon. Any defense attorney with half a brain would call their work into question.

          1. Jobani

            What about Frank Abagnale? Abagnale is currently a consultant and lecturer for the FBI academy and field offices.

  2. Sean

    Is there any indication as to how he was able to gain access to the database?

    1. GhostGardens

      I’m going to speculate that he used one of two avenues; either he exploited a vulnerability within Weblogic (which PeopleSoft runs on in many cases) or this guy got the credentials for the access id, which generally never changes on a PeopleSoft installation because it’s used in a lot of places around the system.

  3. MattyJ

    I hope FEMA is looking into its security practices now …

  4. BF

    Use skills for evil? nope Money… pure and simple greed is what is running rampant.

    1. Doubtist

      Greed is one of the original “evils” in fact.

      1. Osiris

        Yep… one of the seven deadly sins…

        1. Lust
        2. Gluttony
        3. Greed
        4. Sloth
        5. Wrath
        6. Envy
        7. Pride

  5. DelilahTheSober

    If I had a Federal government job with excellent benefits, a retirement plan and job security, the last thing I would do is jeopardize my career by doing something stupid.

    1. James Edward Lewis II

      Did he have that job back when he committed the crime?

      Maybe he thought that the Feds weren’t after him anymore by the time he decided to “go legit”.

  6. Richard

    Where is management accountability for digital hygiene audit failure mitigation? Hacks against platforms that are monitored, hosted in securely maintain environments, apply xFA, etc. are far less likely to experience breach or hack incidents. Insider theft is one possible exception. In this case, one suspects that IT management performed “coffee cup inspection” oversight and basically shirked their roles to ensure adequate training, oversight, equipment.

    I do not condone the criminal’s action, but believe culpability is unevenly shared. UPMC IT governance was asleep and needs to be disciplined. A civil penalty of $10,000 seems like a decent penalty for neglect in this case.

  7. rip

    Of course this perp is just emulating the biggest con of them all.

    Maybe they can sit in a cell together and discuss the pros/cons.

  8. Dennis

    Oh schucks, I thought for sure he was a white guy. Nope. So it’s BLM then.

    1. Hitler's Bovine Semen Syringe Jr.

      Wow, a low IQ racist alerting the world to their presence as a moron.

      You NEVER see that!

  9. PHP

    The US needs a “primary” account per citizen. One account that gets all salaries, and is used for all tax refunds. Should be stored by government, and companies should be able to lookup account for SSN.
    Works in other countries. Banks are responsible for ID check (and possible losses), if somebody fraudalently changes someone else’s account. And they are the ones reporting it in.
    Then forbid any cash payment of salary, and require all banks to accept anybody with ID to open accounts. Then they will also know who got how much taxable salary, and black money would be easier to spot.

    1. Really?

      We should trust government bureaucrats who hire administrators like Justin Sean Johnson? Local, state and federal government agencies do a horrible job with protecting information, managing citizens’ records, handling money, honoring civil rights, and respecting individual privacy. But you want to use government as the solution?

    2. GovLover

      This is the same guy thats always vouching for more government power, spying, etc. on every comment I’ve ever seen.

  10. member

    funny how when facebook, google, etc sells your data is fine but when someone else is doing it, we make an example out of him

    1. James

      please don’t be this stupid, conflating someone who voluntarily signs up for a social media account, on a platform that is widely known to sell your info no less, with someone’s identity being legit stolen from their employer’s HR systems…. that’s wildly different, and everyone should know better

  11. Jim

    Interesting, but, when you have a government that argues, that a private enterprise is better, and creates public failure, how can you trust either? Is Facebook any better then the banks? Are the banks any better then the government? Does one hire better and have more trust? No. It’s the employee doing the job that creates the trust, or enables the downfall. Yes we need better laws without exception, that bad actors are punished, even to the corporate level. We are not doing that. I’m actually amazed law enforcement found him. Now, let’s see if he gets a slap on the wrist.

  12. Seth

    Anakin…you were supposed to destroy the Sith, not join them! 🙁

  13. security vet

    …gov’t employees have not had a defined retirement – aka a pension – for a long time now – he only gets what he saves in a thrift savings pan (TSP) – basically a 401(k) plan…

    …his connection to fema is just a red herring – it has nothing to do with him going bad…

  14. JCitizen

    FEMA is evil period. Just a bunch of jack booted thugs. Not unlike the brown shirts of old. Their performance in these COVID times is especially dastardly.

  15. saha

    el saha el25barya FEMA is evil period. Just a bunch of jack booted thugs. Not unlike the brown shirts of old. Their performance in these COVID times is especially dastardly.

  16. Pamela Roberson

    Every thing I log into goggle ,comcast,at&t ,Xfinity
    Over the past two years I have had over 5600 goggle accounts taken over .They commit mad fraud on them everything but the cops won’t let me make a report. Well I do but they pay it no attention .
    This messed up in a major way. The Morman church is not totally at fault ..They do share some of the responsibility .
    The real burden falls on who gave my position away and then who pressed my family. Set me up and set me to jail while they took my businesses then sold me .This is Morden day slavery

Comments are closed.