Hacker who sold UPMC employee data on the dark web pleads guilty

A Michigan man pleaded guilty Thursday morning to hacking a UPMC employee database in 2014 and stealing the personal information of more than 65,000 people and then selling it on the dark web.

Justin Sean Johnson, 30, will be sentenced by U.S. District Chief Judge Mark Hornak in about four months. He is being held in the Butler County Prison and appeared for Thursday’s hearing on an online video program.

Johnson faces a maximum of seven years in prison after pleading guilty to just two of 43 counts against him. He pleaded guilty to one count of conspiracy and one count of aggravated identity theft, although he accepted responsibility for all of the conduct laid out in the indictment.

According to Assistant U.S. Attorney Greg Melucci, Johnson, investigators with the IRS, U.S. Postal Service and U.S. Secret Service conducted a nearly five-year investigation concerning Johnson and his co-conspirators.

They found that Johnson, who had become an expert in the PeopleSoft software used by UPMC, used that expertise to hack their employee database.

He then sold that information, using the moniker “The Dearth Star” and later “Dearthy Star” on the dark web.

“Virtually every UPMC employee’s [personally identifiable information] was victimized,” Melucci said. “The intruder clearly had a high skill set.”

Then, in 2014, the prosecutor continued, the IRS received hundreds of false 2013 tax returns seeking to have the refunds sent on Amazon.com gift cards.

The Amazon gift cards were then used to buy hundreds of thousands of dollars of electronics merchandise that was then delivered to Venezuela.

At least one co-conspirator Yoandy Perez Llanes was arrested in Venezuela. He pleaded guilty in Pittsburgh in 2017.

According to the U.S. Attorney’s office, more than $1.7 million in false returns were filed.

Even after charges were filed against Llanes, Johnson continued to sell stolen data on the dark web, Melucci said, regularly advertising in 2016 and 2017 that he had personal identifying information for more than 45,000 people.

He sold that data for cryptocurrency online.

In addition to the UPMC data that was stolen, Melucci said that investigators found the personal information of an additional 89,310 people on electronics recovered during Johnson’s arrest in 2020 in Detroit. That data, they said, came from Butler University in Indianapolis; Daytona State College in Florida; medical centers in Georgia and South Carolina, as well as other colleges in California, New Jersey and Oregon.

Throughout the course of the investigation, Melucci told the court, agents found multiple chats in which the defendant offered tax advice and talked about his proficiency with PeopleSoft.

Evidence found on his computers showed that Johnson Googled the term PeopleSoft more than 1,000 times. But as time wore on, Melucci said, Johnson also started to search repeatedly for information about any criminal charges filed against him, including on federal court databases, and checking for national criminal warrants.