Justin Sean Johnson is under indictment in Pittsburgh on charges of conspiracy, wire fraud and aggravated identity theft in connection with the 2014 hack at UPMC.
Prosecutors said Mr. Johnson conspired with others in South America, including a Cuban national living in Venezuela who was prosecuted here for his role as a middle man, to sell the stolen data on the dark web, resulting in the filing of bogus tax returns for IRS refunds.
The Venezuelen man, Yoandy Perez Llanes, was sentenced here in 2017 and subsequently deported.
Llanes had pleaded guilty to money laundering, conspiracy and aggravated identity theft for what prosecutors said was a "back end" role in the scheme.
The 43-count indictment against Mr. Johnson was returned on May 20 and unsealed today; he appeared briefly Wednesday in the Eastern District of Michigan.
Mr. Johnson, 29, known online as "TDS" and "DS," stole names, Social Security numbers, addresses and salary information of Pennsylvania's largest health care system, U.S. Attorney Scott Brady said.
"His theft left over 65,000 victims vulnerable to years of potential financial fraud," Mr. Brady said in a statement.
He promised to pursue similar hackers until they are in custody and held accountable. Former U.S. Attorney David Hickton made a similar claim when Llanes was finally extradited to Pittsburgh after fighting extradition all the way to Venezuela's highest court. The extradition was hailed as a victory for the Justice Department in trying to bring international cybercriminals to U.S. courts to face punishment.
Tom Fattorusso, agent in charge of IRS-Criminal Investigation, said the victims in stolen ID cases such as the UPMC employees are victimized repeatedly by fraudsters after their information is hacked. He said victims have to deal with the stress of knowing their personal data is out there on the dark web and being used to file false tax returns or sold to others who file false returns.
"This causes a hardship for the innocent victims when they try to file their own tax returns," he said. "Victims are then left to deal with credit issues caused by the unscrupulous actions of the criminals.”
At Llanes' sentencing in 2017, a UPMC nurse whose information was hacked and sold to file bogus returns said her sense of security had been forever violated.
"Although his crime was against the the U.S. government and I received my IRS refund money back, my devastation is not about the money," she said. "I am a proud American and was affected deeply by this invasion of my privacy. You have no idea what I went through when I discovered I was hacked."
Mr. Johnson hacked UPMC's human resources database in 2014, the grand jury said. He sold it for use by conspirators who then filed hundreds of fake 1040 tax returns in 2014 using the UPMC employee data. The filings caused the IRS to send some $1.7 million in false refunds.
The files directed that the refunds be issued onto Amazon.com gift cards, which the filers applied toward the purchase of electronics on Amazon.
From February through March 2014, about $885,000 in electronic merchandise bought on Amazon, such as cell phones and games, was ordered using the gift cards with instructions for delivery to Venezuela through reshipping services in Miami.
Co-conspirators in Maracay and Maracaibo, Venezuela, received the shipments, the grand jury said. One of them was Llanes. Two others are named only by initials M.N. and J.M.
The grand jury said the merchandise was later sold in online marketplaces in South America.
Mr. Johnson was ordered detained by a judge in Michigan on Thursday and was headed to Pittsburgh for an initial hearing.
©2020 the Pittsburgh Post-Gazette. Distributed by Tribune Content Agency, LLC.
