Case 2: 20- c?r- -00094- MRH Document 3 Filed 05/20/20 Page 1 of 18 5.44 mm IN THE UNITED STATES DISTRICT COURT - . MAY 20 2020 FOR THE WESTERN DISTRICT CLERK u. 3. DISTRICT COURT Criminal No. . . - - (1-.8U.S C. 2, 371', 1028A(a)(1), and 1343) JUSTIN SEAN JOHNSON UNDER SEAL . a/k/a TDS . a/k/a . INDICTMENT . INTRODUCTION AND BACKGROUND I 1. I At all times material to this Indictment, the University of Pittsburgh Medical Center I (hereafter, headquartered in Pittsburgh was a $10 billion integrated I global nonpro?t health care enterprise with more than 65,000 employees, 21 hospitals, and 400 clinical locations. It operates outpatient Sites and doctors of?ces, a 2. 3 million?member health insurance division, as-well ascommercial and international ventures 1n Europe and China. I 2. I At all times material to this Indictment, UPMC maintained an electronic human 1 resource database (hereafter, database?) of employee information onthe content server in its computer network, which contained highly sensitive, personally? identi?able information (hereafter, of present and former employees, including names, dates of birth, social security .. I numbers, marriage employment statuses, and federal Form data which also contained income and tax. withholding information. . I At all times material to this Indictment, the HR database was Imanaged by ?iPeopleSoft?Idata and human resource management Software, and IIwas accessible only via password by authorized UPMC personnel. The HR databaSe contained the P11 of approximately 65,000 UPMC employees. Case Document 3 Filled 05/20/20 Page 2 of 18 . On or about December 1, 2013,. an unauthorized: infiltratiOn occurred. tothe HR . database network, and a ?test query? for PII belonging to approximately 23,500 employees was performed by the intruder. 5. I Beginning on or :abOut January 21, 2014, through February 24, 20.14, frequent, remote infiltrations of the. HR database occurred, often multiple times daily, during which time. the - in?ltrator (hereafter, ??hacker?), was able to View and to exfiltrate RPII belonging to "tens of thousands of UPMC'employeesWithin a few days, UPMC investigators determined that PII belonging'to'tens of thousands of UPMCemployees was likely VieWed and stolen by thehacker- i i 1? 7., Between January 31, .2014, and March 6, 2014, approXimately 1,327 unauthorized, fraudulently-?led year 2013 Form 1040, 1040A, and 1040EZ federal income tax returns, (hereafter, 7 ?Returns?) were fraudulently prepared, electronically transmitted and ?led with the IRS iwhich contained the PH of UPMC employees. 1 8. i The Returns were falsi?ed to Claim excessiye withholdings due, and included other :1 materially false statements, which caused the IRS to issue $1.7 million in unauthorized federal tax - refunds. I - 9. I The ?lers-directed that the tax refunds be issued onto gift cards, which the tax ?lers applied towards the purchaseof electronic merchandise at AmazoncomBetween February 27, '14, 2014, approximately $885,578.00 in electronic merchandise; purchased at Arna-zonfcom, such- as Samsung and Apple .cell phones, gaming deVices, and other. electronics, was ordered using thefraudulently obtained gift cards, with instructions- for delivery of the merchandise lite-Venezuela, through 'reshippin?g services located in Miami, Florida. Case Document3 Filed 05/20/20 Page 3'of 18 11. Individuals residing in Maracayi'and Maracaibo; Venezuela, received the Amazon shipments, including,I persons known to the grand jury as Y.L., M.N., and J.M., among others both known and unknown tothe grand jury. I 12. The unlawfully obtained merchandise was later traf?cked and sold on online marketplace websites in South America, Case DocumentB Filed 05/20/20 Paige'4 of 18' COUNT ONE The grand jury charges: A '13. The United States incorporates by reference herein the allegations set forth in I paragraphs 1?12,~ as though set forth at length more fully herein. 0 THE CONSPIRACY AND ITS OBJECTS i 1. 14. . I Beginning in and around November, 2013, and'continuing thereafter until in and around May,2014, in the Western District of and elsewhere, the defendant, USTIN. SEAN JOHNSON, a/k/a TDS, a/k/a DS, conspired with persons known to the grand Jury as Y. L., M. A., and and with other persons both known and unknown to the grand Jury (collectively hereafter, ?Fconspirators? who all knowingly and willfully did conspire, combine, confederate, and agree together to defraud the United States of America, by 1mpairing, impeding, - obstructing, and defeating the lawful government functions of the IRS in the ascertainment, computation, assessment, and collection of the revenue, to wit, the ?ling of falSe Form 1040 federal. income tax returns. MANNER AND MEANS 15. It was a part of the conspiracy that the defendant, JUSTIN SEAN JOHNSON, a/k/a TDS, a/k/a DS (hereafter, determined to unlawfully in?ltrate the HR database content servers located at the University of Pittsburgh Medical Center, which contained personally identi?able information of employees'of UPMC, toex?ltrateand to steal bulk amounts of P11 including names,_dates of birth, social security'numbers, marriage statuses,incomeis, and other informatiOn Contained in employee forms, and to solicit the sale of the data to buyers on ?darkwebgmarketplaces who schemed to ?le false federal'income tax returns. 16. .I ?It was further a part of the conspiracy that in and around November, 2013,1?n a I Facebook chat, JOHNSON Stated that he wanted ?to play with Peoplesoft, ?which is basically HR Case ?Document3 Filed 05/20/20 Page 5 of 18 in a box,? that he was ?conspiring,? and that hexwould be willing to tell the other person about-it ?Ion torclzat.? i 17. i It was further a part of the conspiracy that JOHNSON became self?taught and pro?cient in PeopleSoft management software and performed over 1,000 Google searches for the word ?PeopleSoft,? in order-to uncover any vulnerability in'the software. 18. It Was further a part of the conspiracy that to familiarize himself with P?eopleSOft, JOHNSON stored information on his Geogle Drive titled and ?Super User.? I 19. It was further a part of the conspiracy that in Facebook chats in November, 2013, JOHNSON stated to others that he Would be ?rich by end of year ifyou had What i have,? that he was looking for a ?tor messaging service,? and that ?the onion World is a very wonderful place.? 20. It Was further apart of the conspiracy that JOHNSON conspired with others about I how to obtain bitcoin for a ?seller quali?bation fee? in order to. ?acquire, sell, (and to) pro?t?. I from stolen PH. 21. It was further a part of the conspiracy that JOHNSON and censpirators discussed obtaining unlawful access through PeopleSoft?managed databaSes in order to gain illegal access to company HR databases, for example, the database of a prominent national retailer, 22; It Was further a part of the conspiracy that JOHNSON frequently chatted with others abouthis familiarity with the IRS, the process of filing electronic tax returns, the duties of ?Case Advocates? and how to obtain a preparer tax identi?cation number (hereafter, I 23.. It was further a part of the conspiracy that on or about December fl, 2013, JOHNSON infiltrated the centent server of the HR database at .UPMC by use of the TOR network and queried the PH, including Form W-2 data, of approximately 23,500 UPMC employees. Case Document 3 Filed 05/20/20 Page Was further. a part of the conspiracy that on or. about January 20, 2014, JOHNSON again intruded into the HR database and 'queriedForm data of UPMC employees. . I 25. It was further a part of the conspiracy that between January 21, 2014, and February .24, in?ltrated, queried, and ex?ltrated to hiscontrol, PH belonging to thousands of UPMC employees. I . 26. It was further apart of the conspiracy that JOHNSON, using the moniker, then solicited the sale of the stolen UPMC employee PH ona darkweb trading forum knownas ?Evolution.? 0 27. . It was further a part of the conspiracy that in January, 2014, TDS sclicite'd the sale of UPMC employee P11 on Evolution, stating as follows: i I Identity Fullz 2013 W- 2 [Pack of] 0] Description $3 each Name Address City State Zip SSN DOB Federal State/City W-2 Information (includes employer EIN and address) Provided but unveri?ed data. Marital Status he majority of this listing will originate ?om 28. It was further a part of the conspiracy that between January and February, 2014, . buyers of the stolen UPMC PH acknowledged their purchases of the UPMC employee PH, stated that TDS was. a good seller, and said that they would do business with him again. 29. It was further a part of the conspiracy that TDS solder consigned UPMC employee PH to a person known to the grand jury as M.N. (an unindicted oonspirator), and directed that M.N. send a percentage of pro?ts from the use of the data to TDS 1n bitcoin 30. It was further a part of the conspiracy that M. N. digitally preserved records from his'acquisition of the UPMC from TDS in a folder titled ?new HR pro?les?om 1 Case Document 3 Filed 05/20/20 Page 7 0118 31. I I It was further a part of the conspiracy that on or about October 31, I 2013, JOHNSON. I registered an account at exchange provider Coinbase for the purpose of depositing I. proceeds from the sale of the UPMC employee PII. I 32. It was further a part of the conspiracy that JOHNSON deposited approximately . 1 258. 97 into his Bitcoin wallet from the sale of the UPMC employee PI.I .33, I It was further a part Of the conspiracy that beginning 1n January, 2014, thr0ugh March, 2014, conspirators who purchased the stolen UPMC employee from TDS prepared, electronically transmitted, and ?led approximately 1,327 false Form 1040 federal income tax I "returns from locations 1n Venezuela or elsewhere, which contained the UPMC employee PII. 34'. 1 It was further a part ofthek conspiracy that, for the purpose of'eledtronically transmitting the false federal income tax returns, conspirators registered ?ctitious email addresses through anonymizing foreign email service providers known as ?HushmailcOm? and ?SafewasIfurther a part 10f the conspiracy that conspirators requested taxIrefundIs in the form of AmazonIcom gift cards, which they redeemed for Amazon. com [electronic merchandise. 36. I i It was further a part of the censpiracy that conspirators then, using the previously registered Hushmail or Safe- mail email aCcounts and the Amazon. com gift cards, purchased hundreds of thousands of dollars in electronics and merchandise at Amazon com, such as Samsung Galaxy cell phones, Apple iPhoInes, HP laptop computers, tablets, and gaming devices. 1 37; It was further a part of the conspiracy that conspirators registered shipping accounts I i at reshipping service companies in Miami, Florida, for the purpose Of reshippIing the fraudulently purchased merchandise from the United States to Venezuela. 5 I - Case Document 3 Filed 05/20/20 Page 8 of ?18 38. It was further apart cf the conspiracy that the conspirators caused the fraudulently obtained merchandise to be. sent by reshipping services located 1n Miami, Florida,?by air freight to I Maracay and Maracaibo, Venezuela. i I i I 239'. .. It was further a part of the conspiracy that conspirators then traf?cked-in and sold y' . [l the electronic merchandise through online-. auction websites in Scuth America. 2 . 1 OVERT ACTS 40.. I In furtherance of the conspiracy, and to effect the objects of the conspiracy, the ?de?fendant JUSTIN SEAN JOHSON, a/k/a TDS, a/k/a DS, and conspirators both known and unknoWn to the grand Jury, did commit and cause to be committed, the following overt acts, among others in the Western District of and elsewhereabout October 31, 20,13, JOHNSON. magi an account. at exchange Colinbase; . I I I On December 1, 2013 JOHNSON in?ltrated the UPMC HR database and queried PII belonging td thousands of UPMC employees; 1 Between January 21, 2014, and February 24, 201.4, JOHNSON regularly I infiltrated the content servers of the UPMC HR database and queried and exfiltrated P11 belonging- to thousands of UPMC employees, I I i Between December 11, 2013, and April 12, 2014, JOHNSON made I, deposits of into his CoinbaSe aCcount from the sale of UPMC employee PII, which tOtaled approximately 258. 97; i if I In January, 2014, JOHNSON advertised the sale of UPMC employee P11 to . buyers on the darkweb forum EvOlution and to a person known to the grand Jury as M. Case Document 3 Filed 05/20/20 Page 9 of 18 Between January 31, 2014, and March 6, 2014, conspirators electronically transmitted and filed approximately 1,327 false Form 1040 year 2013 federal income taX_ returns,- which contained the P11 of UPMC employees; I . Between February 27, 2014, and March 10, 2014, conspirators registered Amazoncom email user accounts with Hushmailco'm or Safe?mailnet, and placed orders of electronic merchandise with gift card codes fraudulently obtained and funded? with the unauthorized tax, refunds; On or about March 12, 2014, conspirators plaCed three separate orders, for electronic merchandise with Amazoncom through a user accOunt which shipments were directed to Venezuela through reshipping services in Miami, Florida; I . On or about March 12, 2014, a user account was registered. at Amazoncom styled as for the purpbse of . trafficking the electronic merchandise to purchasers on websites in South America; I I on or about March 19, 2014, March 21,2014, April 4, 2014, andvApril 9, 2014, a conspirator Signing as ?Manuel,? accepted delivery?of electronic merchandise purchased at at a location in Venezuela; and On 'or about ?April 1, 2014, other conspirators personally signed for and 1 accepted deliveries of electronic merchandise ordered for delivery to Venezuela; (1)2 On or about May 7, 2014, conspirators received communications frOm online South America merchant ?MercadoLibre? (not. a conspirator herein) regarding the unlawfully obtained merchandise conspirators advertised for Sale. In violation of Title 18, United States Code, Section 371. Case Document 3 Filed 05/20/20 Page 10 of 18 COUNTS Two THROUGH ELEVEN The grand jury further charges: 41. The United States incorporates by reference herein the allegations? set forth in I paragraphs 1-12, as though set forth at length more fully'herein'. 42. Beginning in and around November, 2013, and continuing thereafter until in and around March, 2017, the defendant, JUSTIN SEAN TDS, a/k/a DS,-devised, and intended to devise, a, scheme and arti?ceto defraud UPMC, and its employees, of their perSo'nally identi?able information, as well as other individuals? personally identi?able information, and to obtain money and property by means of materially false and fraudulent pretenses, representations, and promises, well knowing at the time that the pretenses, representations, and promises were false and fraudulent when made, and which scheme to defraud I placed ?nancial institutions at a risk of ?nancial loss. 43. - It Was part of the scheme and arti?ce to defraud that JOHNSON deceitfully in?ltrated institutional HR databases controlled by PeopleSoft management software, queried for and ex?ltrated sensitive employee PH and?bankaccount information, and then solicited the sale of the PH. on darkweb marketplaces. I I 44. It was further a part of the scheme and arti?ce to defraud that JOHNSON became pro?cient in PeopleSoft management software, learnedits vulnerabilities, and even promoted himself on his resume as having ?installed PeopleSoft systems with Oracle 45. It Was further a part of the scheme, and artifice. to defraud that in October, 2013, JOHNSON registered an account at exchange provider Coinbase. I I 46. i It was further a part 'of the scheme and'arti?ce to defraudthat between anuary 21, 2014, through February 24, 2014, JOHNSON?regularly and deceitfully in?ltrated the content 10? Case DocumentB Filed 05/20/20 Page 11 of 18 servers of the UPMC HR database network and queried for'ahdi ex?ltrated sensitive PII'belonging to thousands of UPMC employees. I i 47. It was further a part of the scheme and arti?ce to defraud that JOHNSON then solicited the sale of the stolen UPMC PII to buyers on the darkweb marketplaces} such as Evolution, which P11 was purchased. by fraudsters and used to fraudulently prepare, electronically transmit, and to ?le hundreds of false Form 1040 year 2013 federal 1ncome tax returns, which causedthe . IRS to unwittingly lssue $1.7 million 1n false tax refunds to the false tax return ?lers. I i I, 4.8 It was further a part of the scheme and arti?ce to defraud that 1n and around August, 2015, TDS appeared on the illicit darkweb- trading forum known as AlphaBay .Marketplace (ABM), and, posted the following [solicitation for the saleof PII he ex?ltrated from institutional A HR databases, stating:_ .- I I i I ?In case anyone remembers me from CF or evo: I?m back. ?It?s another year and once again I?m sitting on tens of thousands of fresh names, SSN, DOB, bank routing/account numbers and payroll ?600 employees is not huge in my book when I can spend time swiping the payroll of a company with I 0, 000+ employees or raiding the HR system of an institution with tens to hundreds of thousands of names ?Never said it was legitimate access Just access. Butfor avoidance of doubt Not my companies. Not employed by these 49. It was further a part of the scheme and arti?ce to defraud that on or about August I A .1 25, 2015, JOHNSON registered a ?Jabber? communication aCCOunt and used it to solicit the sale. . of the stolen PII to prospective buyers. I I 50. It was further a part of the scheme and arti?ce to defraud that in October, _,2016 . JOHNSON changed his dark web pseudonym to and used it to communicate with buyers? and to solicit the Sale of PH. 1 1 ?11 Case Documents. Filed 05/20/201 Page 120118, 51.. I It was further a part of the scheme and arti?ce to defraud that throughout 2016 and 2017, DS frequently solicited the. sale 'of PH that he surreptitiously [obtained in institutional - database in?ltrations on the darkweb marketplace ABM i ,stating, for eXample; . ?And as for me being new? .I Ve been doing this of and on since Evo and I?ll be Selling my own database of W- 2 info as they? re ready.? ve got 45, 000 fresh names/address/DOB/SSN and the source for the info that I like to get rid of in bul. ?Still have most of these Selling the lot for 7 500 or best non- ridiculous o?er.? ?12, 500 rows of direct deposit information (yes, that includes account and routing numbers) retrieved yesterday from an active payroll system (no invalid shit). No logins. No credit cards. No companies Just people - ?I?ve found not one but THREE colleges in the past few years that have had their entire academic student information system acceSsible because of shitty/default passwords ?Prof les with IRS veri?ed 2015 or unveri?ed 2015 nOn filers? .I have many prof les, . of college students and prospective college Students (and Sometimes their parents). with an IRS veri?ed 2015 their financial aid me know.? 52,. I It was. furtheraipar't of the scheme and arti?ce to defraud that in "2016, on ABM, DS solicited the sale Vof sensitivebank account information and PH to buyers, statingi' ?Bulk I ?Have a need for bank info?; have some business for "or ?Any buyers of bank aCcount prof les 7? 53. It was further-a part of the scheme and artifice to? defraudthat in Detober, 2016, DS . stated to a buyer that the stolen PII came from a large healthCare provider in Georgia and Florida. 54. It was further a part of the scheme and arti?ce to defraud that DS solicited the sale. 5 of account holder information belonging to a TD Bank account customer and directed the buyer to deposit the sale proceeds 1n wallet . 55. It was further a part of the sCheme and arti?ce to defraud that in March, 2017, DS communicated With a buyerknown to the grand Jury as and revealed the vulnerability and source of stolen PII, stating in the following exchange with-CL; ?12 Case DOcument3 Filed 05/20/20 5age 13 of 18 CL: ?hey bro, was on AB and seen a post you made about direct access to the . still available I am still working on turning into BT DS: ?can check and see if I still have'access, dunno if i do? C.L.: isaid?i got the like that?s the best way to - DS: ?inot unless you know how to use the software lol? C.L.: ?what software is it?? I DS: ?peoplesoft? - 56-. It was further a part of the scheme and arti?ce to defraud that on or about February I 2017, February 14, 2017, and March 21, 2017, DS sold multiple sets of PH to CL on the darhweb ABM, which CL: paid for in totaling $1,850.00, and. which proceeds .DS concealed through Virtual currency ?mixers.? i I THE WIRE COMMUNICATIONS . Onor about the followmg dates set forth below, in the Western DistriCt of the defendant, JUSTIN SEAN JOHNSON, a/k/a TDS, a/kla DS, for the purpose of executing and attempting to, execute the scheme and arti?ce to defraud, did transmit and cause to be transmitted in. interstate commerce by means of a wire communication, certain signs, signals, sounds, and any appropriate combination of the three, that is, the defendant,lby use of the internet, deceitfully in?ltrated the ?content servers of the human resource database located 'at the University of Pittsburgh Medical Center in Pittsburgh, queried for, and ex?ltrated employee PII to his control, placing ?nancial institutions at a risk of loss, each such-ex?ltration of data being a separate count herein: Count Date - 2 December 1, 2013 3 December 2, 2013 '4 December?28, 2013 - 5 January 22, 2014 6 January 24,- 2014- '13 Case-2:20-cr-00094-MRH- DocumentB Filed 05/20/20 Page 14 of 18 January 28, 2014 February 12, 2014 February 13, 2014 0 February 14, 2014 1 [February 24, 2014 1n Violation of Title 18, United States Code, Section 1343. 14." Case Documents Filed 05/20/20 Page 15 of 18 . COUNTS TWELVE THROUGH FOURTEEN The grand jury further charges: I I i The United States incorporates by reference hereinthe allegations set forth in paragraphs 41 through 56, as though set fOrth at length more fullyherein. . On or about the following dates set forthibelow, in the Western District of the defendant, JUSTIN SEAN JOHNSON, a/k/a TDS, a/k/a DS, for the purpose of executing and attempting to execute the scheme and arti?ce to defraud, did transmit and cause to be transmitted in interstate commerce by means of a wire communication, certain signs, signals, sounds, and any . appropriate combination of the three, that is, the defendant, by use of the internet, fraudulently solicited and sold PII which contained the names, datespvof birth, social security numbers, and adjusted gross incomes for real persons, which the defendant transmitted to a person known to the grand jury as each such transmission of data being a separate count herein: Count 12 - February 7, 2017 13 February 14, 2017 14, March 21,2017 In Violation of Title 18, United States Code, Section 1343. 15 D00ument3 Filed 05/20/20 Page 16 0118 COUNTS FIF TEEN THROUGH THIRTY-EIGHT The grand jury further charges: The United States incorporates by reference herein the allegations set forth 1n paragraphs 41 through 56, as though Set forth at length more fully herein. On or about the following dates set ferth below, 1n the Western District of the defendant, JUSTIN SEAN JOHNSON, a/k/a' TDS, the purpose of executing and- . attempting to eaecute the scheme and-arti?ce to defraud, didt?ransmit and cause to be transmitted in interstate commerce by means of a wire communication, certain signs, signals, sounds, and any . appropriate combination of the three, that is, JOHNSON, by use of the internet, Caused the . preparation, electronic transmittal and ?ling of false Form 1040 year 2013 federal Income tax returns which contained the PH of UPMC employees identi?ed by their initials below, from Western to an IRS. Service Center located in Memphis Tennessee,each such electronic transmittal being a separate count herein: I Count Date January 31', 2014 February 1, 2014 February 2, 2014 February'12, 2014' February 12, 2014 February. 16, 2014 February 16, 2014 February 18, 2014 February 18, 2014 -February\18, 2014 February 20, 2014 February 20, 2014 - February 21,2014 February 22, 2014 February 23, 2014 February 25, 2014 . February 27, 2014 March 4, 2014' March 4, 2014 16 UPMC Employee 1' ?Ds. G.B. M.W. M.P. . 82. DR. - M.W. CQH. . K.S. J.B. L.D. C.B. G.S. C.S. .R.W. SW. 1 1 . Case Document 3 Page 17 of 18 34 March 4; 2014 RB. 35 .MarchS, 2014 LS. 36 . March 5, 2014 RB. .37 'March 5, 2014 .1 38 . March 5, 2014 BS. In Violation of Tide 18, United States Code, Section-s 1343 and 2. 17 Case Document 3 Filed 05/20/20 Page 18 of 18 COUNTS THROUGH FORTY-THREE The grand jury further charges: "On or about March 21, 2017, in the Western District of the defendant, JUSTIN SEAN JOHNSON, a/k/a TDS, a/k/a DS, during and in relation to'the felony Violationsof Wire Fraud, in Violation of Title 18, United States Code, Section 1343, as alleged in Counts 12 through 14, did knowingly and without lawful authority, transfer, possess, and use a means of identi?cation'of another person, specifically, the defendant, by'use of the internet, transferred, possessed, and used,the names, social security numbers, and dates of birth of the real persons identified by initials below during the sale .of their to a person knoWn to the grand} jury as C.L., each such transfer, possession, and use being a separate count herein below: Count Initials . T.K. In Violation of Title 18, United States Code, Sections 1028A(a)(1) and 2.: A True Bill, Foreperson . in, .- a? I. . ,1 scorr W1 BRADY United States Attorney PA ID No. 88352 18'