An Idaho man who worked as an Information Technology Specialist for Ada County by day has been sentenced to prison for hacking medical offices and threatening his victims if they didn’t pay his ransom demands.
Background of the Case
In July 2017, DataBreaches reported a hacking incident with a ransom demand where the description of the circumstances sounded very much like the type of incident thedarkoverlord (TDO) had committed numerous times. DataBreaches commented that the incident sounded like it could be the work of TDO.
To DataBreaches’ surprise, someone posted a comment claiming that he was the darkoverlord DataBreaches had mentioned. “Todd Davis,” as the commenter called himself, provided additional details about the incident. But he also subsequently emailed DataBreaches to say that he hadn’t realized there was a threat actor called thedarkoverlord and that he wasn’t that threat actor — that he was always “Lifelock” on the dark web. DataBreaches reported his clarification in the comments thread.
That interaction was followed by some additional emails between “Lifelock” and DataBreaches, including emails where he admitted to hacking and attempting to extort Holland Eye Surgery & Laser Center in Michigan and the city’s mayor. Lifelock was mad that they hadn’t paid despite all the demands he had made and wanted this site to expose them. Lifelock provided this site with the patient data as proof and noted that the medical group never reported the incident to patients or HHS in 2016 when it happened. DataBreaches doesn’t like being used by threat actors to pressure their victims, but when DataBreaches investigated his claim, this site found confirmation in actual police records that Holland Eye Surgery & Laser Center knew back in 2016 they had been hacked. They had even told police that the attacker had shown them credible data as proof. DataBreaches reported this site’s findings and filed a whistleblower complaint with HHS over Holland Eye’s failure to disclose the breach in 2016 as required by HIPAA and HITECH.
But the more “Lifelock” emailed this site and provided samples of his communications with his victims, the more he looked like he might really be thedarkoverlord. It was the same time frame (2016-2017), victim type (medical practice), type of threats to the victims if they didn’t pay, writing style, labeling a victim a “cheap jew,” and obsession with victims who didn’t pay their demands. Later on, DataBreaches would find even more points of similarity. Although Lifelock denied that he was thedarkoverlord (TDO) and TDO also informed this site that Lifelock was not TDO, there were so many things Lifelock did that matched TDO that DataBreaches did suspect that Lifelock could be “TDO-1” or associated with TDO. Given that he publicly admitted to hacking two medical practices and the mayor of the city, it was not surprising that the FBI started investigating him. Their investigation uncovered other evidence concerning Lifelock and additional similarities between Lifelock and TDO involving the use of AlphaBay, claims on AlphaBay, and the use of Bitcoin Blender. The FBI would eventually state that it was “likely that Lifelock [was] or ha[d] been associated with TDO and related criminal activities.”
In August 2019, the FBI raided Lifelock’s home in Meridian, Idaho, and in March 2021 Robert A. Purbeck, aka Lifelock, and aka “Studmaster” and “Studmaster1,” was indicted by a grand jury in the Northern District of Georgia. He was not charged as thedarkoverlord or charged in connection with any attacks that DataBreaches knew to be the work of thedarkoverlord, so DataBreaches’ suspicion was not confirmed.
Purbeck faced 11 counts in the indictment:
- 18:1030(a)(2)(C), 1030(c)(2)(B)(i) and 1030(c)(2)(B)(iii) and Section 2 FRAUD ACTIVITY CONNECTED WITH COMPUTERS (1-3)
- 18:1030(a)(7)(B) and 1030(c)(3)(A) and Section 2 FRAUD ACTIVITY CONNECTED WITH COMPUTERS (4)
- 18:1343 and Section 2 FRAUD BY WIRE, RADIO, OR TELEVISION (5-8)
- 18:1029(a)(2) and (c)(1)(A)(i) and Section 2 PRODUCES/TRAFFICS IN COUNTERFEIT DEVICE (9-11)
Purbeck spent the next few years filing numerous motions and complaints in courts in Idaho, California, and Georgia, often filing pro se. In various motions, he tried to get evidence suppressed, his statements suppressed, and his devices returned. In other filings, he claimed Brady violations, challenged venue in the Northern District of Georgia, and accused federal and Idaho law enforcement of perjury and other misconduct, such as accusing an FBI agent of sexual molestation/groping him. Purbeck also filed a civil suit against FBI agents for civil rights violations. Parts of that case have already been dismissed by the court. The magistrate judge’s report, recommendation, and order of May 2023 cover some of the issues Purbeck challenged in the NDGA case. Magistrate Judge Russell Vineyard’s report was not the end of Purbeck’s efforts, however, but his subsequent filings were also unsuccessful. Eventually, the court certified the case was ready for trial and set a trial date.
In March, Purbeck indicated he would be changing his plea, and on March 19, he pleaded guilty to two counts of the 11-count indictment. The two counts charged violation of Title 18, United States Code, Sections 1030(a)(2)(C), 1030(c)(2)(B)(i) and 1030(c)(2)(B)(iii) and Section 2, more commonly known as the Computer Fraud and Abuse Act (CFAA).
Sentencing
As part of the plea deal, the government sought a sentence of 70 months followed by three years of supervised release and restitution of $1,048,702.98. The restitution was to eight victims, some of whose breaches were never publicly reported: Andrea Yaley, DDS; City of Newnan; Nancy DeBoer (former mayor of Holland, Michigan); Family Medical Center; Golden Heart Administrative Professionals; Holland Eye Care; Simon Orthodontics; and Ursa Farmers Co-Op. The court filings indicated that the government had evidence of 19 or more victims, but only eight were named and listed for restitution.
In wading through the pre-sentencing filings, DataBreaches discovered that two other jurisdictions (the Central District of Illinois and the District of Alaska) entered into some agreement that those districts would not attempt to prosecute Purbeck if he pleaded guilty as per the plea agreement with the Northern District of Georgia.
In their pre-sentencing memorandum, the government discussed the victim impact and cited specific examples of Purbeck’s behavior to demonstrate why a longer sentence was needed to protect the public from him. Some of the statements below by the government have not been previously reported:
Purbeck’s victims included a Florida orthodontist, a California dentist, the City of Newnan Police Department, a Griffin medical clinic, a Locust Grove medical clinic, a former mayor in Michigan, a medical billing service in Alaska, an optometry clinic, a safehouse for women and children who were victims of domestic violence, a dialysis clinic, a church in Stone Mountain, a correctional facility, an Idaho health department, and others.
… In total, Purbeck sent approximately 27 extortion emails to A.Y. [a dental practice he attempted to extort], even threatening to issue warrants against her for sex crimes and place her family members on sex offender registries:
Just so you know. I have access to several or more likely more than 100 police stations throughout the US. I can label your family members as sex offenders in any of those districts. You won’t even know the districts where warrants have been issued in your name for crimes such as forcible rape and felony injury to a child among many other sadistic crimes I can pin on you and your family members. Even if you only get questioned at an airport it will be inconvenient. This is circle one of the hell I can put you in.
… Specifically, on July 3, 2018, Purbeck, after hacking D.S.’s [orthodontal] practice, sent him an email that included one of his patient’s name, date of birth, and social security number, and requested a payment of $15,000 in Bitcoin. Purbeck then sent D.S. another email – this time identifying his minor daughter, her date of birth, social security number, and the school which she attended:
and most importantly sweet [name of D.S.’s minor child], born the [date of birth] is [social security number]. She currently attends [name of school] and will hopefully continue to do so in a safe and secure way. Fear not my new friend, I do not mean threat or harm to your sweet child, I just needs you to be aware of what I know [sic] control. What I have.
Somewhat surprisingly, Purbeck, who was an Information Technology Specialist for Ada County in Idaho and had even been employed in their Sheriff’s Department, also claimed to be an online ordained Christian minister:
Agent [redacted] read emails to Mr. Purbeck from an AOL (Oath) account that Mr. Purbeck used on his phone to communicate with his friends, lawyers and spiritual advisors. Many of the communications were privileged and it is unknown if the FBI employed a taint team to determine whether religious confessions and legal communications were separated from general emails or if the case agents just read to their hearts’ content. Mr. Purbeck does know they read some of the communications with the individual who was a spiritual adviser because they informed him of the content of the emails. Mr. Purbeck was also an online ordained Christian minister (Universal Life Church, Inc. v. United States, 372 F. Supp. 770 (E.D. Cal. 1974)) for over 20 years and some of his communications with a deeply flawed individual were for the purpose of confessing sins. This individual had confessed sins on many occasions including very intimate matters involving fornication, adultery, stealing, employing prostitutes, and using Methamphetamine. It was apparent these are communications showing remorse and covered under priest-penitent privilege.
So someone who was hacking medical entities and a safe house for victims of domestic abuse — someone who was threatening people — was describing someone else as “deeply flawed?”
Earlier today, Chief U.S. District Judge Timothy C. Batten, Sr. sentenced Purbeck to 10 years in prison followed by three years of supervised release and the restitution of $1,048,702.98. Purbeck will have a lot of time to think about what “deeply flawed” really means.