A Kentucky man who hacked into a state registry and faked his own death to avoid paying child support was sentenced on Monday to 81 months in prison.
In January 2023, Jesse Kipf used stolen login credentials belonging to a physician to access the Hawaii Death Registry System, where he submitted and “certified” his own death — thereby avoiding paying more than $116,000 in owed child support.
He also hacked into other state death registry systems, as well as “governmental and corporate networks” using stolen credentials, and tried to sell access to those entities on the darkweb.
“Working in collaboration with our law enforcement partners, this defendant who hacked a variety of computer systems and maliciously stole the identity of others for his own personal gain, will now pay the price,” said Michael E. Stansbury, special agent in charge at the FBI’s Louisville Field Office. Kipf was convicted of computer fraud and aggravated identity theft.
In March 2023, Hawaii’s Department of Health began sending out breach notification letters after it was notified by the cybersecurity firm Mandiant that credentials belonging to an external medical death certifier account had been sold on the dark web. The account belonged to a medical certifier who worked for a local hospital but had left the job in 2021.
According to the Health Department release, the hacker accessed the account on January 20, 2023 — the same month Kipf breached the system.
That same year, Kipf also used stolen credentials to access networks belonging to Guest-Tek Interactive Entertainment Ltd. and Milestone, Inc. — specifically to networks related to the companies’ work with hotel chains, including internet connectivity services.
According to a sentencing memo from Assistant U.S. Attorney Kathryn M. Dieruf, Kipf offered for sale on darknet forums tips for how to access death registry systems, and he sold access to at least one company’s hacked databases to Russian customers. Other international buyers of stolen personal information were from Algeria and Ukraine, according to court documents.
While calling for a seven-year sentence — three more months than the one Kipf received — Dieruf asked the judge to send a message to cybercriminals.
“Similarly situated individuals must see the real danger they present to victims and be deterred from engaging in online criminal conduct by the fear of punishment,” she wrote.
“The cloak of anonymity afforded by the dark web is too alluring without the persistent threat of being brought to justice and serving a significant sentence.”
81 is enough months to use years instead.
The account belonged to a medical certifier who worked for a local hospital but had left the job in 2021. Then the hacker accessed the account on January 20, 2023. That’s some quality security controls. Stale accounts over a year old still can log in.