Cypriot Hacker Pleads Guilty to Data Theft, ExtortionJoshua Polloso Epifaniou Was Extradited to the US in June 2020
A Cypriot hacker has pleaded guilty to a pair of federal charges after admitting that he hacked the websites of several U.S. organizations, stole data and then threatened to disclose it unless a ransom was paid, according to the U.S. Justice Department.
Joshua Polloso Epifaniou, 21, of Nicosia, Cyprus, pleaded guilty this week to computer fraud conspiracy and obtaining information from a protected computer. He faces up to five years in prison and a $250,000 fine when he's sentenced in March, according to court documents.
Police in Cyprus arrested Epifaniou in February 2018, and he was extradited to the U.S. in June 2020, according to the Justice Department. He has remained in custody since. The case marked the first time that Cyprus extradited a suspect to the U.S. to face charges under a treaty signed in 2006.
Before entering into the plea agreement, Epifaniou paid nearly $600,000 in restitution to his victims. He also agreed to forfeit a total of about $459,000, prosecutors say. And he agreed to cooperate with the government in any further investigations.
How Epifaniou Operated
From October 2014 to November 2016, Epifaniou and other hackers targeted several vulnerable U.S. websites to steal credentials and then gain a foothold in the organizations' networks, according to the U.S. Attorney's Office for the Northern District of Georgia, which oversaw the case.
Epifaniou, prosecutors say, targeted websites based on their internet traffic rating. He worked with others to steal personally identifiable information and other data from the targeted organizations’ databases.
"Epifaniou stole the sensitive information either by directly exploiting a security vulnerability at the websites or by obtaining a portion of the victim website's user data from a co-conspirator who had hacked into the victim network," according to the Justice Department.
After gaining access to personal data, Epifaniou used proxy servers in other countries to log into email accounts and send messages to the targeted websites threatening to leak the sensitive data unless the victims paid a ransom in cryptocurrency, prosecutors say.
Websites targeted by Epifaniou and other hackers included those for a free online game publisher based in Irvine, California; a hardware company based in New York; an online employment service based in Innsbrook, Virginia; a consumer report website in Phoenix; and an online sports news service owned by Turner Broadcasting System in Atlanta, according to the Justice Department.
Epifaniou extorted more than $56,000 in bitcoin from victims, transferring the money to bank accounts in Cyprus, according to a federal indictment. The Justice Department also calculated that at least two of the websites he targeted faced a combined total of $530,000 in cleanup and mitigation costs.
Federal prosecutors also determined that in October 2016, Epifaniou used a brute-force attack to hack the website for the Phoenix-based Ripoff Report, a business accountability site, gaining access to the CEO's email account and then sending ransom demands to employees, according to the court documents.
In addition to the $90,000 he demanded from Ripoff Report, Epifaniou worked with an unnamed SEO firm to find companies and businesses listed on the Ripoff Report website and then promised to remove their listings if they paid him between $3,000 and $5,000, according to the Justice Department.