Alleged Cypriot Hacker Extradited to US to Face ChargesAccused of Stealing Personal Data and Extorting Victims
A 21-year-old Cypriot man, who is accused of hacking into websites and stealing personal data to extort his victims, has been extradited to the U.S. to face charges of wire fraud and computer hacking, according to the Justice Department.
See Also: Top 50 Security Threats
Joshua Polloso Epifaniou was taken into federal custody over the weekend and then arraigned Monday in federal court in Atlanta. He faces five federal criminal charges, including conspiracy to commit wire fraud, wire fraud, conspiracy to commit computer fraud and identity theft and extortion related to a protected computer, according to a recently unsealed federal indictment.
Epifaniou also faces numerous federal charges in Arizona related to the alleged hacking of Ripoff Report, a business accountability site, according to the Justice Department. Prosecutors say Epifaniou allegedly used a brute-force attack against the website and bypassed its login and password security to steal company data. He then demanded $90,000 from the company, threatening to publish the information if they didn’t pay, according to authorities.
Police in Cyprus arrested Epifaniou in February 2018, and he remained in custody there until he was extradited to the U.S. earlier this month. The case marks the first time that Cyprus has extradited a suspect to the U.S. to face charges under a treaty signed in 2006, according to the Justice Department.
Prosecutors allege that between October 2014 and November 2016, Epifaniou and co-conspirators targeted several U.S. websites to steal personal data. They allegedly exploited vulnerabilities in the websites and obtained stolen credentials to gain a foothold within a network, according to court documents.
Websites targeted by Epifaniou and other hackers included those for a free online game publisher based in Irvine, California; a hardware company based in New York; an online employment service based Innsbrook, Virginia; and an online sports news service owned by Turner Broadcasting System in Atlanta, according to the Justice Department.
After gaining access to personal data from these websites, Epifaniou used proxy servers in other countries to log into online email accounts and send messages to the victim websites threatening to leak the sensitive data unless a ransom was paid, prosecutors allege.
During the two-year period, prosecutors allege that Epifaniou extorted more than $56,000 in bitcoin from victims, transferring the money to bank accounts in Cyprus that he controlled, according to one indictment. The Justice Department also calculated that at least two of the websites targeted during this time faced a combined total of $530,000 in expenses for clean-up and mitigation costs.
Ripoff Report Hack
Federal prosecutors also allege that in October 2016, Epifaniou hacked the website for Phoenix-based Ripoff Report. Prosecutors also allege that Epifaniou gained access to the CEO's email account and sent ransom demands to employees.
In addition to the $90,000 he demanded from Ripoff Report, Epifaniou worked with an unnamed SEO firm to find companies and businesses listed on the Ripoff Report website and promised to illegally remove their listings if they paid him between $3,000 and $5,000, according to the Justice Department.
For his alleged hacking of the Ripoff Report site, Epifaniou will face federal charges that include conspiracy to commit computer hacking, obtaining information from a protected computer, intentional damage to a protected computer and threatening to damage a protected computer, according to the Justice Department.