Cypriot hacker pleads guilty to extorting website operators with stolen user data
ATLANTA – Joshua Polloso Epifaniou, a Cypriot national, has pleaded guilty to accessing multiple major websites based in the United States without authorization, stealing user data, and demanding that the website operators pay a ransom to prevent his release of the data. Epifaniou is the first Cypriot national to be extradited from Cyprus to the United States.
“Epifaniou hacked into U.S.-based websites and threatened the disclosure of stolen personal information belonging to users, unless the websites paid him large ransoms,” said Acting U.S. Attorney Bobby L. Christine. “His arrest, extradition, and conviction demonstrate our resolve to bring to justice any hackers, no matter where they reside.”
“This conviction represents the determination of FBI investigators to hold cyber criminals accountable for extorting U.S. companies and citizens no matter where they may be hiding,” said Chris Hacker, Special Agent in Charge of FBI Atlanta. “However, the successful prosecution of this case would not have been possible without the help of our federal and foreign partners, including the government of Cyprus.”
According to Acting U.S. Attorney Christine, the charges and other information presented in court: Between at least October 2014 and November 2016, Epifaniou was a teenage hacker in Cyprus who searched website traffic rankings to identify potential targets of his extortion scheme. After selecting targets, Epifaniou worked with co-conspirators to steal personally identifiable information from user and customer databases at victim websites. Epifaniou stole the sensitive information either by directly exploiting a security vulnerability at the websites or by obtaining a portion of the victim website’s user data from a co-conspirator who had hacked into the victim network. Once the personally identifiable information was obtained, Epifaniou used proxy servers located in foreign countries to log into online email accounts and send messages to the victim websites threatening to leak the sensitive data unless a ransom was paid in cryptocurrency.
During his scheme, Epifaniou’s victims included:
- An online sports news website owned by Turner Broadcasting System Inc. in Atlanta, Georgia;
- A free online game publisher based in Irvine, California;
- A hardware company based in New York, New York;
- An online employment website headquartered in Innsbrook, Virginia;
- A consumer report website headquartered in Phoenix, Arizona.
Prior to the plea, Epifaniou paid nearly $600,000 in restitution to the victims, and Epifaniou agreed to forfeit an additional $389,113 and nearly 70,000 euros to the government in his plea agreement.
On September 19, 2017, Joshua Polloso Epifaniou, 21, of Nicosia, Cyprus, was indicted on one count of wire fraud conspiracy, two counts of wire fraud, one count of computer fraud conspiracy, and one count of extortion related to a protected computer. In addition, Epifaniou pleaded guilty to one count of computer fraud in a 24-count indictment transferred from the District of Arizona for purposes of his plea.
Sentencing is scheduled for March 3, 2021, at 10:00 a.m., before U.S. District Judge Mark H. Cohen.
This case is being investigated by the Federal Bureau of Investigation. Foreign law enforcement partners also made significant contributions to the investigation, including the exceptional support and cooperation provided by the Office for Combating Cybercrime of the Cyprus Police. Valuable assistance also was provided by the Criminal Division’s Office of International Affairs and the U.S. Attorney’s Office for the District of Arizona.
Assistant U.S. Attorney Nathan P. Kitchens, Chief of the Public Integrity and Special Matters Section, is prosecuting the case.
For further information please contact the U.S. Attorney’s Public Affairs Office at USAGAN.PressEmails@usdoj.gov or (404) 581-6016. The Internet address for the U.S. Attorney’s Office for the Northern District of Georgia is http://www.justice.gov/usao-ndga.