Hacker Admits Targeting Major US Websites

A hacker who became the first ever Cypriot national to be extradited to the United States has pleaded guilty to extorting major American website operators with stolen user data. 

Joshua Polloso Epifaniou was a teenager when he started hacking into websites, stealing information, and threatening to release it if he didn't receive a ransom. 

The 21-year-old resident of Nicosia, Cyprus, was arrested by Cypriot authorities in February 2018. In July last year, Epifaniou was extradited to the US to face charges in both Georgia and Arizona. 

According to US authorities, between at least October 2014 and November 2016, Epifaniou searched website traffic rankings to identify targets to extort. He then worked with co-conspirators to steal personally identifiable information from user and customer databases belonging to victim websites. 

Among the websites hit by Epifaniou were a free online game publisher based in California, a New York City hardware company, an online employment website headquartered in Virginia, a consumer report website headquartered in Phoenix, and a sports news website based in Atlanta, Georgia, and owned by Turner Broadcasting System Inc.

To steal data, Epifaniou either directly exploited security vulnerabilities in the victim websites or obtained a chunk of data from a co-conspirator who had hacked into the victim network.

Epifaniou then used proxy servers located in foreign countries to log into online email accounts and send messages to victims demanding a ransom payment in cryptocurrency to prevent the stolen data from being leaked.

On January 25, the Northern District of Georgia announced that Epifaniou had pleaded guilty to accessing multiple major websites based in the United States without authorization, stealing user data, and demanding that the website operators pay a ransom to prevent his release of the data. 

“This conviction represents the determination of FBI investigators to hold cyber criminals accountable for extorting US companies and citizens no matter where they may be hiding,” said Chris Hacker, special agent in charge of FBI Atlanta.

Prior to the plea, Epifaniou paid nearly $600,000 in restitution to the victims. He also agreed to forfeit an additional $389,113 and nearly 70,000 euros to the government in his plea agreement.

Sentencing is scheduled for March 3, 2021.
