A Cypriot national was extradited to the United States last week to face charges related to various computer intrusions, including the hacking into Ripoff Report.
The man, Joshua Polloso Epifaniou, 21, a resident of Nicosia, Cyprus, was arrested in Cyprus in February 2018 and is the first Cypriot national to be extradited from the country to the United States.
In a five-count indictment filed in the Northern District of Georgia, Epifaniou is charged with wire fraud, extortion related to a protected computer, conspiracy to commit wire fraud, and conspiracy to commit computer fraud and identity theft.
Between October 2014 and November 2016, Epifaniou and co-conspirators allegedly targeted websites to steal personal identifying information (PII) from databases and then extort money from the websites by threatening to make the stolen data public.
The man is charged with stealing data from the websites of multiple companies in the United States, including a free online game publisher, a hardware company, an online employment website, and an online sports news website.
Epifaniou either exploited vulnerabilities to gain access to the data of interest or obtained the data from a co-conspirator. He then accessed email accounts using proxy servers and emailed the victim websites to demand a ransom.
According to the indictment, he defrauded victims of $56,850 in Bitcoin. Two of the victims incurred losses of more than $530,000 from remediation costs associated with the hacking.
In the District of Arizona, Epifanou is charged in a 24-count indictment with obtaining information from a protected computer, conspiracy to commit computer hacking, threatening to damage a protected computer, and intentional damage to a protected computer.
According to the indictment, in October 2016, Epifaniou hacked into the database of Phoenix, Arizona-based Ripoff Report (ROR). The next month, he emailed ROR’s CEO, threatening to leak stolen data and demanding a $90,000 ransom be paid.
A privately owned and operated for-profit website, ROR allows anyone over the age of 14 to complain about firms or persons, but does not require users to provide their real identity. Such complaints might appear on Google, thus potentially damaging the image of the targeted entity.
Between October 2016 and May 2017, Epifaniou allegedly worked with an associated at a search engine marketing provider to identify companies that would be interested in removing complaints posted on ROR’s website.
The two charged those companies between $3,000 and $5,000 to illegally remove each complaint from the ROR database. They allegedly removed at least 100 complaints from the database.
Epifaniou is scheduled for arraignment on Monday, July 20.
Related: Feds Unseal 2018 Indictment Charging Kazakh Man in Hacks
Related: New Yorker Indicted for Stealing Card Data via SQL Injection Attacks
Related: WikiLeaks Founder Assange Faces New Indictment in US
