Press Release

Cypriot hacker sentenced to federal prison for extorting website operators with stolen personal information

For Immediate Release
U.S. Attorney's Office, Northern District of Georgia

ATLANTA – A Cypriot national who hacked into major websites as a teenager and threatened that he would release stolen user information unless the websites paid a ransom has been sentenced to federal prison. The defendant, Joshua Polloso Epifaniou, is the first Cypriot national ever extradited from Cyprus to the United States.

“Epifaniou harvested the personal information of website users to extort website operators into paying large ransoms,” said Acting U.S. Attorney Kurt R. Erskine. “Cyber extortion is a growing threat to American businesses.  Cyber criminals typically identify sensitive information either by directly exploiting website security vulnerabilities or identifying weakness in the victim’s computer network.”

“This historic extradition and sentencing would not have been possible without the determination of our FBI investigators and the help of our federal and foreign partners,” said Chris Hacker, Special Agent in Charge of FBI Atlanta. “It is further proof that no matter where criminals who prey on U.S. companies and citizens are hiding, either geographically or virtually, we will pursue them and bring them to justice.”

According to Acting U.S. Attorney Erskine, the charges and other information presented in court: Between at least October 2014 and November 2016, Epifaniou was a teenage hacker living with his mother in Cyprus who searched website traffic rankings to identify potential targets of his extortion scheme. After selecting targets, Epifaniou worked with co-conspirators to steal personally identifiable information from user and customer databases at victim websites. Epifaniou stole the sensitive information either by directly exploiting a security vulnerability at the websites or by obtaining a portion of the victim website’s user data from a co-conspirator who had hacked into the victim network. After obtaining the personally identifiable information, Epifaniou used proxy servers located in foreign countries to log into online email accounts and send messages to the victim websites threatening to leak the sensitive data unless a ransom was paid in cryptocurrency. 

During his scheme, Epifaniou’s victims included an online sports news website owned by Turner Broadcasting System Inc. in Atlanta, Georgia; a free online game publisher based in Irvine, California; a hardware company based in New York, New York; an online employment website headquartered in Innsbrook, Virginia; and a consumer report website headquartered in Phoenix, Arizona.

After extorting the consumer report website operator, Epifaniou continued to hack into the website to remove online complaints posted on the website at the request of paying clients. Epifaniou and his co-conspirator, Pierre Zarokian, charged clients between $1,000 and $5,000 for removal of each complaint and falsely told clients that the removals were court-ordered.

Before entering a guilty plea, Epifaniou paid nearly $600,000 in restitution to the victims.

Joshua Polloso Epifaniou, 22, of Nicosia, Cyprus, was sentenced by U.S. District Judge Mark H. Cohen to an additional one year and one day in prison, on top of credit for three years and ten months served in custody for the offense prior to his sentencing hearing. Epifaniou also paid forfeiture of $389,113 and 70,000 euros to the government as a result of his conviction. Epifaniou was convicted on January 25, 2021, after pleading guilty to computer fraud conspiracy and a substantive count of computer fraud transferred from the District of Arizona for purposes of his plea.

This case was investigated by the Federal Bureau of Investigation. Foreign law enforcement partners also made significant contributions to the investigation, including the exceptional support and cooperation provided by the Office for Combating Cybercrime of the Cyprus Police. Valuable assistance also was provided by the Criminal Division’s Office of International Affairs and the U.S. Attorney’s Office for the District of Arizona.

Assistant U.S. Attorney Nathan P. Kitchens, Chief of the Public Integrity and Special Matters Section, prosecuted the case.

For further information please contact the U.S. Attorney’s Public Affairs Office at USAGAN.PressEmails@usdoj.gov or (404) 581-6016.  The Internet address for the U.S. Attorney’s Office for the Northern District of Georgia is http://www.justice.gov/usao-ndga.

Updated March 17, 2021

Topic
Cybercrime