A Cypriot man has been jailed in the US over a scam that involved extorting website operators with stolen personal information.
Joshua Polloso Epifaniou, 22, of Nicosia, threatened to release stolen user information unless the websites paid a ransom as part of a scam that ran between October 2014 and November 2016.
Epifaniou pleaded guilty to computer fraud conspiracy and computer hacking in January. Before entering a guilty plea, Epifaniou paid nearly $600,000 in restitution to the victims.
At a sentencing hearing this week, Epifaniou was jailed for one year and one day, in addition to the three years and 10 months he’s already served in custody for the offense prior to his sentencing hearing.
US District Judge Mark Cohen further imposed a combined forfeiture order of $472,000.
Data leak threat
Epifaniou, a teenager living with his mother in Cyprus at the time of his offences, selected potential victims based on website traffic rankings, the US Department of Justice (DoJ) said in a news release yesterday (March 17).
He then worked with his shady associates to find and exploit website or network vulnerabilities in order to steal personally identifiable information (PII) from user and customer databases at targeted organizations.
After obtaining the PII, Epifaniou used proxy servers in foreign countries to send extortion demands, threatening to leak sensitive data unless the victim transferred funds in cryptocurrency wallets controlled by the gang.
Epifaniou operated under aliases including ‘Charley Sullivan’ and ‘Richard Charley’.
According to the original indictment (PDF), victims included Bleacher Report, an online sports news website; Armor Games, an online gaming platform; Adafruit, a New York-based electronic hardware company; Snagajob, an employment search website; and Ripoff Report, a US consumer report website.
SQL injection was one of the main vectors of these attacks, according to the indictment, which adds that Epifaniou extorted $19,000 in bitcoin from Turner Broadcasting Corporation and $1,650 in bitcoin from Armor Games, respectively.
The much higher restitution payment Epifaniou has been obliged to pay is a reflection of the huge surge in value of bitcoin over recent years.
According to the DoJ statement, Epifaniou was also operating a lucrative side hustle that involved using his illicit access to Ripoff Report in order to “remove online complaints posted on the website at the request of paying clients”.
“Epifaniou and his co-conspirator, Pierre Zarokian [plea deal, PDF], charged clients between $1,000 and $5,000 for removal of each complaint and falsely told clients that the removals were court-ordered,” according to the DoJ.
The case was investigated by the FBI and assisted by the Office for Combating Cybercrime of the Cyprus Police. Epifaniou is the first Cypriot national ever extradited from Cyprus to the United States.
Source: https://portswigger.net/daily-swig/cypriot-hacker-who-extorted-website-owners-by-threatening-to-leak-stolen-data-is-jailed