Accused Cypriot scammer threatened to publish stolen data if victims didn’t pay huge extortion fees

Victims included the Ripoff Report and a sporting news site owned by TBS.
Joshua Epifaniou

The government of Cyprus has extradited a 21-year-old accused cybercriminal to the United States after he was accused of breaching a number of U.S. companies as part of a years-long extortion effort.

Joshua Epifaniou, a Cypriot national, arrived in New York City on Friday, more than two years after he was initially arrested in connection with a corporate hacking spree.

Epifaniou is charged with stealing personal information from at least four sites, then demanding a payment in exchange for not publishing that data, according to the U.S. Department of Justice. Epifaniou also hacked Ripoff Report, a business accountability site, and charged his clients between $3,000 and $5,000 to delete relevant complaints, prosecutors contend. Epifaniou also allegedly worked with a search engine optimization firm to research companies disparaged on Ripoff Report that would be most likely to pay for his services.

The Justice Department announced Saturday that Epifaniou was the first Cypriot national to be sent to the U.S. under an extradition treaty. Law enforcement sent Epifaniou to the U.S. along with Ghassan Diab, a citizen of Lebanon wanted in Florida on unrelated charges of laundering proceeds from drug sales through the black market.


Epifaniou’s alleged hacking scheme involved the theft of personal data from a game publisher in Irvine, Ca., a hardware company based in New York, NY, an employment website in Va. and a TBS-owned sporting news website based in Atlanta, Ga.

By exploiting software vulnerabilities to steal data, then threatening to publicize that information if the victim didn’t pay a ransom, attackers defrauded victims out of $56,850 in bitcoin between October 2014 and November 2016. The affected organizations also paid more than $530,000 to remediate their security incidents.

Epifaniou also breached Ripoff Report on Oct. 30, 2016, the indictment alleges, by using a brute force attack, which involves guessing usernames and passwords through a trial-and-error method. As part of the scam, Epifaniou is accused of emailing Ripoff Report’s chief executive and threatening to publish stolen data if the company refused to pay $90,000 within 48 hours. While the indictment does not say whether Ripoff Report agreed to the terms, Epifaniou’s alleged operation continued for months afterward, as he accepted payments to delete dozens of records.

Representation for Epifaniou could not be located for comment.

He is scheduled to be arraigned on Monday in a court in the Northern District of Georgia.


The indictment is available in full below.

[documentcloud url=”” responsive=true]

Jeff Stone

Written by Jeff Stone

Jeff Stone is the editor-in-chief of CyberScoop, with a special interest in cybercrime, disinformation and the U.S. justice system. He previously worked as an editor at the Wall Street Journal, and covered technology policy for sites including the Christian Science Monitor and the International Business Times.

Latest Podcasts