The Industry’s Only SaaS-Delivered Enterprise DLP

Our unique approach to DLP allows for quick deployment and on-demand scalability, while providing full data visibility and no-compromise protection.

No-Compromise Data Protection is:

  • Cloud-Delivered
  • Cross Platform
  • Flexible Controls
DATAINSIDER

Digital Guardian's Blog

Hacker Who Ransomed Companies Pleads Guilty

by Chris Brook on Tuesday January 26, 2021

Contact Us
Free Demo
Chat

The man admitted he accessed sites, stole data, and demanded companies pay a ransom to prevent the release of the data.

Call it DIY ransomware.

A hacker plead guilty this week to extorting a handful of companies after he broke into their websites, stole user data, and demanded they pay thousands of dollars to prevent the release of that data.

While the hacker - Cyprus-based Joshua Polloso Epifaniou, also known as charySQX - was indicted years ago, in September 2017, it wasn't until this week that he plead guilty for his crimes.

Epifaniou became the first Cypriot national to be extradited by Cyprus to the US last year following an agreement, the U.S.-Cyprus Extradition Treaty, signed back in 2006.

In the 2017 indictment he was charged with one count of wire fraud conspiracy, two counts of wire fraud, one count of computer fraud conspiracy, and one count of extortion related to a protected computer. He also reportedly plead guilty to one count of computer fraud in a 24-count indictment transferred from the District of Arizona for purposes of his plea.

Sentencing isn't until March 3, according to the Department of Justice, which announced Epifaniou's guilty plea on Monday.

According to the Justice Department, to carry out the extortions, Epifaniou would either exploit a vulnerability in a company's website or obtain user data belonging to the company via another hacker who'd already broken into its network.

None of the impacted companies were specifically named but the DOJ, only hinted at:

  • An online sports news website owned by Turner Broadcasting System Inc. in Atlanta, Georgia
  • A free online game publisher based in Irvine, California
  • A hardware company based in New York, New York
  • An online employment website headquartered in Innsbrook, Virginia
  • A consumer report website headquartered in Phoenix, Arizona

The indictment filed with the US District Court for the District of Arizona confirms the consumer report website Epifanious accessed was Ripoff Report, a site that allows consumers to post anonymous complaints about people and businesses.

It also claims Epifaniou got access to the site's database through one of its employee's accounts via a brute force attack. After taking the company data he emailed the company's CEO asking for a $90,000 ransom, doubling down on his threat the day after with a video recording of him accessing the CEO's account.

Before he began ransoming companies, Epifaniou used his access at Ripoff Report to charge companies to remove complaints about their business on the site. Working with a SEO company employee, he charged between $3,000 and $5,000 to remove each complaint.

While the DOJ didn't publicly name the victims, an indictment filed in the US Court for the District of Georgia in Atlanta confirms the sports website Bleacher Report, Adafruit - the hardware company that makes Raspberry Pi computers, Snagajob - an employment website, and Armor Games, an online game website, were also among the victims.

Details on how exactly Epifaniou broke into their systems weren't included in the indictment. For some victims, like Armor Games and Adafruit, he exploited a vulnerability and injected code into the website to steal user and customer data. For others, like Bleacher Report and Snagajob, he relied on the aforementioned co-conspirator, who already had access to the databases.

While Epifaniou didn't make a fortune, he clearly made enough to keep going, receiving roughly $1,850 from Armor Games and $19,500 from Turner Sports over the span of one month. All said, he managed to defraud companies of $56,850 in Bitcoin. Two unnamed victims said their businesses incurred losses of over $530,000 from remediation costs associated with the incident.

According to the DOJ, Epifaniou paid nearly $600,000 in restitution to the victims and agreed to forfeit an additional $389,113 and nearly 70,000 euros to the government before entering a plea agreement.

Tags: hacks

Recommended Resources


  • The seven trends that have made DLP hot again
  • How to determine the right approach for your organization
  • Making the business case to executives
  • Why Data Classification is Foundational
  • How to Classify Your Data
  • Selling Data Classification to the Business

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.