The Industry’s Only SaaS-Delivered Enterprise DLP
Our unique approach to DLP allows for quick deployment and on-demand scalability, while providing full data visibility and no-compromise protection.
No-Compromise Data Protection is:
- Cross Platform
- Flexible Controls
The man admitted he accessed sites, stole data, and demanded companies pay a ransom to prevent the release of the data.
Call it DIY ransomware.
A hacker plead guilty this week to extorting a handful of companies after he broke into their websites, stole user data, and demanded they pay thousands of dollars to prevent the release of that data.
While the hacker - Cyprus-based Joshua Polloso Epifaniou, also known as charySQX - was indicted years ago, in September 2017, it wasn't until this week that he plead guilty for his crimes.
Epifaniou became the first Cypriot national to be extradited by Cyprus to the US last year following an agreement, the U.S.-Cyprus Extradition Treaty, signed back in 2006.
In the 2017 indictment he was charged with one count of wire fraud conspiracy, two counts of wire fraud, one count of computer fraud conspiracy, and one count of extortion related to a protected computer. He also reportedly plead guilty to one count of computer fraud in a 24-count indictment transferred from the District of Arizona for purposes of his plea.
Sentencing isn't until March 3, according to the Department of Justice, which announced Epifaniou's guilty plea on Monday.
According to the Justice Department, to carry out the extortions, Epifaniou would either exploit a vulnerability in a company's website or obtain user data belonging to the company via another hacker who'd already broken into its network.
None of the impacted companies were specifically named but the DOJ, only hinted at:
- An online sports news website owned by Turner Broadcasting System Inc. in Atlanta, Georgia
- A free online game publisher based in Irvine, California
- A hardware company based in New York, New York
- An online employment website headquartered in Innsbrook, Virginia
- A consumer report website headquartered in Phoenix, Arizona
The indictment filed with the US District Court for the District of Arizona confirms the consumer report website Epifanious accessed was Ripoff Report, a site that allows consumers to post anonymous complaints about people and businesses.
It also claims Epifaniou got access to the site's database through one of its employee's accounts via a brute force attack. After taking the company data he emailed the company's CEO asking for a $90,000 ransom, doubling down on his threat the day after with a video recording of him accessing the CEO's account.
Before he began ransoming companies, Epifaniou used his access at Ripoff Report to charge companies to remove complaints about their business on the site. Working with a SEO company employee, he charged between $3,000 and $5,000 to remove each complaint.
While the DOJ didn't publicly name the victims, an indictment filed in the US Court for the District of Georgia in Atlanta confirms the sports website Bleacher Report, Adafruit - the hardware company that makes Raspberry Pi computers, Snagajob - an employment website, and Armor Games, an online game website, were also among the victims.
Details on how exactly Epifaniou broke into their systems weren't included in the indictment. For some victims, like Armor Games and Adafruit, he exploited a vulnerability and injected code into the website to steal user and customer data. For others, like Bleacher Report and Snagajob, he relied on the aforementioned co-conspirator, who already had access to the databases.
While Epifaniou didn't make a fortune, he clearly made enough to keep going, receiving roughly $1,850 from Armor Games and $19,500 from Turner Sports over the span of one month. All said, he managed to defraud companies of $56,850 in Bitcoin. Two unnamed victims said their businesses incurred losses of over $530,000 from remediation costs associated with the incident.
According to the DOJ, Epifaniou paid nearly $600,000 in restitution to the victims and agreed to forfeit an additional $389,113 and nearly 70,000 euros to the government before entering a plea agreement.