DataBreaches.Net


Cypriot man, accused of hacking Armor Games and Ripoff Report extradited to U.S.

Posted on July 21, 2020 by Dissent

Seen on KNEWS:

The Republic of Cyprus has extradited two alleged cyber criminals to the United States, including a young man who is the first Cypriot national to be extradited under an extradition treaty with the US.

Joshua Polloso Epifaniou, a 21-year-old from Nicosia and the first Cypriot national to be extradited to the United States, landed at Kennedy Airport in New York last Friday. He was extradited on FBI warrants to face multiple cyber charges in Georgia and Arizona, including intrusion and money extortion.

Read more on KNEWS.

Epifaniou’s M.O. seemed to be that he would hack sites and then attempt to extort the owners into paying him some ransom so that he would not dump data or do other damage. He was described as a skilled young hacker who had previously earned bug bounties by finding vulnerabilities.

Among Epifaniou’s alleged victims in the Northern District of Georgia are Adafruit, Snagajob, Armor Games, and Bleacher Report. In Arizona, he’s charged for an incident involving Ripoff Report. Epifaniou’s earlier aliases (cited in the Georgia cases) included CharySQX and Georgos Petiou, while other aliases used in the Arizona cases included Charley Sullivan, Chary Malatan, and Richard Charley.

Epifaniou allegedly hacked Armor Games in October, 2014, exploiting a vulnerability in the site. And although he didn’t acquire the entire database, he contacted the firm claiming to have data on 450,000 users and threatened to dump the data if the firm didn’t pay him a ransom demand in BTC. He also took the site offline to motivate the firm to pay up. At the time, his ransom demand was less than $2,000.00. The firm paid. An Armor Games database with more than 11 million records from 2014 has been publicly circulated, but this site does not know definitively if it is from this incident, although it seems plausible.

The Ripoff Report scheme, alleged in the Arizona indictment, was more complex. Epifaniou allegedly hacked ROR in October, 2016 using a brute force attack that gave him access to an employee’s account. Several weeks later, he emailed the CEO of ROR, demanding $90,000 within 48 hours or he would start dumping the data. But beginning even before that, he had started working with an employee at an unnamed reputation management/SEO firm in Glendale, California. The SEO employee would then contact companies that had bad reports in ROR and offer to get the bad reports removed through the SEO service. What they would then seemingly do is access ROR’s database to remove the listing, and then tell the SEO client that they had gotten the file removed via a court order or some legitimate means. According to the indictment, Epifaniou and his partner managed to remove about 100 firms’ bad reviews that way, charging each firm $3,000 – $5,000 for the alleged SEO service.

Epifaniou’s Ripoff scheme appears to have run between October, 2016 and May, 2017. Unfortunately for Epifaniou, it appears that the prosecution has a lot of instant messaging records that show Epifaniou and his co-conspirator discussing their plans and methods. A sealed indictment was filed in September, 2017.

Update: I just read Hacker News coverage from yesterday. They have a lot of the same details I just reported but they also provide some additional info that you may want to read.

On an additional note, I don’t recall ever getting a breach notification letter from Ripoff Report in 2016, even though my information was in there from a report I had filed years earlier. I know my information was in there because it is STILL in there. And how do I know THAT? Well, Ripoff Report recently had a misconfigured Amazon S3 bucket that a researcher found and alerted me to. I gave him permission to check for anything by me, and sure enough, he was able to find the old report.

The researcher attempted to notify ROR of the leak by email, but the emails bounced back. I personally called ROR and left a voicemail message. I got no call back. I then tried reaching the CEO via LinkedIn. Still no response. So the researcher contacted Amazon and it seems like they were able to reach ROR to get the bucket secured on July 16. Is ROR going to notify anyone about this latest incident? Do they know how many people may have accessed their database?

Imagine that you apply for a position with a firm that has a copy of RipoffReport. Assume that as part of their background check on you, they look to see if you have ever filed anything with ROR, and lo and behold, it turns out that years ago, you filed a ripoff report about their company — the same one you now seek employment with. How might that work out for you?

Category: Breach Incidents, Business Sector, Hack, Other
