Joshua Epiphaniou, the first Cypriot national ever extradited to the US where he is facing hacking charges and up to 20 years in prison, has had his court arraignment in Georgia, at which his lawyer has been trying to negotiate a time served sentence with the prosecution.
Twenty-year-old Epiphaniou, who has Asperger’s syndrome, was extradited on July 17 after being in prison in Cyprus for over two years, awaiting extradition to the US for alleged hacking and extortion crimes committed when he was still a minor.
Under US law, time served is a sentence where the defendant is credited immediately after the guilty verdict with the time spent in remand awaiting trial. The time is usually subtracted from the sentence, with only the balance or no time being served after the verdict, depending on the case.
Epiphaniou’s lawyer in Cyprus, Michael Chambers told the Cyprus Mail on Wednesday that he and his US lawyer, Stephen P Johnson, “are optimistic regarding the outcome of the case”.
Furthermore, Chambers said his US colleague has also requested some documents from Cyprus proving the defendant has Asperger’s syndrome, in attempt to further mitigate the prosecution’s requests.
No date has yet been set for the next court appointment, Chambers said.
Epiphaniou was in jail in Cyprus for over two years following his arrest in February 2018 and is wanted in the states of Georgia and Arizona for cyber intrusion and extortion.
Cyprus amended its Constitution in 2013 to allow for the extradition of Cypriot nationals to a European country or to a third country on the basis of a European arrest warrant or on the basis of a bilateral or multilateral treaty that the republic has signed.
A five-count indictment filed in Georgia charges the 20-year-old with conspiracy to commit wire fraud, wire fraud, conspiracy to commit computer fraud, identity theft, and extortion.
According to the indictment, between October 2014 and November 2016, when he was aged between 14 and 16, Epiphaniou worked with associates to steal personal data from user and customer databases at victim websites in order to extort the websites into paying ransoms under threat of public disclosure.
He allegedly used proxy servers located in foreign countries to log into online email accounts and send messages to the victim’s websites threatening to leak the sensitive data unless a ransom was paid.
He is alleged to have defrauded the entities of $56,850 in bitcoin and two victims incurred losses of over $530,000 from remediation costs associated with the incident.