A young hacker who became the first ever Cypriot citizen to be extradited to the US has been found guilty of committing cyber-crimes by a court in the state of Georgia on Monday.

Joshua Epiphaniou, 21, was extradited to the US on July 16 2020, where he faced charges in both Arizona and Georgia for felonies committed from his bedroom in Nicosia when he was still a minor. The maximum sentence for the charges he faces is 20 years.

Epiphaniou’s lawyers tried to reach a deal with FBI in October to reduce his sentence, which will be announced on March 3.

Prior to his extradition, Epiphaniou had been held in custody for three years without a trial and without a conviction for any offence, for which his lawyer in Cyprus tried to plead time served as a mitigating circumstance with the US prosecution.

“The accused gained access to US-based websites and threatened to reveal stolen personal information belonging to users unless they agreed to pay a ransom,” US prosecutor Bobby L. Christine said in his remarks.

“His arrest, extradition and conviction demonstrate our determination to bring to justice any hacker, no matter where he is.”

Atlanta FBI special agent Chris Hacker said the trial represented the agency’s determination to bring to justice cybercriminals for blackmailing US companies and citizens, “no matter where they are hiding”.

“However, the successful prosecution of this case would not have been possible without the help of our federal and foreign partners, including the Cypriot government.”

According to the indictment, between October 2014 and November 2016, when he was aged between 14 and 16, Epiphaniou worked with associates to steal personal data from user and customer databases at victim websites in order to extort the websites into paying ransoms under threat of public disclosure.

He allegedly used proxy servers located in foreign countries to log into online email accounts and send messages to the victim’s websites threatening to leak the sensitive data unless a ransom was paid.

He is alleged to have defrauded the entities of $56,850 in bitcoin and two victims incurred losses of over $530,000 from remediation costs associated with the incident.