Sentencing by a US court of young hacker Joshua Epiphaniou, originally scheduled for March 3, was postponed to March 17 after a prisoner in his cell block was found positive for Covid-19, his lawyer said on Thursday.

The first Cypriot citizen to be extradited to the US, Epiphaniou has been found guilty of committing cyber-crimes.

“Joshua was unable to be taken to court on Wednesday for his sentence as he will have to quarantine for the next two weeks,” Michael Chambers, one of the lawyers representing Epiphaniou, based in Limassol, told Cyprus Mail.

Epiphaniou, 21, was extradited to the US on July 16, 2020, where he faced charges in both Arizona and Georgia for felonies committed from his bedroom in Nicosia when he was still a minor.

Chambers still expects him to walk free after the announcement of his sentence, as he believes that the prosecution will take into account a number of mitigating circumstances.

Prior to his extradition, Epiphaniou had been held in custody for three years without a trial and without a conviction for any offence, for which his lawyer in Cyprus tried to plead time served as a mitigating circumstance with the US prosecution. Epiphaniou has also been diagnosed with Asperger’s syndrome.

“We are positive that the judge will consider the time that Epiphaniou already spent in jail, both in Cyprus and in the US, as time served,” Chambers said.

“He was found guilty only because he pleaded guilty during his last time in court. This is the reason behind the judge’s decision.”

Chambers added that the young hacker’s lawyer in the US told him he is expecting the judge to consider the time served in jail as the most important mitigating factor, one that will eventually see him leave the US.

According to the indictment, between October 2014 and November 2016, when he was aged between 14 and 16, Epiphaniou worked with associates to steal personal data from user and customer databases at victim websites in order to extort the websites into paying ransoms under threat of public disclosure.

He used proxy servers located in foreign countries to log into online email accounts and send messages to the victim’s websites threatening to leak the sensitive data unless a ransom was paid.

He defrauded the entities of $56,850 in bitcoin and two victims incurred losses of over $530,000 from remediation costs associated with the incident.