Insider Threat Attack Caused $4 Billion in Market Capitalization Loss
From IP Theft to Extortion to Posing as an Anonymous Whistleblower & Foiled By a
Simple Power Outage
Former Ubiquiti senior developer pleads guilty to insider threat attack causing
loss of $4B in market capitalization & $2M extortion attempt
Ubiquiti has provided advanced data-driven software products based on our
proprietary artificial intelligence (AI), machine learning (ML) and natural
language processing (NLP) technologies serving the automotive supply chain,
automotive retail & repair, as well as the manufacturing and healthcare
sectors.
ubiquiti.com
techtarget.com
DOJ: Former Senior Developer Of Technology Company Pleads Guilty To Stealing
Confidential Data And Extorting Company For Ransom
Defendant Also Caused the Publication of Misleading News Articles About the
Company’s Handling of the Breach the Defendant Perpetrated, Resulting in Loss of
Over $4 Billion in Company’s Market Capitalization
NICKOLAS SHARP pled guilty today in Manhattan federal court to multiple federal
crimes in connection with a scheme he perpetrated to secretly steal gigabytes of
confidential files from a public New York-based technology company where he was
employed (“Company-1”). While purportedly working to remediate the security
breach for Company-1, SHARP extorted the company for nearly $2 million for the
return of the files and the identification of a remaining purported
vulnerability. SHARP subsequently re-victimized his employer by causing the
publication of misleading news articles about the company’s handling of the
breach that he perpetrated, which were followed by the loss of over $4 billion
in Company-1’s market capitalization. SHARP pled guilty to intentionally
damaging a protected computer, wire fraud, and making false statements to the
Federal Bureau of Investigation (“FBI”).
Company-1 was a technology company headquartered in New York that manufactured
and sold wireless communications products and whose shares were traded on the
New York Stock Exchange. NICKOLAS SHARP was employed by Company-1 from in or
about August 2018 through on or about April 1, 2021. SHARP was a senior
developer who had access to credentials for Company-1’s Amazon Web Services
(“AWS”) and GitHub Inc. (“GitHub”) servers.
In about December 2020, SHARP repeatedly misused his administrative access to
download gigabytes of confidential data from his employer. For the majority of
this cybersecurity incident (the “Incident”), SHARP used a virtual private
network (“VPN”) service that he subscribed to from a company named Surfshark to
mask his Internet Protocol (“IP”) address when he accessed Company-1’s AWS and
GitHub infrastructure without authorization. At one point during the
exfiltration of Company-1 data, SHARP’s home IP address became unmasked
following a temporary internet outage at SHARP’s home.
During the course of the Incident, SHARP caused damage to Company-1’s computer
systems by altering log retention policies and other files in order to conceal
his unauthorized activity on the network. In or about January 2021, while
working on a team remediating the effects of the Incident, SHARP sent a ransom
note to Company-1, posing as an anonymous attacker who claimed to have obtained
unauthorized access to Company-1’s computer networks. The ransom note sought 50
Bitcoin, a cryptocurrency (which was the equivalent of approximately $1.9
million, based on the prevailing exchange rate at the time), in exchange for the
return of the stolen data and the identification of a purported “backdoor,” or
vulnerability, to Company-1’s computer systems. After Company-1 refused the
demand, SHARP published a portion of the stolen files on a publicly accessible
online platform.
On or about March 24, 2021, FBI agents executed a search warrant at SHARP’s
residence in Portland, Oregon, and seized certain electronic devices belonging
to SHARP. During the execution of that search, SHARP made numerous false
statements to FBI agents, including, among other things, in substance, that he
was not the perpetrator of the Incident and that he had not used Surfshark VPN
prior to the discovery of the Incident. When confronted with records
demonstrating that SHARP purchased the Surfshark VPN service in July 2020,
approximately six months prior to the Incident, SHARP falsely stated, in part
and substance, that someone else must have used his PayPal account to make the
purchase.
Several days after the FBI executed the search warrant at SHARP’s residence,
SHARP caused false news stories to be published about the Incident and
Company-1’s response to the Incident and related disclosures. In those stories,
SHARP identified himself as an anonymous whistleblower within Company-1 who had
worked on remediating the Incident. In particular, SHARP falsely claimed that
Company-1 had been hacked by an unidentified perpetrator who maliciously
acquired root administrator access to Company-1’s AWS accounts. In fact, as
SHARP well knew, SHARP had taken Company-1’s data using credentials to which he
had access in his role as Company-1’s AWS cloud administrator, and SHARP had
used that data in a failed attempt to extort Company-1 for millions of dollars.
Following the publication of these articles, between March 30, 2021, and March
31, 2021, Company-1’s stock price fell approximately 20%, losing over $4 billion
in market capitalization.
SHARP, 37, of Portland, Oregon, pled guilty today to one count of transmitting a
program to a protected computer that intentionally caused damage, one count of
wire fraud, and one count of making false statements to the FBI.
These offenses carry a total maximum sentence of 35 years in prison.
SHARP is scheduled to be sentenced by Judge Failla on May 10, 2023, at 3:00 p.m.
justice.gov