Former Ubiquiti dev pleads guilty in data theft and extortion case
Nickolas Sharp now faces up to 35 years in prison
A former Ubiquiti employee accused of hatching an elaborate plot to first steal data from his employer, then extort $2 million from bosses to keep it all under wraps, and later orchestrate a smear campaign against the biz pleaded guilty to multiple felony charges Thursday.
Nickolas Sharp, of Portland, Oregon, now faces years in prison after pleading to one count of transmitting a program to a protected computer that intentionally caused damage, one count of wire fraud, and one count of making false statements to the FBI.
"Nickolas Sharp's company entrusted him with confidential information that he exploited and held for ransom. Adding insult to injury, when Sharp wasn't given his ransom demands, he retaliated by causing false news stories to be published about the company which resulted in his company's market capitalization plummeting by over $4 billion," US Attorney Damian Williams said in a statement Thursday. "Sharp's guilty plea today ensures that he will face the consequences of his destructive actions."
The bizarre story behind the Sharp case is the stuff of CISO nightmares. As we reported at the time, Sharp was charged in connection with the high-profile Ubiquiti data theft and ransom attempt in late 2021.
Prosecutors accused Sharp — who was working as a cloud lead for the wireless and LAN switching vendor according to his LinkedIn profile — of using his position and administrative access to the company's AWS cloud instances and GitHub repository to exfiltrate gigabytes of data to his home network.
While a team he was working on investigated the breach, prosecutors say Sharp sent a ransom note demanding 50 Bitcoin — worth about $1.9 million at the time — for the return of the data and to identify the backdoor used to acquire it. When Ubiquiti declined to capitulate to his demands, Sharp leaked some of the data to the public.
Sharp might have succeeded had it not been for his confidence that Surfshark VPN — purchased using his personal PayPal account — would shield his identity. According to prosecutors, while exfiltrating data from Ubiquiti's GitHub repos, his home IP address was revealed following a brief internet outage.
In March 2021, FBI agents executed a search of Sharp's home in connection with the hack and seized electronic devices. During the investigation, Sharp denied any knowledge of involvement in the case and made "numerous" false statements to the FBI agents, including that he'd never used Surfshark VPN.
When pressed on the matter, Sharp claimed that "someone else must have used his PayPal account to make the purchase," according to prosecutors. The old excuse, the other one did it.
But rather than lie low in the days following the FBI raid, Sharp began reaching out to the press, posing as a whistleblower and maligning his employer's handling of the breach. His false narrative circulated widely, ultimately trimming billions from Ubiquiti's market capitalisation.
The Manhattan federal court scheduled a sentencing hearing for May 10. ®