A former employee of network technology provider Ubiquiti pleaded guilty to multiple felony charges on Thursday after posing as an anonymous hacker in an attempt to extort almost $2 million worth of cryptocurrency while employed at the company.
Nickolas Sharp, 37, worked as a senior developer for Ubiquiti between 2018 and 2021 and took advantage of his authorized access to Ubiquiti’s network to steal gigabytes’ worth of files from the company during an orchestrated security breach in December 2020. The press release announcing his plea does not mention the company’s name, calling it only Company-1, but he has been identified publicly as a former employee and in a lawsuit filed by Ubiquiti.
Prosecutors said that Sharp used the Surfshark VPN service to hide his home IP address and intentionally damaged Ubiquiti’s computer systems during the attack in an attempt to conceal his unauthorized activity. Sharp later posed as an anonymous hacker who claimed to be behind the incident while working on an internal team that was investigating the security breach.
Sharp leaked data stolen from Ubiquiti after the company refused to pay 50 bitcoin ransom
While concealing his identity, Sharp attempted to extort Ubiquiti, sending a ransom note to the company demanding 50 Bitcoin (worth around $1.9 million at that time) in exchange for returning the stolen data and disclosing the security vulnerabilities used to acquire it. When Ubiquiti refused the ransom demands, Sharp leaked some of the stolen data to the public.
The FBI was prompted to investigate Sharp’s home around March 24th, 2021, after it was discovered that a temporary internet outage had exposed Sharp’s IP address during the security breach:
For the majority of this cybersecurity incident (the “Incident”), SHARP used a virtual private network (“VPN”) service that he subscribed to from a company named Surfshark to mask his Internet Protocol (“IP”) address when he accessed Company-1’s AWS and GitHub infrastructure without authorization. At one point during the exfiltration of Company-1 data, SHARP’s home IP address became unmasked following a temporary internet outage at SHARP’s home.
Sharp lied to FBI investigators, denying responsibility for the incident and claiming he hadn’t used the Surfshark VPN service prior to the internal investigation in January 2021. When presented with evidence that he had, in fact, purchased the Surfshark VPN service in July 2020, Sharp claimed that “someone else must have used his PayPal account to make the purchase.”
Sharp faces up to 35 years in prison after pleading guilty to multiple felony charges
Several days after the FBI investigation, Sharp contacted Brian Krebs of Krebs on Security masquerading as an anonymous whistleblower and falsely claiming that the hacker had acquired root administrator access to Ubiquiti’s accounts. He also accused the company’s legal team of attempting to cover up the security breach. Ubiquiti lost over $4 billion as a result of the company’s stock price falling by approximately 20 percent in the days following Krebs on Security’s publication of these false reports.
Ubiquiti sued Krebs in March of last year, alleging his coverage defamed the company. Krebs and the company agreed to dismiss the lawsuit in September, and he has removed the original articles from his site.
Sharp now faces a maximum sentence of 35 years in prison for intentionally damaging a protected computer, wire fraud, and making false statements to the FBI. His sentencing hearing is scheduled for May 10th, 2023.