Feds get guilty plea in Ubiquiti data extortion case
A former employee of the technology company Ubiquiti pleaded guilty on Thursday in a Manhattan federal courtroom on charges related to perpetrating an audacious insider attack on his employer, in which he accessed a trove of confidential data before demanding a ransom.
Nickolas Sharp, 37, was a senior software engineer at the New York-based company, which specializes in wireless communications. In his role, he was responsible for cloud infrastructure security, as well as software development.
According to the federal indictment, in late 2020 Sharp began abusing his administrative access and downloaded gigabytes of confidential data from the company’s Amazon Web Services and GitHub servers.
“Nickolas Sharp’s company entrusted him with confidential information that he exploited and held for ransom,” U.S. Attorney Damian Williams said Thursday in a statement announcing the guilty plea.
Sharp’s plan also had a disinformation angle. As Williams noted, “Adding insult to injury, when Sharp wasn’t given his ransom demands, he retaliated by causing false news stories to be published about the company.”
Sharp pleaded guilty to one count of transmitting a program to a protected computer that intentionally caused damage; one count of wire fraud; and one count of making false statements to the FBI. Together, the charges carry a maximum sentence of 35 years, which will be decided by a judge in May.
After the company discovered the breach, Sharp was assigned to the team working to investigate and remediate the incident. It was at this point that he posed as an anonymous hacker and sent a ransom note, demanding about $1.9 million in bitcoin in exchange for the stolen files and information about a purported insecure “backdoor” in the system.
Three minutes before the deadline to pay the ransom, the “hacker” sent a message via Keybase to an Ubiquiti employee: “No BTC. No talk. We done here.” Included was a link to a public folder containing leaked data.
Ultimately, Sharp’s IP address led investigators to his door in Portland, Oregon. He had used the VPN provider Surfshark to hide his tracks, but was exposed one night when there was an Internet outage. As it came back on, the IP address linked to his house was logged as he ran commands to clone GitHub repositories.
In March 2021, FBI investigators searched Sharp’s home. According to the indictment, a few days later he began speaking to the media as an anonymous whistleblower, alleging that the data breach at the company was much worse than had been disclosed and that it was handled poorly.
Following the coverage, Ubiquiti's stock plummeted, losing $4 billion in market capitalization over a two-day span. The journalist Brian Krebs, who quoted Sharp anonymously on his site Krebs on Security, was ultimately sued by Ubiquiti for his coverage. Sharp was arrested in December 2021.
James Reddick
has worked as a journalist around the world, including in Lebanon and in Cambodia, where he was Deputy Managing Editor of The Phnom Penh Post. He is also a radio and podcast producer for outlets like Snap Judgment.