Developer pleads guilty to hacking and attempting to extort employer

In recent disgruntled employee news, the US Department of Justice (DOJ) announced that 37-year-old Nickolas Sharp pled guilty to multiple federal charges concerning a scheme he perpetrated to steal confidential files from his employer. Although this employer is referred to as “Company-1” in the official DOJ press release, The Verge reports that the company in question is network technology provider Ubiquiti.

The crimes 

Working as a senior developer for Ubiquiti between 2018 and 2021, Sharp had access to credentials for the company’s AWS and GitHub servers. In December 2020, Sharp took advantage of this administrative access by downloading gigabytes of confidential data. He then orchestrated a cybersecurity attack against Ubiquiti’s systems and altered log retention policies and other files to hide his unauthorized activity on the network. 

Soon after in January 2021, he pretended to be an anonymous hacker and sent a ransom note to the company, demanding 50 Bitcoin (worth $1.9 million at the time) in exchange for the stolen data and information about the alleged backdoor he used to access Ubiquiti’s systems. The company refused, and Sharp published some information online while pretending to investigate the security breach internally.

How he got caught

While carrying out the attack, Sharp used Surfshark VPN to hide his IP address. However, an Internet outage occurred at one point during the process, unmasking his real IP address. According to TechRadar, this is because Sharp failed to turn on his VPN’s kill switch. This feature ensures that if a VPN connection suddenly drops, it won’t revert back to the default Internet connection. This feature is generally not turned on by default.

The FBI were able to use this information to track him down, search his residence, and seize his electronic devices. Sharp lied to agents during the search, claiming he had not carried out the incident and had never used Surfshark. When confronted with PayPal records showing his purchase of the VPN service, Sharp claimed someone else must have done it. 

Following the search, Sharp doubled down by posing as an anonymous whistleblower, informing media outlets that Ubiquiti had actually been hacked by an unidentified perpetrator who maliciously acquired root administrator access to their servers. This resulted in the publication of several false news stories, and the company experienced losses of $4 billion in market capitalization.

The outcome 

Ultimately, Sharp pled guilty to transmitting a program to a protected computer that intentionally caused damage, one count of wire fraud, and one count of making false statements to the FBI. He could face a maximum sentence of 35 years in prison for these charges.

Share on Twitter, Facebook, Google+