Ex-Ubiquiti dev jailed for six years after stealing inside corp information, extorting bosses

Nickolas Sharp has been sentenced to 6 years in jail and ordered to pay virtually $1.6 million to his former employer Ubiquiti – after stealing gigabytes of company information after which making an attempt to extort virtually $2 million from the biz whereas posing as an nameless hacker.

Final month, Sharp, 37, pleaded responsible to deliberately damaging a protected laptop, wire fraud, and making false statements to the FBI.

“Nickolas Sharp was paid near 1 / 4 million {dollars} a 12 months to assist preserve his employer protected,” US Legal professional Damian Williams stated in a press release this week.

He abused that belief by stealing an enormous quantity of delicate information, trying to implicate harmless staff in his assault

“He abused that belief by stealing an enormous quantity of delicate information, trying to implicate harmless staff in his assault, extorting his employer for ransom, obstructing regulation enforcement, and spreading false information tales that harmed the corporate and anybody who invested into the corporate “Sharp now faces critical penalties for his callous crimes.”

The penalties aren’t as critical as Williams would have favored, nevertheless. Prosecutors had urged the decide to place Sharp behind bars for between eight and 10 years.

“Such a sentence would adequately mirror the seriousness of Sharp’s crimes, present simply punishment, and ship a message to would-be hackers {that a} substantial jail time period is the probably consequence of such prison conduct,” Williams stated in a memo forward of sentencing [PDF].

Methods to (not) get away with hacking

The weird scheme began in late 2020, when Sharp was interviewing for a brand new job. On the time, he labored as a senior developer at Ubiquiti with entry to the community system large’s AWS cloud cases and GitHub repositories, from which he downloaded confidential firm information, in keeping with the indictment in opposition to him [PDF].

The engineer stole “over 1,400 AWS activity definitions recordsdata, and over 1,100 GitHub code repositories,” and altered the corporate’s log retention histories and adjusted session file names to cover his exercise and make it seem like a coworker was sneaking round on the community, prosecutors stated.

By January 2021, this suspicious exercise had been detected and Sharp was on the group investigating and remediating the snafu. Extremely, Sharp despatched a ransom word to his employer, claiming to be the nameless thief who had stolen the company recordsdata, and demanded 50 Bitcoin — about $1.9 million on the time. In change for the dosh, he’d return the stolen information and disclose a purported backdoor used to steal the info, which did not exist in fact.

When Ubiquiti refused his calls for, Sharp leaked a few of the information to the general public.

It wasn’t me

Sharp used a Surfshark VPN, which he bought utilizing his private PayPal account, to hold out the above exfiltration. That VPN masked the general public IP tackle he was utilizing, in order that it appeared another person was nefariously utilizing his entry to nab the recordsdata. Based on prosecutors, although, whereas exfiltrating information from Ubiquiti’s GitHub repos, Sharp briefly linked immediately from his residence IP tackle, slightly than by way of the VPN, revealing who was behind the theft and led investigators to his door, actually.

The FBI obtained a warrant to look Sharp’s residence, and in March 2021, descended on his Portland, Oregon residence and seized sure digital units belonging to the engineer, together with a laptop computer he had used to steal Ubiquiti’s information.  

Throughout an investigation, Sharp made false statements to FBI brokers: he denied any data of the extortion scheme, he stated he by no means used a Surfshark VPN, and when pressed on this level claimed “another person should have used his PayPal account to make the acquisition,” in keeping with prosecutors. They did not purchase it.

Sharp, nevertheless, seemingly could not preserve his mouth shut, and within the days following the FBI’s raid, he went to the press claiming to be an nameless whistleblower. He falsely claimed that Ubiquiti had been hacked, and his firm had flubbed the incident response.

These false information tales despatched the tech agency’s inventory plummeting 20 p.c between March 30, 2021 and March 31, 2021, inflicting Ubiquiti to lose greater than $4 billion in market capitalization.

After his jail time is up, Sharp will get three years of supervised launch. The decide additionally ordered him to pay restitution of $1,590,487 [PDF] to cowl Ubiquiti’s prices, and to forfeit private property [PDF] used or supposed for use in reference to these offenses. ®