Ex-Ubiquiti dev jailed for 6 years after stealing internal corp data, extorting bosses

Nickolas Sharp has been sentenced to six years in prison and ordered to pay almost $1.6 million to his now-former employer Ubiquiti – after stealing gigabytes of corporate data from the biz and then trying to extort almost $2 million from his bosses while posing as an anonymous hacker.

In February, Sharp, 37, pleaded guilty to intentionally damaging a protected computer, wire fraud, and making false statements to the FBI. He was sent down on Wednesday by US District Judge Katherine Polk Failla.

“Nickolas Sharp was paid close to a quarter million dollars a year to help keep his employer safe,” US Attorney Damian Williams said in a statement.

He abused that trust by stealing a massive amount of sensitive data, attempting to implicate innocent employees in his attack

“He abused that trust by stealing a massive amount of sensitive data, attempting to implicate innocent employees in his attack, extorting his employer for ransom, obstructing law enforcement, and spreading false news stories that harmed the company and anyone who invested into the company.

“Sharp now faces serious penalties for his callous crimes.”

Those penalties in the end weren’t as serious as Williams would have liked. Prosecutors had urged the judge to put Sharp behind bars for between eight and 10 years.

“Such a sentence would adequately reflect the seriousness of Sharp’s crimes, provide just punishment, and send a message to would-be hackers that a substantial jail term is the likely consequence of such criminal conduct,” Williams said in a memo ahead of sentencing [PDF].

How to (not) get away with hacking

The bizarre scheme started in late 2020, when Sharp was interviewing for a new job. At the time, he worked as a senior developer at Ubiquiti with access to the network device giant’s AWS cloud instances and GitHub repositories, from which he downloaded confidential company data, according to the indictment against him [PDF].

The engineer stole “over 1,400 AWS task definitions files, and over 1,100 GitHub code repositories,” and altered the company’s log retention histories and changed session file names to hide his activity and make it look like a coworker was sneaking around on the network, prosecutors said.

By about January 2021, Ubiquiti became aware of this suspicious activity, prosecutors said, and Sharp was on the team investigating and remediating the snafu. Incredibly, Sharp at the time had anonymously sent a ransom note to his employer, claiming to be the thief who had stolen the corporate files, and demanded 50 Bitcoin — about $1.9 million at the time. In exchange for the dosh, he’d return the stolen data and disclose a purported backdoor used to steal the data, which didn’t exist of course.

When Ubiquiti refused his demands, Sharp leaked some of the data to the public.

It wasn’t me

Sharp used a Surfshark VPN, which he purchased using his personal PayPal account, to carry out the above exfiltration. That VPN masked the public IP address he was using, so that it appeared someone else was nefariously using his access to nab the files. According to prosecutors, though, while exfiltrating data from Ubiquiti’s GitHub repos, Sharp briefly connected directly from his home IP address, rather than via the VPN, revealing who was behind the theft and led investigators to his door, literally.

The FBI obtained a warrant to search Sharp’s home, and in March 2021, descended on his Portland, Oregon residence and seized certain electronic devices belonging to the engineer, including a laptop he had used to steal Ubiquiti’s data.  

During an investigation, Sharp made false statements to FBI agents: he denied any knowledge of the extortion scheme, he said he never used a Surfshark VPN, and when pressed on this point claimed “someone else must have used his PayPal account to make the purchase,” according to prosecutors. They didn’t buy it.

Sharp, however, seemingly couldn’t keep his mouth shut, and in the days following the FBI’s raid, he went to the press claiming to be an anonymous whistleblower. He falsely claimed that Ubiquiti had been hacked, and his company had flubbed the incident response.

These false news stories sent the tech firm’s stock plummeting 20 percent between March 30, 2021 and March 31, 2021, causing Ubiquiti to lose more than $4 billion in market capitalization.

Sharp, who was gone from Ubiquiti by April that year, tried to convince Judge Failla that he stole the data as some kind of internal penetration test, ultimately to make Ubiquiti more secure, and thus should escape jail time, though the bench decided otherwise.

After his prison time is up, Sharp will get three years of supervised release. The judge also ordered him to pay restitution of $1,590,487 [PDF] to cover Ubiquiti’s costs, and to forfeit personal property [PDF] used or intended to be used in connection with these offenses. ®

READ MORE HERE