Former Ubiquiti dev who extorted the firm gets six years in prison

Nickolas Sharp, a former senior developer of Ubiquiti, was sentenced to six years in prison for stealing company data, attempting to extort his employer, and aiding the publication of misleading news articles that severely impacted the firm's market capitalization.

In January 2021, network device manufacturer Ubiquiti announced that it suffered a data breach at a third-party cloud provider on December 2020, informing all its customers that they needed to reset their passwords and enable 2FA on their accounts.

While allegedly working as part of the incident response, the Department of Justice says Sharp posed as the anonymous hacker, demanding that Ubiquity pay 50 Bitcoin ($1.9 million at the time) to learn of the exploited vulnerability and for the stolen data to be deleted.

After the company refused to pay, Sharp contacted the media, posing as a whistleblower to spread misinformation about how Ubiquity handled the security incident.

"In those stories, Sharp identified himself as an anonymous whistleblower within Company-1 [Ubiquiti] who had worked on remediating the incident and falsely claimed that Company-1 had been hacked by an unidentified perpetrator who maliciously acquired root administrator access to Company-1's AWS accounts," reads the U.S. DoJ announcement.

"In fact, as Sharp well knew, Sharp himself had taken Company-1's data using credentials to which he had access, and Sharp had used that data in a failed attempt to extort Company-1 for millions of dollars."

The DOJ says the spread of false information resulted in Ubiquiti's stock price dropping by about 20%, corresponding to market capitalization losses of over $4 billion.

Evidence led to Sharp

In December 2021, Sharp was arrested and charged with data theft and extortion after internal investigations showed that he used his privileges to exfiltrate customer data from his employer's systems.

While the rogue developer had cleared his traces from the logs in the company's systems and used Surfshark VPN to hide his IP during the attack, a temporary internet outage disrupted the encrypted tunnel connection and briefly exposed his location.

In February 2023, after Sharp repeatedly tried to mislead FBI investigators, the former Ubiquiti employee pleaded guilty to one count of transmitting a program to a protected computer that intentionally caused damage, one count of wire fraud, and one count of making false statements to the FBI.

Although the charges could incur a maximum sentence of 37 years in prison, the Southern District Court of New York decided to sentence Sharp to 6 years in prison, three years of supervised release, and ordered the payment of restitution of $1,590,487.