Former Employee Of Technology Company Charged With Stealing Confidential Data And Extorting Company For Ransom While Posing As Anonymous Attacker | USAO-SDNY

Damian Williams, the US Attorney for the Southern District of New York, and Michael J. Driscoll, Assistant Director of the New York Office of the Federal Bureau of Investigation (“FBI”), announced today the arrest of NICKOLAS SHARP for stealing gigabytes of confidential files from a New York-based technology company where he was employed (“Company-1”) and then, while allegedly working on the security breach, extorting the company for nearly $2 million for the return of the files and the identification of a remaining alleged vulnerability. SHARP then harassed his employer again by publishing misleading news articles about the company’s handling of the breach that he committed, which was followed by a significant drop in the company’s share price that resulted in a billion dollar loss in market capitalization.

SHARP was arrested in the District of Oregon today and will be brought before US Judge John V. Acosta this afternoon. The case has been assigned to U.S. District Judge Katherine Polk Failla.

US Attorney Damian Williams said: “As claimed, Nickolas Sharp has used his account as a trusted insider to steal gigabytes of confidential data from his employer. It was further alleged that after the FBI searched his home in connection with the theft, Sharp now published malicious messages as the company’s anonymous whistleblower, falsely claiming that the theft was carried out by a hacker, made possible by a vulnerability in the computer systems of the company. Now the alleged theft and lies have been exposed and Sharp is facing serious federal charges.”

FBI Assistant Director Michael J. Driscoll said, “We claim that Mr. Sharp invented a twisted conspiracy to blackmail the company he worked for by using his technology and data against the company. In addition to violating several federal laws, he allegedly orchestrated the release of information to the media when his ransom demands were not met. When confronted, he lied to FBI agents. Mr. Sharp may have thought he was smart enough to pull off his plan, but a simple technical glitch ended his dreams of getting rich.”

According to the indictment unsealed in federal court in Manhattan today[1]:

At all times relevant to the indictment, Company-1 was a technology company headquartered in New York that manufactured and sold wireless communications products and whose shares were traded on the New York Stock Exchange. NICKOLAS SHARP, the defendant, was employed by Company-1 from about August 2018 through on or about April 1, 2021. SHARP was a senior developer who had access to credentials for Company-1’s Amazon Web Services (“AWS”) and GitHub Inc. (“GitHub”) servers.

Around December 2020, SHARP repeatedly misused his administrative access to download gigabytes of confidential data from his employer. For the majority of this cybersecurity incident (the “Incident”), SHARP used a virtual private network service to which he subscribed from a company called Surfshark to mask his Internet Protocol (“IP”) address when he accessed Company-1’s AWS and GitHub infrastructure without authorization. During the exfiltration of Company-1 data, SHARP’s personal IP address was exposed after a temporary Internet failure at SHARP’s home.

In the course of the incident, SHARP caused damage to Company-1’s computer systems by changing log retention policies and other files to hide his unauthorized activity on the network. In or about January 2021, while working on a team to correct the impact of the incident, SHARP sent a ransom note to Company-1, impersonating an anonymous attacker who claimed to have gained unauthorized access to Company-1’s computer networks. The ransom demand was for 50 Bitcoin, a cryptocurrency – the equivalent of approximately $1.9 million based on the exchange rate at the time – in exchange for the return of the stolen data and the identification of an alleged “back door” or security hole in the computer systems of Company-1. After Company-1 rejected the request, SHARP published some of the stolen files on a publicly accessible online platform.

On or about March 24, 2021, FBI agents executed a search warrant at SHARP’s residence in Portland, Oregon and confiscated certain electronic equipment belonging to SHARP. During the conduct of this search, SHARP made numerous false claims to FBI agents, including that he was not the perpetrator of the incident and that he had not used Surfshark VPN before the incident was discovered. When SHARP was faced with records showing that he had purchased the Surfshark VPN service in July 2020, about six months before the incident, SHARP falsely stated, in part and in substance, that someone else must have used his PayPal account to make the purchase.

Several days after the FBI executed the search warrant on SHARP’s home, SHARP arranged for false news about the incident and Company-1’s response to the incident and related disclosures to be published. In these stories, SHARP identified himself as an anonymous whistleblower within Company-1 who had worked to resolve the incident. In particular, SHARP falsely claimed that Company-1 was hacked by an unknown perpetrator who maliciously gained root administrator access to Company-1’s AWS accounts. In fact, as SHARP knew well, SHARP had extracted the data from Company-1 with credentials that he had access to in his role as Company-1’s AWS Cloud Administrator, and SHARP had used this data in a failed attempt to extort Company-1 for millions of dollars.

Following the publication of these articles, Company-1’s stock price fell approximately 20% between March 30, 2021 and March 31, 2021, and the company lost more than $4 billion in market capitalization.

SHARP, 36, from Portland, Oregon, is charged on four counts. The first count alleges that he transmitted a program to a protected computer that intentionally caused damage, with a maximum sentence of 10 years in prison. The second count charges the transmission of an interstate threat, with a maximum sentence of two years in prison. The third count is wire fraud, with a maximum sentence of 20 years in prison. The fourth count accuses him of providing false information to the FBI, which carries a maximum sentence of five years in prison. The maximum possible sentences are prescribed by Congress and are provided here for informational purposes only, as any sentence imposed on the accused will be determined by the judge.

Mr. Williams praised the FBI’s exceptional work.

This case is being handled by the Office’s Complex Fraud and Cybercrime Division. Deputy US Attorney Vladislav Vainberg is leading the prosecution.

The charges contained in the indictment are only accusations and the accused is presumed innocent until proven guilty.


[1] As the opening sentence implies, all of the text of the Indictment and the description of the Indictment set forth herein constitute allegations only, and any fact described should be treated as an allegation.