Former Ubiquiti developer admits to stealing data while trying to extort money from network company
What happened now? Nicholas Sharp, a former Ubiquiti employee who oversaw the company’s cloud team, admitted to stealing gigabytes of personal data from the company’s network under the guise of an anonymous hacker and whistleblower. Sharp, a 36-year-old software engineer from Portland, Oregon, is accused of stealing gigabytes of sensitive data from Ubiquiti GitHub repositories and AWS servers in December 2020.
Sharp pleaded guilty to three counts: providing false information to the FBI, wire fraud, and intentionally transferring malware to a protected computer. The maximum penalty for each of these crimes is 35 years in prison.
Ubiquiti reported a security incident in January 2021 following the data theft. Sharp, pretending to be an anonymous hacker, tried to blackmail the company. The ransom note asked for 50 bitcoins, equivalent to approximately $1.9 million at the time, in exchange for returning the data and disclosing the network vulnerability that allowed the hack. However, instead of paying the ransom, Ubiquiti decided to reset the login details of every employee. In addition, the company discovered and fixed a second backdoor on its systems before reporting a security breach on December 11.
“Nicholas Sharp’s company entrusted him with confidential information that he used and withheld for ransom,” U.S. Attorney Damian Williams said in a statement.
“Adding insult to injury, when Sharp did not receive a ransom demand, he retaliated by causing the publication of false news about the company, causing his company’s market capitalization to drop by more than $4 billion.”
Sharp used his cloud admin credentials to clone hundreds of repositories via SSH and to steal personal files from the Ubiquiti AWS infrastructure (December 10, 2020) and GitHub repositories (December 21 and 22).
He tried to hide his home IP address while collecting data by using the Surfshark VPN service, but his location was revealed after a brief internet outage. He also changed the log retention rules on Ubiquiti’s servers, along with other data that would have revealed his identity during an investigation.
On March 24, 2021, the FBI raided Nicholas Sharp’s home and seized his electronic equipment. Under interrogation, he made several false statements to FBI officials, including that he was not a criminal and had never used this VPN before. When shown records that he had purchased the Surfshark VPN service in July 2020, about six months before the incident, he falsely claimed that someone else must have accessed his PayPal account to complete the transaction.
Sharp, posing as an informant, accused Ubiquiti of downplaying the breach in media interviews after the extortion attempt failed. After he disputed Ubiquiti’s claim and stated that the impact of the incident was significant, the company admitted on April 1 that it was the target of an extortion attempt following the January hack, without any indication that user accounts were affected.
He also claimed that Ubiquiti did not have a logging mechanism, which would prevent the company from determining whether an “intruder” had accessed any systems or data. However, his allegations are consistent with the Department of Justice’s information that he interfered with the company’s logging systems.