Damian Williams, the United States Attorney for the Southern District of New York, announced that NICKOLAS SHARP pled guilty today in Manhattan federal court to multiple federal crimes in connection with a scheme he perpetrated to secretly steal gigabytes of confidential files from a public New York-based technology company where he was employed (“Company‑1”). While purportedly working to remediate the security breach for Company-1, SHARP extorted the company for nearly $2 million for the return of the files and the identification of a remaining purported vulnerability. SHARP subsequently re-victimized his employer by causing the publication of misleading news articles about the company’s handling of the breach that he perpetrated, which were followed by the loss of over $4 billion in Company-1’s market capitalization. SHARP pled guilty to intentionally damaging a protected computer, wire fraud, and making false statements to the Federal Bureau of Investigation (“FBI”) before U.S. District Judge Katherine Polk Failla.
U.S. Attorney Damian Williams said: “Nickolas Sharp’s company entrusted him with confidential information that he exploited and held for ransom. Adding insult to injury, when Sharp wasn’t given his ransom demands, he retaliated by causing false news stories to be published about the company, which resulted in his company’s market capitalization plummeting by over $4 billion. Sharp’s guilty plea today ensures that he will face the consequences of his destructive actions.”
As alleged in the Indictment and based on statements and filings made in court:
At all times relevant to the Indictment, Company-1 was a technology company headquartered in New York that manufactured and sold wireless communications products and whose shares were traded on the New York Stock Exchange. NICKOLAS SHARP was employed by Company-1 from in or about August 2018 through on or about April 1, 2021. SHARP was a senior developer who had access to credentials for Company-1’s Amazon Web Services (“AWS”) and GitHub Inc. (“GitHub”) servers.
In about December 2020, SHARP repeatedly misused his administrative access to download gigabytes of confidential data from his employer. For the majority of this cybersecurity incident (the “Incident”), SHARP used a virtual private network (“VPN”) service that he subscribed to from a company named Surfshark to mask his Internet Protocol (“IP”) address when he accessed Company-1’s AWS and GitHub infrastructure without authorization. At one point during the exfiltration of Company-1 data, SHARP’s home IP address became unmasked following a temporary internet outage at SHARP’s home.
During the course of the Incident, SHARP caused damage to Company-1’s computer systems by altering log retention policies and other files in order to conceal his unauthorized activity on the network. In or about January 2021, while working on a team remediating the effects of the Incident, SHARP sent a ransom note to Company-1, posing as an anonymous attacker who claimed to have obtained unauthorized access to Company-1’s computer networks. The ransom note sought 50 Bitcoin, a cryptocurrency — which was the equivalent of approximately $1.9 million, based on the prevailing exchange rate at the time — in exchange for the return of the stolen data and the identification of a purported “backdoor,” or vulnerability, to Company-1’s computer systems. After Company-1 refused the demand, SHARP published a portion of the stolen files on a publicly accessible online platform.
On or about March 24, 2021, FBI agents executed a search warrant at SHARP’s residence in Portland, Oregon, and seized certain electronic devices belonging to SHARP. During the execution of that search, SHARP made numerous false statements to FBI agents, including, among other things, in substance, that he was not the perpetrator of the Incident and that he had not used Surfshark VPN prior to the discovery of the Incident. When confronted with records demonstrating that SHARP purchased the Surfshark VPN service in July 2020, approximately six months prior to the Incident, SHARP falsely stated, in part and substance, that someone else must have used his PayPal account to make the purchase.
Several days after the FBI executed the search warrant at SHARP’s residence, SHARP caused false news stories to be published about the Incident and Company-1’s response to the Incident and related disclosures. In those stories, SHARP identified himself as an anonymous whistleblower within Company-1 who had worked on remediating the Incident. In particular, SHARP falsely claimed that Company-1 had been hacked by an unidentified perpetrator who maliciously acquired root administrator access to Company-1’s AWS accounts. In fact, as SHARP well knew, SHARP had taken Company-1’s data using credentials to which he had access in his role as Company‑1’s AWS cloud administrator, and SHARP had used that data in a failed attempt to extort Company-1 for millions of dollars.
Following the publication of these articles, between March 30, 2021, and March 31, 2021, Company-1’s stock price fell approximately 20%, losing over $4 billion in market capitalization.