U.S. Attorney for the Southern District of New York Damian Williams announced that NICKOLAS SHARP pleaded guilty today in Manhattan federal court to multiple federal crimes related to his surreptitious theft of Class GB secrets from a public property in New York The plan of the document – the technology company where he is employed (“Company-1”). While allegedly working to remediate Company-1’s security breach, SHARP extorted nearly $2 million from the company to return the documents and identify the remaining alleged breaches. SHARP subsequently victimized his employer again after publishing misleading news articles about the company’s handling of the breach he committed, and Company-1 subsequently lost more than $4 billion in market value. SHARP pleaded guilty before US District Judge Katherine Polk Failla to willful damage to protected computers, wire fraud and making false statements to the Federal Bureau of Investigation (“FBI”).
U.S. Attorney Damian Williams said: “Nicholas Sharp’s company entrusted him with confidential information, which he used to hold him for ransom. Reportedly retaliated, causing his company’s market value to plummet by more than $4 billion. Sharp’s guilty plea today ensures he will face the consequences of his destructive actions.”
As alleged in the indictment, and based on statements and documents in court:
At all times related to the indictment, Company-1 was a New York-based technology company that manufactures and sells wireless communications products and whose stock trades on the New York Stock Exchange. NICKOLAS SHARP was employed by Company-1 from approximately August 2018 until approximately April 1, 2021. SHARP is a senior developer with access to Company-1’s Amazon Web Services (“AWS”) and GitHub Inc. (“GitHub”) servers.
Around December 2020, SHARP repeatedly abused his administrative privileges to download gigabytes of confidential data from his employer. During much of this cybersecurity incident (“Incident”), SHARP used a virtual private network (“VPN”) service he subscribed to from a company called Surfshark to mask his Internet protocol when he visited the company (“IP”) address-1 unauthorized AWS and GitHub infrastructure. During the Company-1 data breach, SHARP’s home IP address was exposed after a temporary internet outage at SHARP’s home.
During the course of the incident, SHARP caused damage to Company-1’s computer systems by changing log retention policies and other files to hide his unauthorized activity on the network. Around January 2021, while working with teams remediating the impact of the incident, SHARP sent Company-1 a ransom note posing as an anonymous attacker claiming to have gained unauthorized access to Company-1’s computer network. The ransom note demanded 50 bitcoins, a cryptocurrency — the equivalent of about $1.9 million at prevailing exchange rates at the time — in exchange for the return of the stolen data and the identification of the so-called “backdoor,” or vulnerability, to the Company- 1 computer system. After Company-1 rejected the request, SHARP posted some of the stolen documents on a publicly accessible online platform.
On or about March 24, 2021, FBI agents executed a search warrant at Sharp’s residence in Portland, Oregon, and seized certain electronic devices belonging to Sharp. During the search, SHARP made numerous false statements to FBI agents, including essentially stating that he was not the perpetrator of the incident and that he had not used Surfshark VPN before discovering the incident. When confronted with records proving that SHARP purchased the Surfshark VPN service in July 2020, approximately six months before the incident, SHARP partially and substantially falsely stated that someone else must have used his PayPal account to make the purchase.
Days after the FBI executed a search warrant on SHARP’s residence, SHARP released a fake news story about the incident and Company-1’s response to it and related disclosures. In these reports, SHARP identified itself as an anonymous whistleblower to Company-1 who worked to remedy the incident. Specifically, SHARP falsely claimed that Company-1 was compromised by an unidentified attacker who maliciously gained root administrator access to Company-1’s AWS account. In fact, as SHARP learned, SHARP had obtained Company-1’s data using credentials he had access to as an AWS cloud administrator for Company-1, and SHARP had used that data to attempt to extort millions of dollars from Company-1 Dollar.
Following the publication of these articles, from March 30, 2021 to March 31, 2021, Company-1’s share price fell approximately 20%, representing a loss of more than $4 billion in market value.
* * *
SHARP, 37, of Portland, Ore., pleaded guilty today to one count of transmitting a program to a protected computer with intent to cause damage, one count of wire fraud and one count of making false statements to the FBI. These offenses carry a maximum penalty of 35 years’ imprisonment.
The maximum penalty is set by Congress and is presented here for information only, as any sentence for the accused will be determined by a judge. SHARP is scheduled for sentencing by Judge Faira on May 10, 2023 at 3:00pm
Mr Williams praised the FBI for its excellent investigative work.
The case is being handled by the office’s Complex Fraud and Cybercrime Unit. Assistant U.S. Attorneys Vladislav Vainberg and Andrew K. Chan are prosecuting.