Nickolas Sharp, a former employee of networking device maker Ubiquiti, was arrested and charged today with data theft and attempting to extort his employer while posing as a whistleblower and an anonymous hacker.

“As alleged, Nickolas Sharp exploited his access as a trusted insider to steal gigabytes of confidential data from his employer, then, posing as an anonymous hacker, sent the company a nearly $2 million ransom demand,” U.S. Attorney Damian Williams said today.

“As further alleged, after the FBI searched his home in connection with the theft, Sharp, now posing as an anonymous company whistleblower, planted damaging news stories falsely claiming the theft had been by a hacker enabled by a vulnerability in the company’s computer systems.”

Exposed by an Internet outage

According to the indictment [PDF], Sharp stole gigabytes of confidential data from Ubiquiti’s AWS (on December 10, 2020) and GitHub (on December 21 and 22, 2020) infrastructure using his cloud administrator credentials, cloning hundreds of GitHub repositories over SSH.

Throughout this process, the defendant tried hiding his home IP address using Surfshark’s VPN services. However, his actual location was exposed after a temporary Internet outage.

To hide his malicious activity, Sharp also altered log retention policies and other files that would have exposed his identity during the subsequent incident investigation.

“Among other things, SHARP applied one-day lifecycle retention policies to certain logs on AWS which would have the effect of deleting certain evidence of the intruder’s activity within one day,” the court documents read.

After Ubiquiti disclosed a security incident in January following Sharp’s data theft, while working to assess the scope and remediate the security breach effects he also tried extorting the company (posing as an anonymous hacker).

His ransom note demanded almost $2 million in exchange for returning the stolen files and the identification of a remaining vulnerability.

The company refused to pay the ransom and, instead, found and removed a second backdoor from its systems, changed all employee credentials, and issued the January 11 security breach notification.

Billions of dollars in losses after stock drop

After his extortion attempts failed, Sharp shared information with the media while pretending to be a whistleblower and accusing the company of downplaying the incident.

This caused Ubiquiti’s stock price to fall by roughly 20%, from $349 on March 30 to $290 on April 1, amounting to losses of over $4 billion in market capitalization.

“SHARP subsequently re-victimized his employer by causing the publication of misleading news articles about the company’s handling of the breach that he perpetrated, which were followed by a significant drop in the company’s share price associated with the loss of billions of dollars in its market capitalization,” the Department of Justice (DOJ) said.

The company confirmed on April 1 that it was the target of an extortion attempt following a January security breach with no indication that customer accounts were affected after Sharp (acting as a whistleblower) challenged his employer’s take on the breach saying that the incident’s actual impact was massive.

He also said Ubiquiti did not have a logging system thus preventing them from checking what data or systems the attacker accessed. This lines up with DOJ’s info on him tampering with the company’s logging systems.

While the DOJ didn’t name Sharp’s employer in today’s press release or the indictment, all the details perfectly align with previous info on the Ubiquiti breach and information presented in Sharp’s LinkedIn account.

Sharp is charged with four counts and is facing a maximum sentence of 37 years in prison if found guilty.