Damian Williams, the United States Attorney for the Southern District of New York, announced that NICKOLAS SHARP pleaded guilty today in Manhattan federal court to several federal crimes in connection with a scheme he carried out to secretly steal gigabytes of confidential files from the public New York-based technology company where he worked (“Company-1”). While supposedly working to fix the security breach for Company-1, SHARP extorted the company for nearly $2 million for the return of files and identification of the remaining alleged vulnerability. SHARP subsequently victimized his boss again by causing the publication of misleading news articles about the company’s management of the breach he had committed, which was followed by the loss of more than $4 billion in Company-1’s market capitalization. SHARP pleaded guilty to intentionally damaging a protected computer, wire fraud, and making false statements to the Federal Bureau of Investigation (“FBI”) before US District Judge Katherine Polk Failla.
US Attorney Damian Williams said: “Nickolas Sharp’s company handed him confidential information that he exploited and held for ransom. Adding insult to injury, when Sharp was denied his ransom demands, he retaliated by causing false news to be published about the company, resulting in his company’s market capitalization plummeting to over $4 billion. Sharp’s guilty plea now ensures that he will face the consequences of his harmful actions.”
As stated in the Indictment and based on statements and filings made in court:
At all times relevant to the Indictment, Company-1 was a technology company headquartered in New York that manufactured and sold wireless communications products and whose shares were traded on the New York Stock Exchange. NICKOLAS SHARP worked at Company-1 from in or about August 2018 to on or about April 1, 2021. SHARP was a senior developer with access to credentials for Company-1’s Amazon Web Services (“AWS”) and GitHub Inc. (“GitHub”) servers.
Around December 2020, SHARP repeatedly abused his administrative access to download gigabytes of confidential data from his employer. For most of this cybersecurity incident (the “Incident”), SHARP used a virtual private network (“VPN”) service he subscribed to from a company named Surfshark to hide his Internet Protocol (“IP”) address when he accessed Company-1’s AWS and GitHub infrastructure without permission. At some point during the exfiltration of Company-1 data, SHARP’s home IP address became unmasked after a temporary internet outage at SHARP’s home.
During the Incident, SHARP caused damage to Company-1’s computer systems by changing log retention policies and other files to hide his unauthorized network activity. In or about January 2021, while working with a team recovering from the effects of the Incident, SHARP sent a ransom note to Company-1, posing as an unknown attacker claiming to have gained unauthorized access to Company-1’s computer networks. The ransom note sought 50 Bitcoin, a cryptocurrency (equivalent to approximately $1.9 million, based on the prevailing exchange rate at the time), in exchange for the return of the stolen data and the identification of the alleged “backdoor,” or weakness, in Company-1’s computer systems. After Company-1 refused the demand, SHARP published a portion of the stolen files on an online platform accessible to the public.
On or about March 24, 2021, FBI agents executed a search warrant at SHARP’s residence in Portland, Oregon, and seized several electronic devices belonging to SHARP. During the execution of that search, SHARP made several false statements to FBI agents, including, among other things, in substance, that he did not commit the Incident and that he did not use Surfshark VPN prior to the discovery of the Incident. When confronted with records showing that SHARP purchased the Surfshark VPN service in July 2020, approximately six months prior to the Incident, SHARP falsely stated, in part and substance, that someone else was using his PayPal account to make the purchase.
A few days after the FBI executed a search warrant at SHARP’s residence, SHARP caused false news to be published about the Incident and Company-1’s response to the Incident and related disclosures. In the stories, SHARP identified himself as an anonymous whistleblower within Company-1 who was working to fix the Incident. In particular, SHARP falsely claimed that Company-1 was hacked by an unknown perpetrator who maliciously obtained root administrator access to Company-1’s AWS account. In fact, as SHARP was well aware, SHARP obtained Company-1’s data using the credentials to which he had access in his role as Company-1’s AWS cloud administrator, and SHARP used that data in a failed attempt to extort Company-1 for millions of dollars.
After the publication of these articles, between March 30, 2021, and March 31, 2021, the stock price of Company-1 fell by approximately 20%, losing more than $4 billion in market capitalization.
***
SHARP, 37, of Portland, Oregon, pleaded guilty today to one count of transmitting a program to a protected computer intentionally causing damage, one count of wire fraud, and one count of making false statements to the FBI. These offenses carry a total maximum penalty of 35 years in prison.
The maximum potential sentences are prescribed by Congress and are provided here for informational purposes only, as any sentencing of the defendant will be determined by the judge. SHARP is scheduled to be sentenced by Judge Failla on May 10, 2023, at 3:00 p.m.
Mr. Williams praised the outstanding investigative work of the FBI.
This case is handled by the Office’s Complex Frauds and Cybercrime Unit. Assistant US Attorneys Vladislav Vainberg and Andrew K. Chan handled the prosecution.