Former Employee Of Technology Company Pleads Guilty To Stealing Confidential Data And Extorting Company For Ransom | USAO-SDNY

Former Employee Of Technology Company Pleads Guilty To Stealing Confidential Data And Extorting Company For Ransom | USAO-SDNY

Damian Williams, the United States Legal professional for the Southern District of New York, declared that NICKOLAS SHARP pled guilty right now in Manhattan federal court docket to a number of federal crimes in connection with a plan he perpetrated to secretly steal gigabytes of confidential information from a public New York-primarily based technology business wherever he was employed (“Company‑1”).  Although purportedly doing the job to remediate the security breach for Enterprise-1, SHARP extorted the company for approximately $2 million for the return of the files and the identification of a remaining purported vulnerability.  SHARP subsequently re-victimized his employer by leading to the publication of deceptive news articles about the company’s managing of the breach that he perpetrated, which were being followed by the decline of around $4 billion in Business-1’s market place capitalization.  SHARP pled guilty to intentionally harmful a guarded computer, wire fraud, and building phony statements to the Federal Bureau of Investigation (“FBI”) just before U.S. District Judge Katherine Polk Failla.

U.S. Attorney Damian Williams explained: “Nickolas Sharp’s enterprise entrusted him with confidential information and facts that he exploited and held for ransom.  Adding insult to harm, when Sharp was not supplied his ransom calls for, he retaliated by leading to bogus news tales to be posted about the company, which resulted in his company’s industry capitalization plummeting by around $4 billion.  Sharp’s responsible plea today makes sure that he will face the penalties of his destructive steps.”

As alleged in the Indictment and based mostly on statements and filings produced in courtroom:

At all instances applicable to the Indictment, Firm-1 was a technology organization headquartered in New York that produced and marketed wi-fi communications merchandise and whose shares were being traded on the New York Stock Trade.  NICKOLAS SHARP was utilized by Corporation-1 from in or about August 2018 through on or about April 1, 2021.  SHARP was a senior developer who experienced entry to qualifications for Corporation-1’s Amazon World-wide-web Expert services (“AWS”) and GitHub Inc. (“GitHub”) servers.

In about December 2020, SHARP consistently misused his administrative entry to obtain gigabytes of confidential information from his employer.  For the vast majority of this cybersecurity incident (the “Incident”), SHARP utilised a digital non-public network (“VPN”) company that he subscribed to from a company named Surfshark to mask his Web Protocol (“IP”) deal with when he accessed Enterprise-1’s AWS and GitHub infrastructure with out authorization.  At just one position through the exfiltration of Company-1 info, SHARP’s dwelling IP address became unmasked adhering to a short term web outage at SHARP’s residence.

In the course of the study course of the Incident, SHARP brought on injury to Corporation-1’s laptop or computer devices by altering log retention guidelines and other files in order to conceal his unauthorized activity on the network.  In or about January 2021, even though operating on a workforce remediating the results of the Incident, SHARP sent a ransom notice to Company-1, posing as an anonymous attacker who claimed to have received unauthorized entry to Firm-1’s pc networks.  The ransom notice sought 50 Bitcoin, a cryptocurrency — which was the equal of close to $1.9 million, centered on the prevailing trade amount at the time — in exchange for the return of the stolen details and the identification of a purported “backdoor,” or vulnerability, to Firm-1’s laptop systems.  Following Company-1 refused the demand, SHARP published a portion of the stolen files on a publicly accessible online system.

On or about March 24, 2021, FBI brokers executed a look for warrant at SHARP’s home in Portland, Oregon, and seized selected electronic units belonging to SHARP.  During the execution of that lookup, SHARP created several untrue statements to FBI brokers, which includes, among the other matters, in material, that he was not the perpetrator of the Incident and that he had not utilized Surfshark VPN prior to the discovery of the Incident.  When confronted with documents demonstrating that SHARP bought the Surfshark VPN provider in July 2020, about 6 months prior to the Incident, SHARP falsely stated, in section and material, that someone else need to have utilised his PayPal account to make the invest in.

Many times immediately after the FBI executed the lookup warrant at SHARP’s residence, SHARP brought about bogus news stories to be printed about the Incident and Firm-1’s reaction to the Incident and connected disclosures.  In those people tales, SHARP determined himself as an nameless whistleblower in just Firm-1 who had labored on remediating the Incident.  In distinct, SHARP falsely claimed that Firm-1 experienced been hacked by an unknown perpetrator who maliciously acquired root administrator accessibility to Corporation-1’s AWS accounts.  In simple fact, as SHARP nicely understood, SHARP had taken Company-1’s data working with credentials to which he experienced obtain in his job as Company‑1’s AWS cloud administrator, and SHARP experienced utilised that information in a unsuccessful try to extort Company-1 for thousands and thousands of dollars.

Next the publication of these article content, concerning March 30, 2021, and March 31, 2021, Business-1’s stock value fell close to 20{5376dfc28cf0a7990a1dde1ec4d231557d3d9e6448247a9e5e61bb9e48b1de73}, dropping more than $4 billion in market capitalization.

*                *                *

SHARP, 37, of Portland, Oregon, pled responsible these days to one depend of transmitting a application to a secured laptop that intentionally brought on problems, one particular depend of wire fraud, and 1 rely of making untrue statements to the FBI.  These offenses have a whole greatest sentence of 35 several years in prison. 

The greatest potential sentences are approved by Congress and are presented listed here for informational uses only, as any sentencing of the defendant will be determined by the judge.  SHARP is scheduled to be sentenced by Judge Failla on May 10, 2023, at 3:00 p.m.

Mr. Williams praised the fantastic investigative perform of the FBI.

This scenario is getting managed by the Office’s Sophisticated Frauds and Cybercrime Unit.  Assistant U.S. Lawyers Vladislav Vainberg and Andrew K. Chan are in charge of the prosecution.