Damian Williams, U.S. Attorney for the Southern District of New York, announced that NICKOLAS SHARP pleaded guilty today to multiple federal crimes in Manhattan federal court in connection with a conspiracy to secretly steal gigabytes of public file storage in New York City. Basic Technology Company (“Company-1”) where he worked. While working to remediate the security breach for Company-1, SHARP extorted nearly $2 million from the company to recover files and expose the remaining vulnerability. SHARP later retaliated against his employer by publishing misleading news articles about the company’s handling of the breach, which cost Company-1 more than $4 billion in market capitalization. Before US District Judge Katherine Polk Failla, SHARP made false statements to the Federal Bureau of Investigation (“FBI”) for intentionally damaging a protected computer; SHARP admitted to wireless fraud and misrepresentation.
U.S. Attorney Damian Williams said: “Nickolas Sharp’s company exploited him and entrusted him with confidential information held for ransom. When Sharp added insult to injury, When Sharp didn’t pay his ransom demands, he retaliated by publishing false news about the company, causing his company’s market capitalization to drop by more than $4 billion. Sharp’s guilty plea today ensures he will face the consequences of his destructive actions.”
As charged in court.
at all times relating to the filing of charges; Company-1 is a technology company headquartered in New York that manufactures and sells wireless communication products and whose shares are traded on the New York Stock Exchange. NICKOLAS SHARP was employed by Company-1 on or about August 2018 or on or about April 1, 2021. SHARP is Company-1’s Amazon Web Services (“AWS”) and GitHub Inc. or a senior developer. “GitHub”) servers.
Around December 2020 SHARP repeatedly abused his administrative privileges to download gigabytes of confidential data from his employer. For most of this cybersecurity incident (the “Incident”), SHARP used a registered virtual private network (“VPN”) service from a company called Surfshark to hide his Internet Protocol (“IP”) address when accessing Company-1’s AWS and GitHub infrastructure without permission. At one point while extracting Company-1 data. After a temporary internet outage at SHARP’s home, SHARP’s home IP address was not masked.
In the process, SHARP compromised Company-1’s computer systems by changing log retention policies and other files to hide its unauthorized activity on the network. On or about January 2021; While working on a team that remediates the effects of an incident; SHARP sent a ransom note to Company-1 posing as an unknown attacker claiming to have unauthorized access to Company-1’s computer networks. 50 Bitcoin in exchange for recovering the stolen data and identifying a simulated “backdoor” or vulnerability; The ransom note was a cryptocurrency, equivalent to approximately $1.9 million based on the exchange rate prevailing at the time. to Company-1’s computer systems. After Company-1 refused the request. SHARP published a portion of the stolen files on a publicly accessible online platform.
On or about March 24, 2021, FBI agents in Portland, A search warrant was executed at SHARP’s home in Oregon and some electronic equipment belonging to SHARP was seized. During that search, SHARP told FBI agents that it was not the perpetrator of the scandal and that it had not used Surfshark VPN before the scandal was discovered. When faced with records proving that SHARP purchased the Surfshark VPN service in July 2020; SHARP misrepresented that he had to use someone else’s PayPal account to make the purchase.
Several days after the FBI executed a search warrant at SHARP’s home. SHARP published false news about the Incident and Company-1’s response and related disclosures. In those stories, SHARP identified an anonymous informant within Company-1 who worked on the incident resolution. in particular, SHARP falsely claimed that it was hacked by an unknown perpetrator who fraudulently obtained root administrative access to Company-1’s AWS accounts. In fact, As SHARP knows well, SHARP obtained Company-1’s data using his credentials as an AWS cloud administrator of Company-1, and SHARP used that data in an unsuccessful attempt to extort Company-1 out of millions. dollar.
After the publication of these articles, March 30 Between 2021 and March 31, 2021; Company-1’s stock price has lost more than $4 billion in market capitalization, falling about 20%.
* * *
SHARP, 37, of Portland, Oregon, damage; He pleaded guilty today to one count of wire fraud and one count of intentionally transmitting a program that made a false statement to the FBI. The offenses are punishable by a total of 35 years in prison.
Because each defendant’s sentence will be determined by a judge, the maximum possible sentences are set by Congress and are provided here for informational purposes only. SHARP was sentenced by Judge Failla on May 10. 2023, Sentencing is scheduled for 3:00 p.m.
Mr. Williams praised the FBI’s outstanding investigative work.
The case is being handled by the office’s complex fraud and cybercrime unit. Assistant U.S. Attorneys Vladislav Vainberg and Andrew K. Chan are in charge of the prosecution.
