Former Employee Of Technology Company Sentenced To Six Years In Prison For Stealing Confidential Data And Extorting Company For Ransom

Damian Williams, the United States Attorney for the Southern District of New York, announced that NICKOLAS SHARP, a former employee of a public New York-based technology company (“Company‑1”) was sentenced today to six years in prison.  In December 2020, SHARP secretly stole gigabytes of Company-1’s data.  While purportedly working to remediate the security breach he created, SHARP extorted the company, as an anonymous hacker, for nearly $2 million for the return of the files and the identification of a remaining purported vulnerability.  SHARP subsequently re-victimized his employer by causing the publication of misleading news articles as a purported anonymous whistleblower about the company’s handling of the breach that he perpetrated, which were followed by the loss of over $4 billion in Company-1’s market capitalization.  SHARP previously pled guilty to intentionally damaging a protected computer, wire fraud, and making false statements to the Federal Bureau of Investigation (“FBI”) before U.S. District Judge Katherine Polk Failla, who imposed today’s sentence.

U.S. Attorney Damian Williams said: “Nickolas Sharp was paid close to a quarter million dollars a year to help keep his employer safe.  He abused that trust by stealing a massive amount of sensitive data, attempting to implicate innocent employees in his attack, extorting his employer for ransom, obstructing law enforcement, and spreading false news stories that harmed the company and anyone who invested into the company.  Sharp now faces serious penalties for his callous crimes.”

According to the Indictment, court filings, and statements made in court:

At all times relevant to the Indictment, Company-1 was a technology company headquartered in New York that manufactured and sold wireless communications products and whose shares were traded on the New York Stock Exchange.  SHARP was employed by Company-1 from in or about August 2018 through on or about April 1, 2021.  SHARP was a senior developer who had access to credentials for Company-1’s Amazon Web Services (“AWS”) and GitHub Inc. (“GitHub”) servers.

In about December 2020, while interviewing for a position at another company, SHARP repeatedly misused his administrative access to download gigabytes of confidential data from his employer.    During the course of this cybersecurity incident (the “Incident”), SHARP caused damage to Company-1’s computer systems by altering log retention policies and other files in order to conceal his unauthorized activity on the network.  SHARP modified session file names to attempt to make it appear as if other coworkers were responsible for his malicious sessions. 

In or about January 2021, while working on a team remediating the effects of the Incident, SHARP sent a ransom note to Company-1, posing as an anonymous attacker who claimed to have obtained unauthorized access to Company-1’s computer networks.  The ransom note sought 50 Bitcoin — which was the equivalent of approximately $1.9 million, based on the prevailing exchange rate at the time — in exchange for the return of the stolen data and the identification of a purported “backdoor,” or vulnerability, to Company-1’s computer systems.  After Company-1 refused the demand, SHARP published a portion of the stolen files on a publicly accessible online platform.

On or about March 24, 2021, FBI agents executed a search warrant at SHARP’s residence in Portland, Oregon, and seized certain electronic devices belonging to SHARP, including a laptop SHARP had used to steal Company-1’s data.  During the execution of that search, SHARP made numerous false statements to FBI agents.

Several days after the FBI executed the search warrant at SHARP’s residence, SHARP caused false news stories to be published about the Incident and Company-1’s response to the Incident.  In those stories, SHARP identified himself as an anonymous whistleblower within Company-1 who had worked on remediating the Incident and falsely claimed that Company-1 had been hacked by an unidentified perpetrator who maliciously acquired root administrator access to Company-1’s AWS accounts.  In fact, as SHARP well knew, SHARP himself had taken Company-1’s data using credentials to which he had access, and SHARP had used that data in a failed attempt to extort Company-1 for millions of dollars.

Following the publication of these articles, between approximately March 30, 2021, and March 31, 2021, Company-1’s stock price fell approximately 20%, losing over $4 billion in market capitalization.  SHARP also attempted to cause domestic and foreign regulators to investigate Company-1 based on his false allegations about the security breach he secretly caused.

*                *                *

SHARP, 37, of Portland, Oregon, pled guilty on February 2, 2023, to one count of transmitting a program to a protected computer that intentionally caused damage, one count of wire fraud, and one count of making false statements to the FBI.  In addition to the prison sentence, SHARP was sentenced to three years of supervised release and ordered to pay restitution of $1,590,487 and to forfeit personal property used or intended to be used in connection with these offenses.

Mr. Williams praised the outstanding investigative work of the FBI.

This case is being handled by the Office’s Complex Frauds and Cybercrime Unit.  Assistant U.S. Attorneys Vladislav Vainberg and Andrew K. Chan are in charge of the prosecution.