Former Ubiquiti employee Nickolas Sharp admitted to the company that he stole gigabytes of private data from the company's network while he was overseeing the company's cloud technology team. During this period, he misrepresented himself as an anonymous hacker and whistleblower to avoid detection. Ubiquiti's GitHub repositories and AWS servers were breached in December 2020 by Sharp, a 36-year-old software engineer from Portland, Oregon.
Sharp agreed that he would plead guilty to three charges, including making false statements to the FBI, wire fraud, and sending a malicious computer program to a protected computer. Those who commit either of these offenses will be punished with a maximum sentence of 35 years in prison as punishment.
As a consequence of the data theft incident reported by Ubiquiti in January 2021, the company reported a security incident.
Using the cover of being an anonymous hacker and pretending to target the company, Sharp tried to extort them. There were 50 bitcoins demanded in the ransom note, which was approximately equal to about $1.9 million at the time the note was written. It was a condition of the agreement to recover the data in exchange for disclosing the weakness in the network that allowed the hack to take place. While Ubiquiti could have paid the ransom by paying the ransom, it chose to change every employee's login information rather than pay the ransom. A second security breach was also discovered in the business's systems, which was found and eliminated before the business notified the government of the breach on December 11.
A single hour after Sharp was identified as the hacker behind the attack, Ubiquiti's UWS infrastructure and GitHub repositories were cloned using his cloud administrator credentials via SSH (on December 10, 2020) and private files were stolen (on December 21 and 22).
Despite using the Surfshark VPN service to conceal his IP address while collecting data, he could determine the data collector's location. This was after a short outage of the Internet caused his location to be discovered. He also changed the Log Retention Rules on Ubiquiti's servers along with other data that would have revealed his identity during the investigation. This was done to conceal his identity.
As a result of a search by the FBI, Nicholas Sharp's residence was searched on March 24, 2021, and electronic equipment belonging to him was seized. He gave several false statements to FBI officials when he was being interrogated.
His explanations included that he was not the one who committed the crime and that he had never previously used a VPN service of this type. As per records, Sharp purchased the Surfshark VPN service about six months before the incident occurred, in July 2020. It was obtained three months beforehand. Because of this fraud, he alleged that another party had accessed his PayPal account to complete this transaction, so he made the fraudulent allegation that they did so.
In a media interview after the extortion attempt failed, Sharp, in the false identity of a whistleblower, alleged that Ubiquiti downplayed the breach to avoid retribution. It was after he challenged Ubiquiti's assertion about the impact of the January hack that the company acknowledged its involvement in an extortion attempt and said that there was no indication that any of its users' accounts had been hacked that the firm acknowledged that it was the target of an extortion attempt following that incident.
He also claimed that Ubiquiti did not have a logging mechanism to enable them to determine whether or not the "attacker" had accessed any systems or data, and that would have prevented them from determining what had occurred. Despite his assertions, the information provided by the Justice Department indicates that he altered the company's logs and the system was compromised.