A former employee of a public New York-based technology company has pleaded guilty to "multiple federal crimes" that resulted in the loss of more than $4 billion in the firm's market capitalization, the U.S. Department of Justice announced earlier this month.
Nickolas Sharp, 37, of Portland, Oregon, entered guilty pleas in a Manhattan federal court to "one count of transmitting a program to a protected computer that intentionally caused damage, one count of wire fraud, and one count of making false statements to the FBI," the DOJ announced Feb. 2. The convictions stem from a scheme Sharp perpetrated against his former employer, identified as “Company‑1," involving the theft of confidential data and extortion for ransom, according to the announcement.
Sharp took "gigabytes of confidential files," the DOJ reports, then while "purportedly working to remediate the security breach for Company-1, Sharp extorted the company for nearly $2 million for the return of the files and the identification of a remaining purported vulnerability.
"Sharp subsequently re-victimized his employer by causing the publication of misleading news articles about the company’s handling of the breach that he perpetrated, which were followed by the loss of over $4 billion in Company-1’s market capitalization," according to the DOJ.
Sharp was employed as a senior developer by Company-1 from about August 2018 until about April 1, 2021, according to court documents, the DOJ reports. Sharp, who had access to credentials for Company-1’s Amazon Web Services (AWS) and GitHub Inc. (GitHub) servers, "repeatedly misused his administrative access" beginning in December 2020 to steal confidential data. In January 2021, while working on a team to fix the breach he perpetrated, Sharp sent an anonymous ransom note demanding 50 Bitcoin, which was worth approximately $2 million at the time, for the return of the stolen files.
When the company refused, Sharp published part of the stolen data online on a publicly accessible platform, the DOJ reports.
The FBI executed a search warrant on Sharp's home on March 24, 2021, after an internet outage during an illegal exportation of data revealed his home IP address, the report states. After the FBI rain, Sharp "caused false new stories to be published" about the data breach by posing as a whistleblower who had worked on remediating the breach.
"Following the publication of these articles, between March 30, 2021, and March 31, 2021, Company-1’s stock price fell approximately 20%, losing over $4 billion in market capitalization," the DOJ reports.
Damian Williams, the U.S. Attorney for the Southern District of New York who announced Sharp's guilty plea, said in the report that Sharp was trusted with confidential information "that he exploited and held for ransom.
“Adding insult to injury, when Sharp wasn’t given his ransom demands, he retaliated by causing false news stories to be published about the company, which resulted in his company’s market capitalization plummeting by over $4 billion," Williams said. "Sharp’s guilty plea today ensures that he will face the consequences of his destructive actions.”
Sharp faces up to 35 years in prison, the DOJ reports. He is to be sentenced on May 10.
