Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty

Former Ubiquiti employee Nickolas Sharp has admitted in court to abusing company-provided credentials to steal data and then attempting to extort the company, the Department of Justice announced.

Sharp, 37, of Portland, Oregon, worked at the New York City-based IoT device maker between August 2018 and April 2021, as a senior developer who had access credentials for Ubiquiti’s AWS and GitHub servers.

In December 2020, he abused his administrative credentials to download confidential data, using the Surfshark VPN to hide his IP address. However, during an outage at his home, the IP address became unmasked, court documents reveal.

To hide his unauthorized activity, Sharp modified log retention policies and other files.

In January 2021, Ubiquiti alerted users to a data breach at one of its third-party cloud providers, saying that it had no indication of user data being accessed during the incident.

Around the same time, Sharp, who was helping with the investigation into the data breach, sent a ransom note to Ubiquiti, claiming he was an anonymous attacker who had access to the company’s network.

In the ransom note, he asked the company to pay 50 bitcoin (roughly $1.9 million at the time) in exchange for the stolen data and for revealing the backdoor he purportedly had installed on Ubiquiti’s network. After the company refused to pay, he published some of the stolen data online.

In March 2021, the FBI searched Sharp’s home and seized electronic devices containing evidence of his actions. When confronted with the evidence, Sharp lied about accessing the company’s data without authorization and about purchasing a VPN to hide his activity.

Several days after the search, claiming to be an anonymous whistleblower within Ubiquiti, Sharp provided investigative journalist Brian Krebs with false information about the incident, claiming that a hacker had gained root administrator access to Ubiquiti’s AWS accounts.

In fact, it was Sharp who used credentials he had access to as a Ubiquiti employee to steal company data. The DoJ announced charges against Sharp in December 2021.

The company’s shares fell approximately 20% following the publication of the false information about the incident, causing a loss of $4 billion in market capitalization.

Sharp pleaded guilty to the breach, to wire fraud, and to making false statements to the FBI. If found guilty, he faces up to 35 years in prison. His sentencing is scheduled for May 10, 2023.

The DoJ’s indictment and press release do not mention Ubiquiti specifically, but it’s clear that Sharp admitted to being the perpetrator behind the Ubiquiti incident.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
