Please E-mail suggested additions, comments and/or corrections to Kent@MoreLaw.Com.
Case Number: 1:21-cr-00714
Judge: Katherine Polk Failla
Court: United States District Court for the Southern District of New York (Manhattan County)
Plaintiff's Attorney: United States Attorney’s Office in New York City
Description: New York City, New York criminal defense lawyer represented Defendant charged with stealing gigabytes of Company 1's data.
In December 2020, SHARP secretly stole gigabytes of Company-1’s data. While purportedly working to remediate the security breach he created, SHARP extorted the company, as an anonymous hacker, for nearly $2 million for the return of the files and the identification of a remaining purported vulnerability. SHARP subsequently re-victimized his employer by causing the publication of misleading news articles as a purported anonymous whistleblower about the company’s handling of the breach that he perpetrated, which were followed by the loss of over $4 billion in Company-1’s market capitalization. SHARP previously pled guilty to intentionally damaging a protected computer, wire fraud, and making false statements to the Federal Bureau of Investigation (“FBI”).
Company-1 was a technology company headquartered in New York that manufactured and sold wireless communications products and whose shares were traded on the New York Stock Exchange. SHARP was employed by Company-1 from in or about August 2018 through on or about April 1, 2021. SHARP was a senior developer who had access to credentials for Company-1’s Amazon Web Services (“AWS”) and GitHub Inc. (“GitHub”) servers.
In about December 2020, while interviewing for a position at another company, SHARP repeatedly misused his administrative access to download gigabytes of confidential data from his employer. During the course of this cybersecurity incident (the “Incident”), SHARP caused damage to Company-1’s computer systems by altering log retention policies and other files in order to conceal his unauthorized activity on the network. SHARP modified session file names to attempt to make it appear as if other coworkers were responsible for his malicious sessions.
In or about January 2021, while working on a team remediating the effects of the Incident, SHARP sent a ransom note to Company-1, posing as an anonymous attacker who claimed to have obtained unauthorized access to Company-1’s computer networks. The ransom note sought 50 Bitcoin — which was the equivalent of approximately $1.9 million, based on the prevailing exchange rate at the time — in exchange for the return of the stolen data and the identification of a purported “backdoor,” or vulnerability, to Company-1’s computer systems. After Company-1 refused the demand, SHARP published a portion of the stolen files on a publicly accessible online platform.
On or about March 24, 2021, FBI agents executed a search warrant at SHARP’s residence in Portland, Oregon, and seized certain electronic devices belonging to SHARP, including a laptop SHARP had used to steal Company-1’s data. During the execution of that search, SHARP made numerous false statements to FBI agents.
Several days after the FBI executed the search warrant at SHARP’s residence, SHARP caused false news stories to be published about the Incident and Company-1’s response to the Incident. In those stories, SHARP identified himself as an anonymous whistleblower within Company-1 who had worked on remediating the Incident and falsely claimed that Company-1 had been hacked by an unidentified perpetrator who maliciously acquired root administrator access to Company-1’s AWS accounts. In fact, as SHARP well knew, SHARP himself had taken Company-1’s data using credentials to which he had access, and SHARP had used that data in a failed attempt to extort Company-1 for millions of dollars.
Following the publication of these articles, between approximately March 30, 2021, and March 31, 2021, Company-1’s stock price fell approximately 20%, losing over $4 billion in market capitalization. SHARP also attempted to cause domestic and foreign regulators to investigate Company-1 based on his false allegations about the security breach he secretly caused.
* * *
SHARP, 37, of Portland, Oregon, pled guilty on February 2, 2023, to one count of transmitting a program to a protected computer that intentionally caused damage, one count of wire fraud, and one count of making false statements to the FBI. In addition to the prison sentence, SHARP was sentenced to three years of supervised release and ordered to pay restitution of $1,590,487 and to forfeit personal property used or intended to be used in connection with these offenses.
Mr. Williams praised the outstanding investigative work of the FBI.
This case is being handled by the Office’s Complex Frauds and Cybercrime Unit. Assistant U.S. Attorneys Vladislav Vainberg and Andrew K. Chan are in charge of the prosecution.
Outcome: Defendant was sentenced to six years in prison.