The recent unsealing of a multi-count grand jury indictment of Nikolas Sharp lays out a unique and convoluted series of criminal events. It seems Sharp undertook to put approximately $2 million into his pocket via a data theft and extortion effort, with a twist of “whistleblower” claims thrown in to confuse investigators in an attempt at self-exoneration.

Like many criminal enterprises, this one reached its point of collapse when everything went toes up. When Sharp’s employer Ubiquiti Networks essentially told the criminal extorting them to pound sand, the extortionist no doubt felt this grand scheme was dying a fast death.

According to Sharp’s LinkedIn page, he had the role of “cloud lead” for Ubiquiti from August 2018 to March 2021. By all accounts, he was a trusted member of the Ubiquiti team.

Insider threat, there is a pattern

Every insider threat risk mitigation team will tell you that an employee is most likely to violate the processes and procedures put in place to protect a company’s intellectual property or trade secrets in the days immediately prior to their departure from the company.

On December 9, 2020, Sharp began shaping his departure with an application for a position at a California technology company. That same evening Sharp allegedly began his foray into his employer’s infrastructure and data stores and began running searches. Minutes later, the first of the “attacks” took place and exfiltration of company data began.

What the FBI and U.S. attorney say about Sharp

The redacted indictment of Sharp details his alleged crimes, which FBI Assistant Director Michael J. Driscoll sums up nicely: “We allege Mr. Sharp created a twisted plot to extort the company he worked for by using its technology and data against it. Not only did he allegedly break several federal laws, he orchestrated releasing information to media when his ransom demands weren't met.
When confronted, he then lied to FBI agents.”

U.S. Attorney Damian Williams added, “Nickolas Sharp exploited his access as a trusted insider to steal gigabytes of confidential data from his employer, then, posing as an anonymous hacker, sent the company a nearly $2 million ransom demand. As further alleged, after the FBI searched his home in connection with the theft, Sharp, now posing as an anonymous company whistleblower, planted damaging news stories falsely claiming the theft had been by a hacker enabled by a vulnerability in the company’s computer systems.”

Driscoll observed, “Mr. Sharp may have believed he was smart enough to pull off his plan, but a simple technical glitch ended his dreams of striking it rich.”

The alleged convoluted series of actions

The court documents allege Sharp leveraged his authorized access to his employer’s GitHub and AWS servers to download gigabytes of confidential Ubiquiti data. While we have no way of knowing whether this was Sharp’s first foray into the world of cybercrime, his alleged actions point toward an above-average awareness of the need to be anonymous when committing a cybercrime. To that end, Sharp allegedly used the Surfshark virtual private network (VPN) service to mask the IP address associated with his location when he accessed his employer’s data.

On December 9, 2020, and again multiple times through December 28, 2020, Sharp allegedly cloned and stole his company’s data by misusing his administrative access. He exfiltrated the data via his Surfshark VPN account (acquired in July 2020) to an unidentified location. Unidentified, that is, until the internet did what the internet does: It glitched and suffered an outage.
During this outage, the IP address associated with Sharp’s Portland, Oregon, residence was temporarily unmasked.

On December 28 a colleague discovered anomalous activity and a team began investigating the unauthorized exfiltration of data. Sharp joined this incident response effort.

As a member of the “incident” team, Sharp was in a position to know what efforts were being undertaken to identify the intruder and to attempt to deflect attention away from anything that might point the finger at him. It is alleged that these efforts weren’t passive and that he would adjust logs and shift data in an attempt to hide his role.

Sharp also allegedly lowered the hammer of his personal greed. He sent anonymous ransom emails to senior Ubiquiti employees, demanding bitcoins in exchange for the return of the gigabytes of data and revelation of where the vulnerability within the company’s network existed. Sharp would anonymously communicate via Keybase chat with Ubiquiti.

The company demurred on paying the ransom; Sharp allegedly published some of the content online.

On 29 January, Sharp wiped and reset his computer.

On 24 March, the FBI arrived at Sharp’s residence to execute a search warrant and interview Sharp. Sharp dissembled during his interview with the FBI special agents. Sharp didn’t realize it, but it wasn’t the first rodeo for the special agents of the FBI.

“Righteous whistleblower” attempts to derail investigation

With the extortion effort fizzled and the FBI having interviewed him, Sharp allegedly attempted to further obfuscate his criminal conduct. He attempted to rebrand himself, albeit anonymously, as a member of the remediation team who as a righteous whistleblower must share information. Sharp allegedly sent out emails to both media and regulatory entities with false information designed to paint the company as hip-deep in a cover-up of “catastrophic” proportions.
The emails painted Ubiquiti as undertaking a full-blown cover-up. The allegations were plausible and thus the printing presses began to churn. The headlines in March and April 2021 were merciless.

The Verge – “Ubiquiti is accused of covering up a ‘catastrophic’ data breach – and it’s not denying it”
KrebsonSecurity – “Whistleblower: Ubiquiti Breach ‘Catastrophic’”
Lightreading – “Ubiquiti’s latest hack highlights trouble security path for operators”
Bleeping Computer – “Ubiquiti cyberattack may be far worse than originally disclosed”

The effect was predictable: as detailed in the indictment, the value of Ubiquiti fell 20%, causing a loss of over $4 billion in market capitalization.

Ubiquiti’s response: Investigate and prosecute

To its credit Ubiquiti stuck to its guns and allowed the process to proceed. Its forensics showed what had occurred on its network: the Surfshark VPN and the Sharp IP addresses were one and the same.

Turning the incident over to the FBI for investigation and the Department of Justice for prosecution ensures the wheels of justice are given the opportunity to turn. And turn they did. On November 18, 2021, the grand jury returned an indictment, which was sealed and only upon Sharp’s arrest December 1 was it unsealed. His conditions for release include no device or internet access without U.S. Pretrial Services approval, and his travel is limited to Oregon and to the Southern District of New York for trial without prior approval.

Nikolas Sharp is to appear in court on December 15, 2021.