A single VPN drop-out exposed breach scandal that cost Ubiquiti $4bn

A brief VPN outage has led to the arrest of a former Ubiquiti developer, who has reportedly been charged with stealing data and trying to extort his employer while pretending to be a whistleblower.

Internet of Things (IoT) specialist Ubiquiti disclosed a network breach in January 2021, the scope of which was questioned by an anonymous whistleblower a couple of months later.

However, according to KrebsOnSecurity, it has now emerged that both incidents were the handiwork of the same individual, Nickolas Sharp, a senior developer at Ubiquiti, who has been charged with the crimes.

According to the indictment, after securing a job at another company, Sharp allegedly used his still-functional privileged access to Ubiquiti’s systems at Amazon’s AWS cloud service to download large amounts of proprietary data.

Going for the kill

To cover his tracks, Sharp used a SurfShark VPN connection to mask his real IP address. He then sent a ransom note to Ubiquiti using the same cover, demanding 25 bitcoin in exchange for a promise not to share the data.

However, investigators were able to trace the downloads to Sharp because his flaky internet connection briefly failed multiple times, exposing his real IP address. He had also forgotten to turn on the kill switch on his SurfShark VPN, which is off by default.

“You might think your VPN connection is really, really stable, but it only takes a single drop - maybe as you switch from one Wi-Fi network to another - to give away your identity,” suggests Mike Williams, TechRadar's security expert. He added that Sharp would have gotten away with it, had he enabled the kill switch for the VPN connection, which would have terminated the downloads as soon as the connection was interrupted.

Furthermore, according to The Record, investigators were also able to link the attacker’s VPN connection to a SurfShark account purchased with Sharp’s PayPal account.

Sharp denies the charges, and continues to maintain that he doesn’t own the SurfShark account and that someone else must have used his PayPal account to purchase it.

Investigators claim that, after being confronted with the charges, Sharp didn't help his cause by posing as an anonymous whistleblower to question the severity of the "breach" by raising false flags, which led to Ubiquiti's stock price plummeting about 20%, wiping out over $4 billion in market capitalization.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.