6 years for $2m inside job crypto-jack attempt.

May 16 2023

Welcome to Gone Phishing, your daily cybersecurity newsletter that keeps on coming, like Robert De Niro on his 7th child at age 79

Today’s hottest cyber security stories:

  • ex-Ubiquiti employee gets 6 years for $2m inside job crypto-jack attempt
  • CLR SqlShell malware targets ‘poorly managed’ MS SQL servers. #victimblaming
  • U.S. DoJ crypto tsar targets DeFi (Decentralised Finance) hackers


Ransom-where (hehe) did this developer get the balls to try and ransomware his own company?

That’s right, this mad bastard tried to pull a fast one on his own company and even went so far as to throw his own colleagues under the bus in a desperate attempt to frame them for crimes he committed. Not cool, man.

Here’s the story of how Oregon-based Nickolas Sharp, 37, earned himself a six-year prison sentence.

So, he’s working away as a senior developer with access to the deepest, darkest secrets of Ubiquiti, a popular American company whose main product is network management software.

Meanwhile, he keeps reading about these ‘ransomware’ attacks. For those who don’t know, a ransomware attack is a cyberattack wherein usually a business or large organisation has its private files and data either locked or stolen and the perpetrator then demands a ransom to return access. Diabolical.

So, anyway, our guy Nik is reading about all these attacks and the thing that’s really getting his motor running is the fact that, in a lot of cases, the targeted companies end up paying the ransom! And often we’re talking hundreds of thousands, if not millions of dollars worth of cryptocurrency.

With that kind of moolah, he could pay off his student loan in one fell swoop; alas, he simply couldn’t resist.

He began using his insider access as a senior developer to steal confidential data and then, posing as a hacker and a whistleblower, sent an anonymous email asking the network technology provider to pay 50 bitcoin (about $2 million at the time) in exchange for the syphoned information.

Unfortunately for Sharp, Ubiquiti didn’t cave. Instead, they blew the whistle on the supposed whistleblower and it didn’t take long for the boys in blue to track him down by tracing a VPN connection to a Surfshark account purchased with his own PayPal account. D’oh!

Sharp was arrested in December, 2021 but has just now been sentenced.

It came out that he even “modified session file names to attempt to make it appear as if other coworkers were responsible for his malicious sessions”, according to the DoJ.

Trying to frame his own coworkers? Now that’s low.

In addition to the six-year prison term, Sharp was “sentenced to three years of supervised release and ordered to pay restitution of $1,590,487 and to forfeit personal property used or intended to be used in connection with these offences.”

Nice to have a cybercrime story where crime doesn’t pay for once, eh folks? Good riddance to bad rubbish!


Attention, those of you who run Microsoft SQL servers that have been found wanting!

Your ‘poorly managed’ servers are being targeted by devious devils who use their malevolent malware to mine cryptocurrency and even carry out ransomware attacks.

We’re not kidding folks. Shape up or ship out, SQL servers!

This malware strain, dubbed SqlShell, is no joke, but don’t just take our word for it…

“Similar to web shell, which can be installed on web servers, SqlShell is a malware strain that supports various features after being installed on an MS SQL server, such as executing commands from threat actors and carrying out all sorts of malicious behaviour,” AhnLab Security Emergency Response Center (ASEC) said in a report published last week.

The attack method discovered by the South Korean cybersecurity firm entails the use of a CLR stored procedure to install the malware on MS SQL servers using the xp_cmdshell command, which spawns a Windows command shell and passes an instruction as input for execution.

“SqlShell can install additional malware such as backdoors, coin miners, and proxyware, or it can execute malicious commands received from threat actors”, ASEC said.
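For the SQL Server admins in the audience, here is an added example (ours, not code from the ASEC report) of a read-only T-SQL audit of the two features the attack leans on: xp_cmdshell and CLR stored procedures. It assumes you run it as a sysadmin and repeat parts 2 and 3 in each database; the `clr strict security` option only exists on SQL Server 2017 and later.

```sql
-- Added example: read-only audit of the features named above.

-- 1. Server-wide switches: is the OS command shell or CLR execution enabled?
SELECT name,
       CONVERT(int, value_in_use) AS value_in_use,
       CASE
         WHEN name = 'xp_cmdshell'         AND CONVERT(int, value_in_use) = 1
           THEN 'REVIEW: xp_cmdshell is enabled'
         WHEN name = 'clr enabled'         AND CONVERT(int, value_in_use) = 1
           THEN 'REVIEW: user CLR code can execute'
         WHEN name = 'clr strict security' AND CONVERT(int, value_in_use) = 0
           THEN 'REVIEW: CLR strict security is off'
         ELSE 'ok'
       END AS finding
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'clr enabled', 'clr strict security');

-- 2. User-defined assemblies in the current database. Anything you did not
--    deploy yourself, especially with UNSAFE_ACCESS, deserves a close look.
SELECT a.name, a.permission_set_desc, a.create_date, a.modify_date,
       USER_NAME(a.principal_id) AS owner
FROM sys.assemblies AS a
WHERE a.is_user_defined = 1
ORDER BY a.create_date DESC;

-- 3. Procedures and functions that are backed by those assemblies.
SELECT o.name AS object_name, o.type_desc, a.name AS assembly_name,
       am.assembly_class, am.assembly_method, o.create_date
FROM sys.assembly_modules AS am
JOIN sys.objects    AS o ON o.object_id   = am.object_id
JOIN sys.assemblies AS a ON a.assembly_id = am.assembly_id
ORDER BY o.create_date DESC;

-- 4. Logins in the sysadmin role, i.e. who can enable or call xp_cmdshell.
SELECT m.name AS login_name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';

-- 5. If nothing legitimate needs xp_cmdshell, switch it off (uncomment to apply):
-- EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
-- EXEC sp_configure 'xp_cmdshell', 0;           RECONFIGURE;
```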

Scary stuff, y’all. Like we said, mine how you go


For too long North-Korean threat actors have been defying the efforts of the US DoJ. At least, that’s how Eun Young Choi, the (relatively) newly appointed director of the Justice Department’s National Cryptocurrency Enforcement Team (NCET), feels.

He’s saying: NCET on my watch, fellas. Don’t even Choi it! Nah seriously, he seems like a good dude who means business.

And who can blame him for wanting to crack the whip? North Korean hackers alone stole between $630 million and $1 billion (cue Dr. Evil laugh) of crypto assets in 2022.

Indeed, the pesky, often state-sponsored, North Korean hackers have established themselves as main offenders in cybercrime involving DeFi (Decentralised Finance).

Choi has made it clear that the department intends to focus its efforts on tackling thefts and hacks involving DeFi and “particularly chain bridges.”

FYI, a chain bridge enables an exchange of information, cryptocurrency or NFTs from one blockchain network to another.

The DoJ announced Choi — a prosecutor with nearly a decade of experience in the agency — as the first director of the NCET in February 2022.

And you know what they say: if at first you don’t succeed, Choi, Choi again. 

Cheers folks, we’ll be here all week!

So long and thanks for reading all the phish!
