The following are two reports on one criminal case. The first is from the U.S. Attorney’s Office:
A Kansas City, Mo., man has pleaded guilty to hacking into the computer system at an area nonprofit.
Nicholas Michael Kloster, 32, admitted during his plea that he caused reckless damage to a protected computer owned by an area nonprofit during unauthorized access. Kloster admitted that he entered the premises of a nonprofit corporation on May 20, 2024. Kloster entered an area that is not available to the public and accessed a computer with access to the company’s network.
Kloster specifically admitted that he utilized a boot disk to access the computer through multiple user accounts. By accessing the computer in this manner, Kloster was able to circumvent the password requirements by changing the password assigned to one or more users. Kloster was then able to install a virtual private network on this computer. Since Kloster’s intrusion into its computer and its network, the company has sustained significant losses in an attempt to remediate the effects from this intrusion.
The second is from a Russian cybercrime forum, which focused on the indictment:
According to investigators, Kloster first hacked the network of a sports club that owns a chain of gyms in the state of Missouri. He penetrated a closed area and gained access to the company’s systems. He then sent an email to one of the owners, where he said that he had successfully bypassed their protection and immediately offered his cybersecurity consulting services.
In the email, he detailed how he gained access to the gym’s surveillance system using public IP addresses of cameras, as well as how he penetrated the settings of a Google Fiber router. There, he was able to study user accounts associated with the company’s domain. According to him, if it was possible to get to user files, it means that the vulnerabilities in the system are serious and require urgent elimination.
Kloster also claimed that he had already helped more than 30 small and medium-sized industrial companies in Kansas City improve their digital security. However, his actions were not limited to the letter. He personally changed his own photo in the fitness club’s database, reduced his monthly membership fee to a symbolic dollar, and stole an employee’s name badge.
A few weeks after the hack, Kloster posted a screenshot of the club’s video surveillance system on social networks, demonstrating full control over it. In this way, he continued to advertise his services, while violating federal law.
Kloster’s next target was a Missouri non-profit foundation. On May 20, he illegally entered the organization’s closed premises and used a boot disk to bypass authentication on the computers. There, he stole confidential information from a device that the Justice Department classified as a “protected computer” because it is used in interstate or international communications.
Having gained access to the foundation’s systems, Kloster installed a VPN service and changed passwords for several accounts, thereby taking complete control over the organization’s infrastructure. This approach was apparently also aimed at demonstrating his “professional capabilities” in the field of cybersecurity.
Another episode Kloster is accused of involved an incident with his former employer. The company, whose name has not been disclosed, fired him on April 30, 2024. It was then discovered that Kloster had used stolen corporate bank cards to purchase special USB devices designed to hack vulnerable systems. The so-called “hacker flash drives” help bypass basic security measures and quickly gain unauthorized access to the network.
Kloster now faces up to five years in federal prison without the possibility of parole. In addition, the court may fine him up to $250,000, subject him to mandatory three-year supervision after his release, and order him to pay compensation to the affected organizations.
Information about the case has caused a wide resonance in the professional community. Law enforcement officials emphasize that this practice – when cybercrimes are used as a kind of “portfolio” for self-promotion – is becoming more and more common. However, such actions remain a criminal offense, despite attempts to justify them with good intentions.