Australian Man Gets 7 Years For ‘Evil Twin’ WiFi Attacks

An Australian man has been sentenced to more than seven years in jail on charges that he created ‘evil twin’ WiFi networks to hack into women’s online accounts to steal intimate photos and videos.

The Australian Federal Police (AFP) didn’t name the man in announcing the sentencing, but several Australian news outlets identified him as Michael Clapsis, 44, of Perth, an IT professional who allegedly used his skills to carry out the attacks.

He was sentenced to seven years and four months in Perth District Court on November 28, and will be eligible for parole after serving half that time, according to the Sydney Morning Herald.

The AFP said Clapsis pled guilty to 15 charges, ranging from unauthorised access or modification of restricted data to unauthorised impairment of electronic communication, failure to comply with an order, and attempted destruction of evidence, among other charges.

‘Evil Twin’ WiFi Network Detected on Australian Domestic Flight

The AFP investigation began in April 2024, when an airline reported that its employees had identified a suspicious WiFi network mimicking a legitimate access point – known as an “evil twin” – during a domestic flight.

On April 19, 2024, AFP investigators searched the man’s luggage when he arrived at Perth Airport, where they seized a portable wireless access device, a laptop and a mobile phone. They later executed a search warrant “at a Palmyra home.”

Forensic analysis of data and seized devices “identified thousands of intimate images and videos, personal credentials belonging to other people, and records of fraudulent WiFi pages,” the AFP said.

The day after the search warrant, the man deleted more than 1,700 items from his account on a data storage application and “unsuccessfully tried to remotely wipe his mobile phone,” the AFP said.

Between April 22 and 23, 2024, the AFP said the man “used a computer software tool to gain access to his employer’s laptop to access confidential online meetings between his employer and the AFP regarding the investigation.”

The man allegedly used a portable wireless access device, called a “WiFi Pineapple,” to detect device probe requests and instantly create a network with the same name. A device would then connect to the evil twin network automatically. The network took people to a webpage and prompted them to log in using an email or social media account, where their credentials were then captured.
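For defenders monitoring a venue's airspace, the behaviour described above leaves a recognisable trace: one access point that starts advertising a network name only after a client has probed for it, and does so for several unrelated names. The following is an added example, not from the AFP or the original article; the frame records, MAC addresses, SSIDs and function name are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample frames: (time_s, kind, mac, ssid).
# kind is "probe_req" (mac = client) or "beacon"/"probe_resp" (mac = BSSID).
FRAMES = [
    (0.0, "beacon",     "aa:aa:aa:00:00:01", "Airline-WiFi"),   # legitimate AP
    (1.0, "probe_req",  "cc:cc:cc:00:00:10", "HomeNet-5G"),
    (1.2, "probe_resp", "02:00:00:00:00:99", "HomeNet-5G"),
    (2.0, "beacon",     "aa:aa:aa:00:00:01", "Airline-WiFi"),
    (3.0, "probe_req",  "cc:cc:cc:00:00:11", "CoffeeShop"),
    (3.1, "probe_resp", "02:00:00:00:00:99", "CoffeeShop"),
    (4.0, "probe_req",  "cc:cc:cc:00:00:12", "Airline-WiFi"),
    (4.1, "probe_resp", "aa:aa:aa:00:00:01", "Airline-WiFi"),
    (4.2, "probe_resp", "02:00:00:00:00:99", "Airline-WiFi"),
]


def find_probe_mimics(frames, window_s=2.0, min_ssids=2):
    """Return {bssid: [ssids]} for access points whose FIRST advertisement of
    an SSID comes within window_s seconds after a client probed for that
    SSID, for at least min_ssids distinct names.

    A genuine AP is already beaconing its own name before clients ask for
    it, so it never satisfies the "first seen right after a probe" test.
    """
    first_seen = {}               # (bssid, ssid) -> first advertisement time
    probes = defaultdict(list)    # ssid -> times a client probed for it
    for t, kind, mac, ssid in sorted(frames):
        if kind == "probe_req":
            if ssid:              # skip wildcard (empty SSID) probes
                probes[ssid].append(t)
        else:
            first_seen.setdefault((mac, ssid), t)

    mimicked = defaultdict(set)
    for (bssid, ssid), t_adv in first_seen.items():
        if any(0 <= t_adv - t_probe <= window_s for t_probe in probes.get(ssid, [])):
            mimicked[bssid].add(ssid)

    return {b: sorted(s) for b, s in mimicked.items() if len(s) >= min_ssids}


if __name__ == "__main__":
    for bssid, ssids in find_probe_mimics(FRAMES).items():
        print(f"suspicious AP {bssid} mirrored probed names: {ssids}")
```
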

AFP said its cybercrime investigators identified data related to use of the fraudulent WiFi pages at airports in Perth, Melbourne and Adelaide, as well as on domestic flights, “while the man also used his IT privileges to access restricted and personal data from his previous employment.”

“The man unlawfully accessed social media and other online accounts linked to multiple unsuspecting women to monitor their communications and steal private and intimate images and videos,” the AFP said.

Victims of Evil Twin WiFi Attack Enter Statements

At the sentencing, a prosecutor read from emotional impact statements from the man’s victims, detailing the distress they suffered and the enduring feelings of shame and loss of privacy.

One said, “I feel like I have eyes on me 24/7,” according to the Morning Herald.

Another said, “Thoughts of hatred, disgust and shame have impacted me severely. Even though they were only pictures, they were mine not yours.”

The paper said Clapsis’ attorney told the court that “He’s sought to seek help, to seek insight, to seek understanding and address his way of thinking.”

The case highlights the importance of avoiding free public WiFi when possible – and not accessing sensitive websites or applications if one must be used. Any network that requests personal details should be avoided.

“If you do want to use public WiFi, ensure your devices are equipped with a reputable virtual private network (VPN) to encrypt and secure your data,” the AFP said. “Disable file sharing, don’t use things like online banking while connected to public WiFi and, once you disconnect, change your device settings to ‘forget network’.”
