A Kansas City man has been indicted for allegedly hacking into computer networks and using this access to promote his cybersecurity services.
According to the Department of Justice, Nicholas Michael Kloster, 31, of Kansas City, Missouri, breached two computer networks, a health club business and a nonprofit organization.
According to the indictment unsealed on Friday, Kloster had been involved in at least three incidents investigated by the FBI against an equal number of organizations not named in the document.
The first incident occurred on April 26, 2024, around midnight, when Kloster breached the premises of a health club that operates multiple gyms in the state and gained access to its systems.
Next, he sent an email to one of the gym’s owners claiming he had hacked their computers and promoted his services in the same message, apparently seeking to get hired by the company for security consulting services.
“I managed to circumvent the login for the security cameras by using their visible IP addresses. I also gained access to the GoogleFiber Router settings, which allowed me to use [redacted] to explore user accounts associated with the domain,” reads the email shared in the indictment.
“If I can reach the files on a user’s computer, it indicates potential for deeper system access.”
In addition to the contracting proposal to the gym owner, the U.S. Department of Justice says Kloster reduced his monthly gym membership fee to just $1, deleted his photograph from the gym’s database, and stole a staff member’s name tag.
Weeks later, the suspect posted a screenshot on social media showing the gym’s security camera system under his control.
Later, on May 20, the indictment says Kloster physically breached a nonprofit organization and accessed a restricted area where he used a boot disk to bypass authentication requirements and gain access to sensitive information.
Kloster allegedly installed a virtual private network (VPN) on the nonprofit’s computer and changed account passwords.
The DOJ says his actions caused an estimated data of $5,000 to the nonprofit, which had to remediate the intrusion and secure their systems following Kloster’s intrusion.
Finally, Kloster is accused of using stolen credit card information from his former employer, a third company, to purchase ‘hacking thumb drives’ designed to exploit vulnerable systems.
If proven guilty, Kloster could face sentences of up to 15 years in prison (5 years for unauthorized access + 10 years for reckless damage), fines, and restitution to the victims for financial losses.