Man accused of hilariously bad opsec as alleged cybercrime spree detailed
Complaint claims he trespassed, gave himself discounts, and sorted CCTV access…
A Kansas City man who stands accused of having a disregard for basic opsec made his first court appearance on Friday over a series of alleged cybercrimes.
Nicholas Michael Kloster, 31, is alleged to have embarked on a confusing three-month Missouri crime spree that involved breaking and entering into a gym, causing $5,000 worth of damage to a non-profit, and abusing a credit card belonging to a company shortly after it hired him, according to the indictment [PDF].
The complaint claims Kloster was hired by what it refers to as "Company Victim 1" in March 2024 and that he quickly used the company credit card to make various purchases for himself. Only one of these was detailed in the indictment: a thumb drive that prosecutors say was advertised as one that could help users break into computers.
According to the document, Kloster was fired on April 30 – which would make for a short stint of employment – and allegedly attacked "Victim 2," a health club chain, shortly before that termination.
On April 26, or so the complaint claims, Kloster allegedly broke into one of the chain's health clubs shortly before midnight and the following day began telling the owner via email exactly what he had done.
Note, dear reader, that prosecutors allege Kloster used his Victim 1 company email account to do this.
The email detailed in the indictment read: "I managed to circumvent the login for the security cameras by using their visible IP addresses… I also gained access to the Google Fiber Router settings, which allowed me to use [redacted] to explore user accounts associated with the domain… If I can reach the files on a user's computer, it indicates potential for deeper system access."
- Another 'major cyber incident' at a UK hospital, outpatients asked to stay away
- Supply chain management vendor Blue Yonder succumbs to ransomware
- China has utterly pwned 'thousands and thousands' of devices at US telcos
- Andrew Tate's site ransacked, subscriber data stolen
Kloster allegedly went on to forward a copy of his resume, which the indictment said "greatly differed" from the one he used to secure employment at Victim 1. He claimed to have assisted more than 30 SMBs in the region, seemingly peddling his so-called security services in some sort of guerrilla pitch for a new job.
Prosecutors say health club staff noticed that Kloster's gym membership cost had allegedly been reduced to $1 following the intrusion, that he had allegedly stolen a staff member's name tag, and his account photograph had been erased.
To round things off, Kloster is then alleged to have posted an image to social media of what appeared to be a stream of the gym's CCTV cameras weeks later, captioning it: "How to get a company to use your security service."
Then, less than a month later, on May 20, or so the indictment claims, he entered a non-public restricted area of the nonprofit ("Victim 3") and used a boot disk on a computer, allowing him to access it using multiple user accounts, all while circumventing password protections, according to the indictment.
Kloster then allegedly changed the passwords of multiple users and installed what prosecutors said was a virtual private network on the machine. The non-profit told authorities it spent around $5,000 to undo Kloster's actions.
Kloster faces a two-count charge, one for accessing and obtaining information from "Victim 2's" protected computer, and another for accessing and causing reckless damage to "Victim 3's" protected computer.
The scheduling conference for Kloster's trial is set for April 1, 2025. Kloster's representation was not immediately available for comment ®