
A Kansas City man has admitted to hacking multiple organizations with the intent of advertising his cybersecurity services, according to a U.S. Department of Justice announcement on June 26, 2025 [1]. Nicholas Michael Kloster, 31, altered system data, stole credentials, and emailed victims offering his services after compromising their networks. The case highlights a growing trend of attackers exploiting breaches for financial gain under the guise of “ethical” assistance.
TL;DR: Key Facts
- Defendant: Nicholas Michael Kloster (Kansas City, MO)
- Tactics: Modified gym membership fees to $1, deleted his photo from systems, stole staff credentials
- Evidence: Posted screenshots of compromised security cameras with captions soliciting business
- Charges: Unauthorized access and reckless damage (U.S. Attorney’s Office, Western District of Missouri)
- Parallel Cases: Similar incidents include the PowerSchool breach by Matthew Lane (62M records exposed) [2]
Technical Analysis of the Attacks
Kloster targeted a health club chain and a nonprofit, exploiting weak access controls. He manipulated his gym membership fee to $1 and deleted his profile photo from the system, which indicates direct database access or API vulnerabilities [1]. The theft of a staff nametag suggests physical social engineering or an insider threat. The screenshots of compromised security cameras he shared online suggest unpatched IoT devices or default credentials, both common in small businesses.
Post-breach, Kloster emailed victims offering cybersecurity services, a tactic resembling the “decryption support” that ransomware groups offer. This approach blurs legal boundaries, as victims may unknowingly engage with the perpetrator. The DOJ indictment emphasizes the recklessness of his actions, which caused operational disruptions beyond mere data access.
Broader Industry Implications
The case mirrors historical patterns where hackers create problems to sell solutions. Tech Wolf’s Damon Watford criticized this as a predatory practice during LinkedIn discussions [3]. Unlike legitimate penetration testers who operate under signed agreements, Kloster’s unsolicited breaches violated 18 U.S. Code § 1030 (Computer Fraud and Abuse Act).
| Case | Tactics | Legal Outcome |
|---|---|---|
| Kloster (2025) | Unauthorized access, data alteration | Pleaded guilty (sentencing pending) |
| Matthew Lane (PowerSchool) | Credential theft, extortion | 9-year sentence (aggravated identity theft) |
Mitigation Strategies
Organizations can adopt these measures to prevent similar incidents:
- Access Controls: Implement role-based permissions and review departing employee access
- Monitoring: Deploy SIEM rules that alert on unusual database modifications (e.g., membership fee or price changes)
- Third-Party Audits: As recommended by the Bloomingdale Chamber of Commerce [3]
Retired FBI agent Scott Augenbaum advises proactive measures: “Freeze credit, update passwords, and monitor dark web activity” [3]. For IoT devices like security cameras, changing default credentials and segmenting networks are critical.
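As an added illustration of the monitoring measure above (example code written for this article, not from the DOJ, the victims, or any SIEM vendor), the following Python script runs two detection rules over constructed audit-log lines: a fee set far below its plan's baseline price, and an account editing its own membership record. Plan prices, member IDs and the log format are all assumptions.

```python
"""Flag suspicious membership-record changes in a constructed audit log.

Rules modelled on the incident described above:
  1. fee_below_baseline: a fee set far below the plan's normal price (e.g. $1)
  2. self_modification: an account editing fields on its own membership record
"""
import json

# Baseline monthly price per plan (constructed values, not any real gym's prices)
PLAN_PRICES = {"basic": 29.0, "premium": 59.0}
# A fee below this fraction of the baseline is treated as anomalous
MIN_RATIO = 0.5

# Constructed audit events, one JSON object per line (not real log data)
AUDIT_LOG = """\
{"ts":"2025-06-01T09:12:00Z","actor":"staff_42","member":"m1001","plan":"basic","field":"fee","old":29.0,"new":29.0}
{"ts":"2025-06-01T23:41:07Z","actor":"m2077","member":"m2077","plan":"premium","field":"fee","old":59.0,"new":1.0}
{"ts":"2025-06-02T10:05:33Z","actor":"staff_42","member":"m1002","plan":"premium","field":"fee","old":59.0,"new":49.0}
{"ts":"2025-06-02T10:06:10Z","actor":"m2077","member":"m2077","plan":"premium","field":"photo","old":"photo.jpg","new":null}
"""


def classify(event):
    """Return the names of the rules an event trips (empty list if benign)."""
    hits = []
    if event.get("field") == "fee" and isinstance(event.get("new"), (int, float)):
        baseline = PLAN_PRICES.get(event.get("plan"))
        if baseline is not None and event["new"] < baseline * MIN_RATIO:
            hits.append("fee_below_baseline")
    if event.get("actor") == event.get("member"):
        hits.append("self_modification")
    return hits


def detect(log_text):
    """Parse newline-delimited JSON audit lines and return the flagged events."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than halt the pipeline
        rules = classify(event)
        if rules:
            alerts.append({"ts": event["ts"], "actor": event["actor"],
                           "member": event["member"], "rules": rules})
    return alerts


if __name__ == "__main__":
    for alert in detect(AUDIT_LOG):
        print(alert)
```

Run as-is, the script flags the $1 fee change (both rules) and the self-service photo deletion (self_modification), while the staff discount to $49 passes.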
Conclusion
Kloster’s case underscores the need for clear boundaries between ethical hacking and criminal activity. While cybersecurity professionals often identify vulnerabilities, doing so without authorization remains illegal. The DOJ’s prosecution reinforces that those who exploit breaches for profit, even under the pretense of assistance, will face strict penalties.
References
- “DOJ: Man hacked networks to pitch cybersecurity services,” BleepingComputer, Nov. 2024.
- “Alleged hacker in largest breach of U.S. children’s data agrees to plead guilty,” NBC News, May 2025.
- “Kansas City man admits hacking gym, nonprofit to sell security services,” Kansas City Star, Jun. 2025.