A 44-year-old Western Australian man has been sentenced to seven years and four months in prison for operating fraudulent “evil twin” WiFi networks to steal personal data from travelers at airports and on domestic flights across Australia [1]. The case, which was uncovered in April 2024 after airline staff reported a suspicious network during a flight, highlights a significant machine-in-the-middle attack vector that exploits the trust users place in public WiFi [4]. The defendant, Michael Clapsis, 42, from Perth, was arrested following a search of his luggage, which yielded a portable wireless access device, a laptop, and a mobile phone allegedly used in the scheme [7]. This prosecution by the Australian Federal Police (AFP) serves as a stark reminder of the risks associated with untrusted wireless networks in high-traffic transit locations.
Attack Methodology and Technical Execution
The core of the attack involved the creation of fake WiFi access points with Service Set Identifiers (SSIDs) identical to legitimate public networks offered at airports and on flights [1]. Clapsis used a portable wireless access device to broadcast these “evil twin” networks, which would often present a stronger signal than the legitimate one, tricking user devices into automatically connecting [7]. Once connected, users were directed to a fake captive portal that mimicked a standard login page, requesting credentials such as an email address or social media account details to access the “free” internet [4]. Any information entered into these portals was captured and saved by the attacker, providing a direct pipeline to personal data including bank account details, private messages, and photographs. The technical simplicity of this setup, requiring only a small, portable device, demonstrates a low-barrier-to-entry attack with a high potential for credential harvesting. The discovery of this specific campaign was initiated by vigilant airline staff, underscoring the importance of environmental monitoring for anomalous network activity.
Legal Proceedings and Charges
Following his arrest, Michael Clapsis faced multiple cybercrime charges. The AFP initially cited seven charges, while other reports indicated he was expected to face a total of nine [3]. The specific charges included unauthorized impairment of electronic communication, possession or control of data with intent to commit a serious offence, unauthorized access or modification of restricted data, and dishonestly obtaining or dealing in personal financial information [10]. Clapsis appeared in the Perth Magistrates Court on June 28, 2024, where he was released on strict bail conditions including a A$20,000 surety, the surrender of his passport, and restrictions on his internet use for non-personal matters [4]. His next court appearance was scheduled for August 2024, culminating in the recent sentencing. The locations of the alleged attacks, identified through data on seized devices, included airports in Perth, Melbourne, and Adelaide, as well as on domestic flights and venues linked to his previous employment [1].
Cybersecurity Context of “Evil Twin” Attacks
An “evil twin” attack is a form of machine-in-the-middle attack where a malicious actor deploys a rogue access point that closely mimics a legitimate one [7]. These attacks are particularly effective in locations with a high density of potential victims who are likely to seek out free WiFi, such as airports, coffee shops, and hotels. The attack leverages the default behavior of many mobile devices, which are configured to automatically connect to known networks or to the strongest available signal with a familiar SSID. From a network defense perspective, detecting these rogue access points can be challenging because they are designed to be transient and can be set up and dismantled quickly. The success of such an attack does not rely on exploiting a software vulnerability but rather on manipulating standard wireless protocols and human behavior, making it a persistent threat.
Practical Defensive Recommendations
For security professionals and organizations, mitigating the risk of “evil twin” attacks involves a combination of user education, technical controls, and network monitoring. The following measures, compiled from cybersecurity expert recommendations, can significantly reduce the attack surface [7, 9]. First, users should be instructed to disable auto-connect features for WiFi networks on their devices. On Android, this can be done via Settings > Network & Internet > Wi-Fi > Wi-Fi Preferences by turning off “Connect to public networks.” On iOS, users can go to Settings > Wi-Fi, tap the info icon next to a network, and turn off “Auto-Join.” Second, organizations should promote the use of a trusted Virtual Private Network (VPN), which encrypts all traffic between the user’s device and the VPN server, rendering intercepted data unusable to an attacker. A third and highly effective measure is the use of a personal mobile hotspot, which provides a more controlled and secure connection than public WiFi. Additionally, security teams should consider deploying wireless intrusion detection systems (WIDS) capable of identifying rogue access points based on MAC address, signal strength anomalies, and duplicate SSIDs within a protected environment.
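The WIDS checks named above (unknown MAC address, duplicate SSID, signal strength anomaly) can be illustrated with a small rogue-access-point audit. This is an added example, not code from the article, the AFP, or any WIDS product; the scan results, the allowlist of legitimate BSSIDs and the 15 dB margin are constructed values, and a real deployment would feed it from a wireless sensor's scan output.

```python
from collections import defaultdict

# Constructed scan results: (ssid, bssid, rssi_dbm, channel).
# One BSSID advertises the venue's SSID but is not in the allowlist,
# and is much louder than any legitimate AP, as described for evil twins.
SAMPLE_SCAN = [
    ("Airport_Free_WiFi", "aa:bb:cc:00:00:01", -62, 6),
    ("Airport_Free_WiFi", "aa:bb:cc:00:00:02", -70, 11),
    ("Airport_Free_WiFi", "de:ad:be:ef:00:01", -41, 6),   # constructed rogue
    ("Cafe_Guest",        "11:22:33:44:55:66", -55, 1),   # not our SSID, ignored
]

# Constructed allowlist: SSID -> set of BSSIDs the venue actually operates.
KNOWN_APS = {
    "Airport_Free_WiFi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
}


def find_rogue_aps(scan, known_aps, rssi_margin_db=15):
    """Audit a scan for access points impersonating protected SSIDs.

    Returns a list of (bssid, ssid, reasons). Only SSIDs present in
    known_aps are audited, since a venue legitimately runs several APs
    with the same SSID and duplicate SSIDs alone are not suspicious;
    the signal is a BSSID outside the allowlist advertising that SSID.
    """
    by_ssid = defaultdict(list)
    for ssid, bssid, rssi, channel in scan:
        by_ssid[ssid].append((bssid, rssi, channel))

    findings = []
    for ssid, entries in by_ssid.items():
        if ssid not in known_aps:
            continue
        legit_rssi = [r for b, r, _ in entries if b in known_aps[ssid]]
        strongest_legit = max(legit_rssi) if legit_rssi else None
        for bssid, rssi, channel in entries:
            if bssid in known_aps[ssid]:
                continue
            reasons = [f"unknown BSSID advertising protected SSID on channel {channel}"]
            # Evil twins typically overpower the real AP so clients prefer them.
            if strongest_legit is not None and rssi - strongest_legit >= rssi_margin_db:
                reasons.append(f"signal {rssi} dBm exceeds strongest legitimate AP "
                               f"({strongest_legit} dBm) by >= {rssi_margin_db} dB")
            findings.append((bssid, ssid, reasons))
    return findings


if __name__ == "__main__":
    for bssid, ssid, reasons in find_rogue_aps(SAMPLE_SCAN, KNOWN_APS):
        print(f"ALERT {ssid} via {bssid}: " + "; ".join(reasons))
```

The allowlist is the control that makes duplicate-SSID detection meaningful; without an inventory of legitimate BSSIDs, a WIDS can only report that several radios share a name.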
The sentencing of Michael Clapsis to a seven-year prison term marks a significant legal outcome for a cybercrime involving wireless network deception. This case establishes a notable precedent for the prosecution of “evil twin” attacks, which have often been considered difficult to attribute and prove in court. For the security community, the incident reinforces the need for continuous user awareness training regarding the dangers of public WiFi and the critical importance of basic security hygiene, such as using VPNs. As wireless technology continues to evolve and integrate into daily life, the techniques used by threat actors will also advance, requiring equally adaptive defensive strategies from both individuals and enterprises. The successful investigation and prosecution by the AFP demonstrate that collaboration between industry stakeholders and law enforcement can lead to tangible consequences for cybercriminals.