Hacker Pleads Guilty: Breached Orgs to Promote Cybersecurity Services, Faces Prison
Nicholas Michael Kloster, a resident of Kansas City, has found himself at the center of a high-profile criminal case, culminating in his guilty plea to a series of cybercrimes. According to the U.S. Department of Justice, the 32-year-old man breached at least three organizations in 2024, allegedly with the intention of offering them his cybersecurity services. However, the methods he employed to capture the attention of prospective clients were in clear violation of the law.
Investigators report that Kloster’s first target was a fitness company operating a network of gyms across Missouri. He infiltrated a restricted area and gained unauthorized access to the company’s internal systems. Shortly thereafter, he emailed one of the owners to boast about bypassing their security and promptly offered his services as a cybersecurity consultant.
In his email, Kloster detailed how he accessed the gym surveillance system via publicly exposed camera IP addresses and manipulated settings in the Google Fiber router. This allowed him to view user accounts associated with the company’s domain. According to him, his ability to reach user files was evidence of critical vulnerabilities demanding immediate remediation.
Kloster further claimed to have assisted over 30 small and mid-sized industrial firms in Kansas City in enhancing their digital security. Yet, his actions extended far beyond a mere unsolicited proposal. He altered his profile photo in the gym’s membership database, reduced his subscription fee to a symbolic one dollar, and stole an employee’s access badge.
Weeks after the intrusion, Kloster shared a screenshot of the gym’s surveillance system on social media, showcasing his total control over it—continuing to promote his services while flagrantly violating federal law.
His next target was a Missouri-based nonprofit organization. On May 20, Kloster unlawfully entered a restricted area within the foundation and used a bootable disk to circumvent authentication protocols on several computers. He exfiltrated sensitive data from a device legally designated by the Justice Department as a “protected computer” due to its involvement in interstate or international communications.
After breaching the foundation’s systems, Kloster installed a VPN service and changed passwords for multiple user accounts, effectively seizing complete control over the organization’s digital infrastructure. This too appeared to be an effort to showcase his “professional capabilities” in cybersecurity.
Another charge stems from an incident involving Kloster’s former employer, whose name remains undisclosed. After his termination on April 30, 2024, Kloster used stolen corporate credit cards to purchase specialized USB devices commonly employed in cyberattacks. These so-called “hacker flash drives” are designed to bypass basic security defenses and facilitate swift, unauthorized access to networks.
Kloster now faces up to five years in federal prison without the possibility of parole. In addition, the court may impose a fine of up to $250,000, a mandatory three-year supervised release, and restitution payments to the affected organizations.
The case has sparked considerable discussion within the cybersecurity community. Law enforcement officials emphasize that the emerging trend of using cybercrime as a self-promotional “portfolio” remains unequivocally criminal—regardless of any altruistic justification offered by perpetrators.