Man pleads guilty to hacking networks to pitch security services

A Kansas City man has pleaded guilty to hacking multiple organizations to advertise his cybersecurity services, the U.S. Department of Justice announced on Wednesday.

32-year-old Nicholas Michael Kloster was indicted last year for hacking into the networks of three organizations in 2024, including a health club and a Missouri nonprofit corporation.

According to court documents, Kloster accessed the systems of a health club that operates multiple gyms in Missouri after breaching a restricted area. Next, he sent an email to one of the gym chain's owners, claiming he had hacked their network and offering his services in the same message, seemingly seeking to secure a cybersecurity consulting contract with the company.

"I managed to circumvent the login for the security cameras by using their visible IP addresses. I also gained access to the GoogleFiber Router settings, which allowed me to use [redacted] to explore user accounts associated with the domain," Kloster said in the email. "If I can reach the files on a user's computer, it indicates potential for deeper system access."

He also said in that email that he had "assisted over 30 small to medium-sized industrial businesses in the Kansas City, Missouri area."

Besides submitting a contracting proposal to the gym owner, Kloster removed his photograph from the gym's database, reduced his monthly gym membership fee to only $1, and stole a staff member's name tag.

Weeks later, the defendant posted a screenshot on social media that displayed the gym's security camera system and indicated that he had gained control over it.

On May 20, Kloster also allegedly breached the restricted premises of a nonprofit organization, where he used a boot disk to bypass authentication requirements and stole sensitive information from a "protected computer," a system "used in or affecting interstate or foreign commerce or communication" as described by the DOJ.

Kloster used his access to the nonprofit's computer to install a virtual private network (VPN) and change the passwords of multiple user accounts.

The defendant is also accused of using stolen credit card information from a third company, a former employer who fired Kloster on April 30, 2024, after he used the stolen company credit cards to purchase 'hacking thumb drives' designed to exploit vulnerable systems.

If found guilty, Kloster is facing a potential sentence of up to five years in federal prison without parole, along with a fine of up to $250,000, three years of supervised release, and an order of restitution.