Man pleads guilty to hacking companies to pitch cybersecurity services
Farah Amod
Jul 9, 2025 10:58:27 AM

A Missouri man admitted to breaking into corporate networks, altering data, and stealing access, all while marketing his own consulting work.
What happened
Nicholas Michael Kloster, 32, has pleaded guilty to hacking the systems of three organizations in 2024 in an attempt to promote his own cybersecurity services. According to the U.S. Department of Justice, Kloster targeted a Missouri-based health club chain, a nonprofit organization, and a former employer, gaining unauthorized access and then offering to consult on the very vulnerabilities he exploited.
In one case, Kloster emailed a gym owner describing how he bypassed camera security systems and router settings, then proposed his services. He also altered records in the gym’s database to reduce his membership fees to $1, deleted his own photo, and stole a staff member's name tag.
Going deeper
Beyond the health club incident, Kloster is also accused of physically breaching a nonprofit organization’s premises on May 20. Using a boot disk, he bypassed login protections and accessed what the DOJ classifies as a “protected computer,” meaning it is used in or affects interstate or foreign commerce. While inside, he installed a VPN, changed user account passwords, and exfiltrated sensitive data.
His activity extended to a third organization, his former employer, where he used stolen credit card details to buy hacking tools, including USB drives designed to exploit system vulnerabilities. The employer had terminated Kloster’s contract in April 2024.
What was said
In his email to the gym owner, Kloster explained the steps he took to compromise their network, noting that his ability to reach user files “indicates potential for deeper system access.” He also claimed to have previously helped over 30 businesses in the Kansas City area. Later, he shared screenshots of the gym’s security system on social media as apparent proof of access.
The DOJ has charged Kloster under federal computer crime statutes. He now faces up to five years in prison, a $250,000 fine, and three years of supervised release, in addition to potential restitution.
The big picture
The case shows how individuals can misuse cybersecurity expertise to create demand for services through unauthorized intrusion. It brings attention to the legal and ethical limits of security testing, particularly when performed without consent. Although some organizations engage ethical hackers to uncover vulnerabilities, acting without approval remains a federal offense. The incident also points to the need for strong physical security measures, access controls, and internal safeguards, especially for smaller organizations that may not anticipate being targeted.
FAQs
What’s the difference between ethical hacking and criminal hacking?
Ethical hackers are authorized by a company to test its systems for weaknesses. Criminal hackers act without permission, even if their goal is to show those weaknesses.
Can someone legally offer cybersecurity services after committing a breach?
No. Offering services after unauthorized access is considered extortion or fraud and violates multiple federal laws, regardless of intent.
What is a ‘protected computer’ under U.S. law?
A protected computer is any device used in or affecting interstate or international commerce, including most internet-connected systems in the U.S.
How can organizations prevent unauthorized access like this?
Physical security protocols, strict access controls, regular audits, and employee offboarding procedures are all needed to reduce risk.
Are hacking tools like USB drives illegal to own?
Not inherently. They become illegal when used without authorization to exploit or access protected systems. Intent and context matter in legal interpretation.