Nicholas Michael Kloster, a 31-year-old man from Kansas City, is facing serious accusations for his involvement in a series of cybercrimes characterized by exceptionally poor operational security. The extensive indictment, which spans just three months in 2024, outlines a string of unlawful activities allegedly orchestrated by Kloster against several organizations in Missouri.
According to the indictment, Kloster began his stint at an unspecified company, referred to as “Company Victim 1,” in March 2024. It wasn’t long before he allegedly misused the company’s credit card for personal purchases, including buying a thumb drive marketed for computer break-ins. His employment was terminated by the end of April 2024 due to these unauthorized actions.
Before his termination, Kloster reportedly targeted a health club chain, labeled as “Victim 2.” The complaint notes that on April 26, Kloster infiltrated one of the chain’s health clubs just before midnight and brazenly used his Company Victim 1 email account to inform the health club owner about how he defeated their security systems. This email detailed his ability to bypass security camera logins, access router settings, and domain user accounts, indicating a deeper reach into system files.
In what appears to be a misguided attempt at self-promotion, Kloster then sent a revised resume to the health club, claiming to have assisted over 30 small-to-medium businesses (SMBs) in the area with his supposed security expertise. Suspicious actions linked to his tampering include the gym membership fee being reduced to $1, the theft of a staff member’s name tag, and the erasure of his account photograph. He also posted a photo on social media of the gym’s CCTV feed, bragging about convincing companies to use his security services.
Kloster’s cybercrime spree continued less than a month later on May 20, when he gained access to a restricted area of a nonprofit organization, dubbed “Victim 3.” Here, he allegedly employed a boot disk to bypass password protections and access multiple user accounts. He is also accused of changing several user passwords and installing a virtual private network (VPN) on one of the nonprofit’s computers. The nonprofit organization reported incurring around $5,000 in costs to reverse Kloster’s actions.
Kloster faces two primary charges: one for unauthorized access and obtaining information from Victim 2’s computer, and another for unauthorized access and causing damage to Victim 3’s computer. His court date is set for April 1, 2025. Attempts to reach his legal representation for comments were unsuccessful.
This case sheds light on Kloster’s apparent negligence and lack of caution in committing his alleged cybercrimes. His actions were both audacious and reckless, making it easy for authorities to trace the crimes back to him due to identifiable communication methods and outright self-incrimination. The entire series of events underlines the crucial importance of robust operational security practices to avoid detection and legal pitfalls in illegal activities.
In summary, the poorly executed actions allegedly carried out by Kloster, marked by amateur mistakes and a clear trail of evidence, caused significant financial damage to the affected Missouri organizations and resulted in his legal charges. The case stands as a stark reminder of how inadequate operational security can lead to quick identification and severe consequences for cybercriminals.
