The Tennessee man also admitted to hacking into AmeriCorps and the VA system, using stolen credentials.
Nicholas Moore, a 24-year-old from Tennessee, hacked into multiple US organizations, namely the Supreme Court, AmeriCorps, and the Department of Veterans Affairs. He used stolen credentials to access the databases and steal personal data. According to the Justice Department, he was able to repeatedly access various systems using stolen credentials from authorized users.
Unique to this case, Moore chose to post the data on Instagram, using the handle @ihackthegovernment, rather than attempt to sell the data or hold it for ransom. Computer fraud is generally a misdemeanor charge with a maximum sentence of one year. Considering the data’s value and his multiple attacks, it’s possible the prosecution may push for a harsher sentence.
According to an investigation, the breach started with the Supreme Court’s filing platform, which quickly became a gateway for Moore to access AmeriCorps and the VA. Moore allegedly used credential stuffing and phishing tactics to obtain login details. After successfully accessing the databases, Moore searched them for personally identifiable information, including names, addresses, birth dates, phone numbers, citizenship information, veteran status, and Social Security numbers. According to the Justice Department, he accessed the Supreme Court’s filing system many times, sometimes multiple times a day, between Aug. 29, 2023, and Oct. 22, 2023.
Moore has pleaded guilty to only a single count of computer fraud, meaning that the penalty he faces (up to one year of prison time, alongside a $100,000 fine and possible victim restitution) could be relatively light. Court watchers have noted that some cyberattack-related charges, like identity theft and wire fraud, can be difficult to prove, which can make sentences lighter.
The incident has sparked calls for government agencies to bolster their cybersecurity practices. Bitget News has suggested that the Supreme Court may undergo additional audits to ensure an incident like this can be prevented in the future. Moore will be sentenced by Judge Beryl A. Howell on April 17.
Credential stuffing is an automated cyber attack method where a malicious actor uses previously stolen credentials (usually tied to a different service or website) to infiltrate another system. This method relies on the idea that users may have the same credentials (username and password) across multiple platforms.
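On the defensive side, credential stuffing shows up in authentication logs as one source trying many different accounts in a short time and mostly failing. The following Python example is added here and is not part of the original article or the case record; the log format, thresholds, IP addresses and usernames are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, time-ordered: "timestamp source_ip username result"
SAMPLE_LOG = """\
2024-01-01T09:00:00 192.0.2.50 u1 FAIL
2024-01-01T09:10:00 192.0.2.50 u2 FAIL
2024-01-01T09:20:00 192.0.2.50 u3 FAIL
2024-01-01T09:30:00 192.0.2.50 u4 FAIL
2024-01-01T09:40:00 192.0.2.50 u5 FAIL
2024-01-01T10:00:00 203.0.113.7 alice FAIL
2024-01-01T10:00:05 203.0.113.7 bob FAIL
2024-01-01T10:00:10 203.0.113.7 carol FAIL
2024-01-01T10:00:15 203.0.113.7 dave FAIL
2024-01-01T10:00:20 203.0.113.7 erin FAIL
2024-01-01T10:00:25 203.0.113.7 frank OK
2024-01-01T10:00:30 203.0.113.7 grace FAIL
2024-01-01T10:01:00 198.51.100.20 heidi FAIL
2024-01-01T10:01:20 198.51.100.20 heidi OK
"""

WINDOW = timedelta(minutes=5)   # assumed sliding window
MIN_USERS = 5                   # distinct accounts tried by one source in the window
MIN_FAIL_RATIO = 0.8            # share of attempts in the window that failed

def detect_stuffing(log_text):
    """Map each flagged source IP to the accounts it logged into during a burst."""
    recent = defaultdict(deque)  # ip -> (time, user, succeeded) inside the window
    flagged = defaultdict(set)   # ip -> accounts with a successful login in a burst
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue             # skip malformed lines
        ts, ip, user, result = parts
        now = datetime.fromisoformat(ts)
        window = recent[ip]
        window.append((now, user, result == "OK"))
        while now - window[0][0] > WINDOW:
            window.popleft()     # drop attempts older than the window
        users = {u for _, u, _ in window}
        fails = sum(1 for _, _, ok in window if not ok)
        if len(users) >= MIN_USERS and fails / len(window) >= MIN_FAIL_RATIO:
            # A success inside a burst means a reused password worked.
            flagged[ip].update(u for _, u, ok in window if ok)
    return {ip: sorted(users) for ip, users in flagged.items()}

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))
```

A flagged source with an empty list made many attempts but none succeeded; any account that is listed should have its password reset and its sessions revoked.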
Moore’s motives in this breach remain unclear. Many threat actors are financially motivated, using the dark web or ransom threats to receive payment. In this case, Moore may have been politically motivated or attempting to make a social statement about the security of the systems he infiltrated.