The @ihackedthegovernment Instagram Account Creator Avoids Prison Time After US Systems Breach

The infamous @ihackedthegovernment Instagram account has officially been shut down after its creator, a 25-year-old Tennessee man, pleaded guilty to accessing highly sensitive US government systems. Nicholas Moore avoided prison time and was sentenced to one year of probation after using stolen login credentials to breach the US Supreme Court, AmeriCorps, and the Veterans Administration Health System. Rather than monetizing the stolen data, Moore publicly posted screenshots of the users' personal information to his social media profile.

Moore's unauthorized access occurred between August and October 2023. According to government court filings, he used stolen credentials to log into the US Supreme Court’s electronic filing system at least 25 times, occasionally returning multiple times in a single day. He obtained a user's full name, email address, phone number, home address, date of birth, and private answers to three security questions. On July 29, August 18, and November 28, 2023, Moore posted screenshots to his Instagram profile, making the victim's name and a list of all current and past electronic filing records clearly visible to the public.

The data exposure extended far beyond the judicial branch. Moore breached a My AmeriCorps account, publicly posting the user's name, date of birth, email address, home address, phone number, citizenship status, veteran status, service history, and the last four digits of their Social Security number. Furthermore, he accessed the Department of Veterans Affairs 'My HealtheVet' platform on five different days using the stolen login credentials of a US Marine Corps veteran. On October 13, 2023, Moore disclosed the veteran's individually identifiable health information, including prescribed medications, blood type, and service branch.

During a remote sentencing hearing, Moore expressed remorse to US District Judge Beryl Howell, stating, "I made a mistake. I am truly sorry. I respect laws, and I want to be a good citizen." The US government did not seek prison time or financial restitution, noting that Moore's victims did not sustain financial losses. Prosecutors described him as a vulnerable young man with long-term disabilities and mental health struggles, emphasizing that he acted primarily to show off to online acquaintances rather than for financial gain. Judge Howell handed down the 12-month probation sentence, joking that his potential is apparent given the ease with which he breached three government systems.

Because this breach relied entirely on stolen login credentials rather than sophisticated zero-day exploits, it highlights the critical need for fundamental account security. Users and organizations must implement strict access controls to prevent unauthorized entry.

• Enable Multi-Factor Authentication (MFA): Always require a secondary verification method, such as an authenticator app or hardware security key, to block attackers even if they obtain your password.
• Audit Active Sessions: Regularly check your account settings for active login sessions and immediately revoke access for any unrecognized devices or locations.
• Use Unique Passwords: Utilize a dedicated password manager to generate and store complex, unique passwords for every service, ensuring that a breach on one platform does not compromise others.

This case highlights a growing and concerning trend in modern cybersecurity: the shift from financially motivated cybercrime to clout-driven social engineering. Moore's actions were not driven by ransomware payouts or selling data on the dark web. Instead, the primary objective was digital notoriety, evidenced by his "toxic" online social life and the blatant boasting on a public platform. This psychological motivation makes threat modeling increasingly difficult for government agencies, as attackers seeking attention often behave more erratically than those seeking profit.

The fact that a 25-year-old with limited financial means and virtually no employment experience could repeatedly access the US Supreme Court’s electronic filing system and the Veterans Administration Health System is a glaring indictment of current federal access controls. While the government recommended probation conditions such as computer monitoring and a prohibition on anonymizing software, the broader takeaway is that federal infrastructure remains highly vulnerable to basic credential stuffing and stolen login abuse. Until zero-trust architectures are universally enforced across all government portals, clout-chasing hackers will continue to find easy targets.