A 24-year-old named Nicholas Moore has pleaded guilty to unauthorized access of multiple US federal government networks, including the US Supreme Court, AmeriCorps, and the Department of Veterans Affairs, after publicly documenting the intrusions on an Instagram account called "ihackedthegovernment." According to court filings, Moore logged into the Supreme Court's filing infrastructure at least 25 times across a two-month window in 2023 using stolen credentials, and exfiltrated sensitive records including veteran healthcare data from the MyHealtheVet portal.
What Happened
Throughout 2023, Moore repeatedly authenticated into three separate federal systems using stolen usernames and passwords, accessing them multiple times per day in a pattern prosecutors described as systematic rather than opportunistic. Rather than maintain operational secrecy, Moore posted screenshots and stolen materials to Instagram under a handle that openly advertised his activity. The public posts transformed what might have been a covert, long-dwell intrusion into a self-documented evidence trail that investigators used to build the federal case that led to his guilty plea.
What Was Taken
The compromised data spans three federal institutions with varying sensitivity levels. From the Department of Veterans Affairs' MyHealtheVet platform, Moore accessed protected health information belonging to at least one veteran, publishing personal medical details to social media. AmeriCorps accounts were also infiltrated, exposing participant and program data. The Supreme Court intrusions, totaling at least 25 logins over two months, targeted the court's electronic filing infrastructure, which routinely contains sealed filings, sensitive case materials, and personally identifying information of parties before the court.
Why It Matters
This case highlights a persistent structural weakness in federal identity architecture: valid stolen credentials still serve as a master key across multiple unrelated agency systems. Moore was not exploiting a zero-day or deploying custom malware; he was logging in. The incident underscores the continued lag in federal adoption of phishing-resistant multifactor authentication, particularly for citizen-facing and lower-profile portals like MyHealtheVet and AmeriCorps. It also demonstrates that opportunistic, ego-driven actors can inflict real harm on high-value systems when credential hygiene fails, even without sophisticated tradecraft.
The Attack Technique
Court documents describe credential-based intrusions using usernames and passwords that had been acquired through unauthorized means, consistent with credential stuffing, infostealer log resale, or phishing-derived credential theft. No exploitation of software vulnerabilities was alleged. Moore reused the stolen credentials across repeated sessions, with activity patterns showing multiple daily logins per target, suggesting that neither anomalous-login detection nor session-frequency analytics flagged his behavior in time to disrupt access. Detection ultimately came from open-source intelligence, specifically his own Instagram posts, rather than from internal telemetry at any of the victim agencies.
What Organizations Should Do
- Enforce phishing-resistant MFA (FIDO2, PIV, or equivalent) on all federal and citizen-facing portals, including lower-profile platforms such as benefits and healthcare systems.
- Monitor impossible-travel, unusual-hours, and high-frequency login patterns per account; a credential logging in 25+ times across two months from anomalous infrastructure should trigger step-up authentication.
- Integrate commercial infostealer and credential-dump feeds into identity controls to force password resets when agency-issued credentials surface in criminal marketplaces.
- Apply risk-based session controls to sensitive filing and healthcare portals, including device binding and re-authentication for privileged data views.
- Incorporate OSINT monitoring of social platforms for brand, system, and screenshot leakage indicators tied to agency interfaces.
- Conduct post-incident credential-exposure audits across shared identity providers to identify whether stolen credentials grant access to additional federal tenants.
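The per-account login monitoring recommended in the list above, shown as an added Python example that is not drawn from the court filings or from any agency's tooling. The event layout, account names, thresholds, quiet-hours window, and baseline networks are all assumptions made for illustration, and the sample events are constructed.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (timestamp, account, source IP, result).
# Timestamps are assumed to be in the portal's local time; IPs are documentation ranges.
EVENTS = [
    ("2023-08-01T14:05:00", "filer01", "192.0.2.10", "success"),
    ("2023-08-02T02:11:00", "filer01", "203.0.113.7", "success"),
    ("2023-08-02T09:40:00", "filer01", "203.0.113.7", "success"),
    ("2023-08-02T13:02:00", "filer01", "203.0.113.7", "success"),
    ("2023-08-02T21:30:00", "filer01", "203.0.113.9", "success"),
    ("2023-08-02T03:00:00", "vet02", "203.0.113.7", "failure"),
    ("2023-08-02T15:00:00", "vet02", "198.51.100.20", "success"),
]
# Assumed baseline: networks each account has historically logged in from.
BASELINE = {
    "filer01": [ipaddress.ip_network("192.0.2.0/24")],
    "vet02": [ipaddress.ip_network("198.51.100.0/24")],
}

def flag_accounts(events, baseline, max_daily=3, quiet_hours=range(0, 5)):
    """Return {account: sorted reasons} for accounts that should get step-up auth.

    Only successful logins are scored: the risk modelled here is a valid
    stolen password being used, which produces no failed attempts.
    """
    daily = defaultdict(int)
    reasons = defaultdict(set)
    for ts, account, ip, result in events:
        if result != "success":
            continue
        when = datetime.fromisoformat(ts)
        daily[(account, when.date())] += 1
        if daily[(account, when.date())] > max_daily:
            reasons[account].add("high_frequency")
        if when.hour in quiet_hours:
            reasons[account].add("unusual_hours")
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in baseline.get(account, ())):
            reasons[account].add("new_source_network")
    return {acct: sorted(r) for acct, r in reasons.items()}

if __name__ == "__main__":
    for acct, why in flag_accounts(EVENTS, BASELINE).items():
        print(f"step-up required for {acct}: {', '.join(why)}")
```

A password-only failure count would miss every event scored here, which is why the check keys on frequency, time of day, and source network of successful sessions.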
Sources: Young hacker's Instagram boasts lead to guilty plea in US government breach - thrustflagwire