Sometimes the cybersecurity stories write themselves. Nicholas Moore, 24, used the Instagram handle "ihackedthegovernment" to brag about his exploits. Then he pleaded guilty to actually hacking government systems. The opsec here is legendarily bad, but it highlights a real issue: government systems remain vulnerable to relatively unsophisticated attacks.

Moore breached three major government platforms: the U.S. Supreme Court's electronic filing system (which he accessed at least 25 times over two months), AmeriCorps accounts, and the Department of Veterans Affairs' MyHealtheVet platform. He wasn't using sophisticated zero-day exploits or advanced persistent threat tactics. He was logging in with stolen usernames and passwords.

Let that sink in. The Supreme Court's filing system. The VA's health portal. Multiple government platforms compromised by someone reusing stolen credentials. This isn't a failure of cutting-edge security—it's a failure of basic credential hygiene.

The attacks happened throughout 2023, with Moore sometimes accessing the same system multiple times in a single day. He didn't monetize the access or deploy ransomware. He didn't leak classified information or sell data to foreign actors. He just... bragged about it on Instagram using a handle that literally advertised what he was doing.

The judge apparently joked during sentencing that Moore demonstrated high potential for legitimate security work, given how easily he penetrated government systems. That's actually not a joke—it's a damning indictment of federal cybersecurity.

Moore received one year of probation. Prosecutors declined to seek jail time, citing his vulnerable status, limited resources, and the fact that he didn't cause material harm with the access. He was showing off to online acquaintances, not conducting espionage.

But here's what should terrify everyone: if someone brazen enough to call themselves "ihackedthegovernment" can successfully breach multiple federal systems, what are sophisticated state actors doing? Moore's tradecraft was terrible. He announced his activities publicly. He reused the same tactics. He left obvious trails.

Real attackers don't make these mistakes. Nation-state operators and serious criminal groups maintain persistent access to critical systems for months or years without detection. They don't brag about it on Instagram. They don't leave obvious forensic evidence. They're careful, patient, and professional.

The credential stuffing attack Moore used—trying lists of previously compromised usernames and passwords against different services—is among the most basic attack vectors. It works because people reuse passwords and because systems don't implement adequate protections against automated login attempts.

The fact that Supreme Court and VA systems were vulnerable to this attack in 2023 suggests fundamental security failures. We're talking about multi-factor authentication, rate limiting on login attempts, credential monitoring—basic security hygiene that should have been implemented years ago.

Every federal system should require MFA. Period. The technology is mature, the implementations are well-understood, and the protection it provides against credential-based attacks is significant. If government systems aren't using MFA in 2023, someone should be fired.

Moore's case is almost funny in how badly he failed at operational security. But the underlying security failures that enabled his attacks aren't funny at all. Government systems protecting sensitive information should not be vulnerable to automated credential stuffing by someone advertising their activities on social media.

The sentence—one year probation with no jail time—sends its own message. Moore didn't cause serious damage and clearly wasn't sophisticated. But it also suggests the government doesn't take these intrusions seriously enough to pursue meaningful deterrence.

If you can hack the Supreme Court's filing system, brag about it on Instagram, and walk away with probation, why wouldn't someone try? The risk-reward calculation is absurdly favorable to attackers.

This story should be a wake-up call. If basic attacks succeed against high-profile government systems, the security posture across the entire federal infrastructure is probably worse than we think. Moore was just dumb enough to get caught. Competent attackers are still in there.