A hacker who breached the U.S. Supreme Court’s electronic filing platform posted victims’ personal information on Instagram, according to a newly unsealed court filing. The defendant, identified in court records as Nicholas Moore of Tennessee, admitted to repeatedly accessing restricted systems and then publicizing stolen data on an account using the handle @ihackthegovernment.
The filing, first flagged by Court Watch researcher Seamus Hughes, adds key details to the guilty plea, revealing that the Supreme Court breach was part of a broader campaign that also targeted AmeriCorps and the Department of Veterans Affairs. Investigators say Moore used stolen logins to impersonate legitimate users, a tactic that allowed him to quietly slip past access controls and exfiltrate sensitive information.
What Newly Unsealed Court Records Reveal About Breach
Prosecutors say Moore leveraged compromised credentials to enter the Supreme Court’s electronic filing system—separate from the PACER platform used by lower federal courts—and then posted a victim’s name and a history of their filing activity. In a separate intrusion, the filing states that Moore accessed AmeriCorps servers and boasted about it online while publishing a victim’s name, date of birth, contact details, citizenship and veteran status, service history, and the last four digits of their Social Security number.
The VA breach, according to the filing, crossed into protected health information. Moore allegedly shared a screenshot from the My HealtheVet portal showing a patient’s identity and prescribed medications. Exposing medical details in this way can trigger obligations under HIPAA and raises long-term risks for the affected individual.
The court document notes that the offense carries a maximum sentence of one year in prison and a fine of up to $100,000. While sentencing guidelines consider factors like criminal history and cooperation, the case underscores how credential misuse can lead to high-impact compromises even without sophisticated malware or zero-day exploits.
How Stolen Credentials Fueled the Breach
The intrusions follow a familiar pattern: logins harvested or bought from criminal marketplaces are reused to access government portals that still allow password-based entry. Security researchers and incident responders routinely see “credential stuffing,” where attackers test known username–password pairs against multiple services, capitalizing on password reuse and weak authentication policies.
Federal cybersecurity guidance has increasingly focused on shutting this door. The Office of Management and Budget’s zero trust strategy requires agencies to adopt phishing-resistant multi-factor authentication—such as FIDO2 security keys—across users and systems. CISA has also directed agencies to reduce attack surface and patch known exploited vulnerabilities through binding operational directives, while promoting continuous monitoring to detect anomalous logins. The events described in the filing illustrate why these measures are now table stakes.
Beyond login hardening, agencies can blunt the impact of account takeovers with least-privilege access, session-based risk scoring, and rapid disablement of tokens after suspicious activity. Routine password audits, credential exposure checks, and automated takedown of attacker-operated social media accounts further limit damage and deter copycats.
Risks to Victims and Agencies from Credential Breaches
For individuals, the mix of personally identifiable information and health data posted online can open the door to identity theft, targeted phishing, and extortion. AmeriCorps volunteers and alumni may be particularly vulnerable to fraud attempts that leverage service histories or partial Social Security numbers. The VA patient whose records were exposed faces the additional burden of potential medical identity misuse.
For institutions, the episode highlights the reputational and operational costs of credential-based breaches. The Supreme Court’s e-filing infrastructure is a critical workflow tool; any compromise can chill participation or force emergency safeguards that slow the pace of litigation. Agencies that handle citizen services—like AmeriCorps and the VA—must also contend with notification, credit monitoring, and incident response demands that divert resources from mission work.
Platforms and Enforcement Challenges in Data Leaks
Instagram’s rules prohibit sharing others’ confidential or personal information, and Meta routinely removes posts and cooperates with law enforcement in cases involving doxxing or criminal activity. In practice, however, takedown speed can vary, and even brief exposure can allow data to be copied and redistributed. That creates a race between platforms, investigators, and opportunistic data brokers.
Digital evidence—from account activity logs to screenshots—often becomes central to prosecutions involving leaked data. The court filing in this case links posts on @ihackthegovernment to specific intrusions, weaving social media into the evidentiary chain. While the charge carries a limited statutory maximum, the public disclosure of highly sensitive information is likely to weigh heavily at sentencing.
The case is a stark reminder that attackers do not need elite tooling to create outsized harm. A single reused password and a social media megaphone can jeopardize courts, public-service agencies, and the people who rely on them. Agencies that fully implement phishing-resistant MFA, zero trust segmentation, and rapid content takedowns will be best positioned to keep the next “brag dump” from going viral.