The United States Supreme Court is the highest court in the land. Its electronic filing system β used by attorneys, litigants, and court staff to submit and manage legal documents β is a piece of federal government infrastructure by any reasonable definition.
On April 17, 2026, the man who broke into that system dozens of times over several months, also hacked two other federal government networks, and then posted victim data publicly on Instagram was sentenced to one year of probation.
No prison time. No custodial sentence. Twelve months of probation.
Nicholas Moore is 24. He lives in Springfield, Tennessee. And the contrast between what he did and what he received has become the latest flashpoint in an ongoing debate about how the American justice system prices the crime of unauthorised computer access against government infrastructure.
What Moore Actually Did
Between August 29 and October 22, 2023, Moore accessed the Supreme Courtβs Case Management and Electronic Case Filing system without authorisation. He did not do this once. He accessed the system across 25 separate days β sometimes returning to the site multiple times within the same day. The method was not technically sophisticated: Moore used the stolen credential of an authorised user to log in. He did not exploit a zero-day vulnerability or defeat advanced authentication. He had someone elseβs login, and he used it, repeatedly, over nearly two months.
The Supreme Courtβs electronic filing system is not classified infrastructure. But it contains sensitive case documents, attorney communications, and court records associated with active litigation at the highest level of the federal judiciary. Unauthorised access to that system β particularly sustained, repeated access over months β represents a genuine security failure with real implications for the integrity of proceedings managed through it.
Moore did not stop at the Supreme Court. He also accessed AmeriCorpsβ computer servers without authorisation, obtaining records from the federal volunteer service agency. He accessed a Department of Veterans Affairs electronic platform as well β a network that handles data associated with American military veterans, including health information and service records.
Three federal government networks. One was the judicial branch at its apex. One served veterans. All accessed using stolen credentials. All accessed by the same individual across the same period.
The Instagram Problem
If the intrusions alone made this case notable, Mooreβs decision to document and publicise them made it extraordinary.
Moore bragged about the hacks on Instagram under the handle @ihackedthegovernment. He posted victim data β information extracted from the systems he accessed β publicly on the platform. He was not attempting to operate in the shadows. He announced what he had done and showed evidence of it.
This matters legally and contextually. It suggests that the intrusions were motivated at least in part by notoriety rather than financial gain or espionage. Moore does not appear to have sold the data he obtained. He appears to have wanted credit for obtaining it.
That context is relevant to sentencing, but it cuts both ways. On one hand, a teenager seeking attention is less dangerous than a sophisticated actor monetising stolen government data. On the other hand, publicly posting victim data extracted from federal systems β including veteransβ information from the VA β causes real harm to real people regardless of the motivation behind it.
The victims whose data appeared on Mooreβs Instagram did not choose to have their information posted publicly by someone who had broken into government systems to obtain it.
The Charge and Why It Constrained the Sentence
Moore pleaded guilty to a single count of fraud and related activity in connection with computers. The specific charge was a Class A misdemeanor under 18 U.S.C. Β§ 1030 β the Computer Fraud and Abuse Act.
That charge classification is the key to understanding the sentence. A Class A misdemeanor under federal law carries a maximum custodial penalty of one year. The judge sentenced Moore to probation, which is within the sentencing range available under the charge to which he pleaded guilty.
The deeper question is why the charge was a misdemeanor at all. The CFAA contains both misdemeanor and felony provisions. Felony charges under the CFAA typically attach when the intrusion causes or could cause significant damage, when it involves intent to defraud, when it compromises critical infrastructure, or when the value of information obtained exceeds certain thresholds.
The specific charging decision β a single misdemeanor count rather than felony charges across the three intrusion targets β was a prosecutorial choice. Mooreβs guilty plea was to that charge. The probation sentence is legal and consistent with what the misdemeanor charge permits. But the charging decision upstream of the plea is where the substantive judgment about the appropriate criminal weight of Mooreβs conduct was made.
Whether that judgment correctly reflects the severity of sustained, repeated, publicised unauthorised access to three federal government systems β including the Supreme Court and VA β is a question the cybersecurity and legal communities are debating.
The Sentencing Disparity Problem
Mooreβs probation sentence arrives in a landscape where the sentencing outcomes for computer crime are notoriously inconsistent and frequently disconnected from intuitive assessments of harm.
Tyler Buchanan, the Scattered Spider member who pleaded guilty the same day Moore was sentenced, faces up to 22 years for wire fraud conspiracy and aggravated identity theft involving the theft of $8 million in cryptocurrency. The financial harm in Buchananβs case was concrete and quantifiable. The harm in Mooreβs case β repeated unauthorised access to government judicial and veteransβ systems, with victim data posted publicly β is real but harder to price in dollar terms.
Noah Urban, another Scattered Spider member sentenced in 2025, received 10 years and $13 million in restitution for cryptocurrency theft. The contrast with Mooreβs probation is stark, though the charges were substantively different β Urban faced felony wire fraud, not a misdemeanor CFAA count.
The pattern across computer crime sentencing is that financially quantifiable harm maps more reliably to serious criminal consequences than access-based harm. Stealing $8 million is legible to a criminal justice system designed around financial restitution frameworks. Accessing the Supreme Courtβs filing system 25 times without authorisation and posting federal government data on Instagram is harder to translate into the metrics the system is calibrated to price.
This is not unique to Mooreβs case. It is a structural feature of how computer crime law developed β largely in response to financial fraud, identity theft, and ransomware rather than access-for-notoriety cases of this type.
What It Means for Government System Security
The method Moore used β stolen credentials belonging to an authorised user β is worth dwelling on. He did not need to find a vulnerability. He needed a valid username and password. Once he had that, the Supreme Courtβs filing system let him in, repeatedly, over 25 days.
This is a detection and monitoring failure as much as an access control failure. A legitimate userβs credential being used across 25 days of repeated access β sometimes multiple sessions per day β should surface in behavioural analytics as anomalous. If the authorised user whose credential Moore was using was not themselves accessing the system at the same rate, the pattern should be detectable.
It raises the question of what authentication and session monitoring the Supreme Courtβs filing system had in place in 2023, and what changes followed the discovery of the intrusion. The court has not published details of its remediation steps.
For government systems broadly: the Moore case is a reminder that credential theft β not sophisticated zero-day exploitation β is the most common entry point for unauthorised access. The Supreme Court is not a uniquely careless institution. Credential-based intrusion works against most systems because most systems do not have robust anomaly detection layered on top of authentication. Logging a valid login is easy. Flagging that a valid credential is being used in a pattern inconsistent with its legitimate owner is harder, and less commonly implemented.
A Year of Probation
Moore will serve a year of probation. He will not go to prison. The Supreme Courtβs filing system, AmeriCorps, and the VA will update their security postures β or they will not, and the next person with a stolen credential will find the same doors open.
The Instagram handle @ihackedthegovernment has presumably been taken down or deactivated. The federal governmentβs data that appeared on it has not been un-posted. The veterans whose information Moore extracted from the VA cannot un-expose their records.
One year of probation is the legal outcome. Whether it is the appropriate one is a question the Computer Fraud and Abuse Actβs misdemeanor provisions do not answer β they only define the ceiling that prosecutors and judges must work within. The ceiling was set. Mooreβs conduct fit under it. That is the system operating as designed.
Whether the design is right is a separate conversation.
Nicholas Moore was sentenced on April 17, 2026 to one year of probation after pleading guilty to one misdemeanor count of fraud in connection with computers. Moore had accessed the US Supreme Courtβs electronic filing system, AmeriCorps servers, and a VA platform using stolen credentials across 25 days between August and October 2023, and publicly posted victim data on Instagram.
