
Australian Citizen Sentenced For Conducting Fraudulent Wi-Fi Attacks In Aviation Settings

A Perth-based hacker, Michael Clapsis, received a sentence of over seven years in prison for deploying rogue Wi-Fi networks mimicking Qantas services at airports and on aircraft.

The 44-year-old’s “evil twin” attacks, uncovered in April 2024, exposed a broader pattern of cyber offenses, including the theft of intimate images from multiple victims.

District Court Judge Darren Renton highlighted the crimes’ potential to damage Qantas’s reputation and the deep humiliation inflicted on victims.

The incident surfaced when Qantas staff detected an unauthorized Wi-Fi network during a domestic flight.

Clapsis had configured a Wi-Fi Pineapple Nano, a compact Hak5 device popular among penetration testers for wireless auditing, to impersonate the airline’s legitimate free Wi-Fi portal.

This setup exploited passengers’ trust in familiar service set identifiers (SSIDs), such as “Qantas Free Wi-Fi.”

In an evil twin attack, the rogue access point broadcasts an identical SSID to the real network, tricking devices into connecting to it via stronger signal strength or deauthentication floods.

Once associated, victims encounter a phishing-laden captive portal mimicking Qantas’s login page.

Clapsis diverted users to this fake interface, capturing credentials, session cookies, and other data transmitted in plaintext or weakly encrypted forms.

Such tactics thrive in high-density environments like aircraft cabins and airport lounges, where users prioritize connectivity over security verification.

Technical Execution and Evidence Tampering

Forensic analysis by the Australian Federal Police (AFP) revealed Clapsis modified the Pineapple Nano with custom modules, likely including the PineAP suite for automated SSID cloning and credential harvesting.

The device logs handshake captures for offline WPA2 cracking via tools like Hashcat and relays traffic through a man-in-the-middle (MitM) proxy.

Deployments occurred across Perth Airport terminals and onboard flights, risking interception of sensitive aviation data alongside personal information.

Post-arrest at Perth Airport, Clapsis attempted digital erasure: remotely wiping his phone and deleting 1,752 files from his laptop, predominantly stolen intimate media.

He even accessed his employer’s laptop to spy on AFP briefings.

This led to revelations of “systemic” image theft spanning six years, targeting 17 women and girls, including a minor and a police officer, via credential stuffing on online accounts dating back to 2015.

Over 700 nude photos and sex videos were copied without consent.

Sentencing and Broader Implications

Judge Renton imposed a sentence of seven years and four months, with parole eligibility in 2030, citing violations of privacy laws and aviation security protocols. Victims described feeling profoundly exposed and unsafe.

Clapsis’s defense noted autism spectrum disorder and non-distribution of images, but the court emphasized premeditated harm.

This case underscores Wi-Fi vulnerabilities in transit hubs, urging airlines to implement WPA3, certificate pinning, and network segmentation. Qantas now routinely scans for rogue APs.
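One way a rogue-AP scan can flag an evil twin, shown as an added example that is not from the original article and not Qantas's tooling: compare surveyed beacons against an inventory of authorized access points. The inventory, BSSIDs, channels, the "CafeGuest" SSID and the scan records are constructed assumptions.

```python
from collections import namedtuple

# One beacon seen during a wireless survey (constructed record format).
Beacon = namedtuple("Beacon", "ssid bssid channel security rssi")

# Hypothetical inventory: authorized APs for each protected SSID.
AUTHORIZED = {
    "Qantas Free Wi-Fi": {
        "02:00:00:aa:00:01": {"channel": 36, "security": "OPEN"},
        "02:00:00:aa:00:02": {"channel": 149, "security": "OPEN"},
    }
}

def normalize(ssid):
    """Fold case and whitespace so look-alike SSIDs compare equal."""
    return " ".join(ssid.split()).casefold()

def find_rogues(beacons, authorized=AUTHORIZED):
    """Return (bssid, reason) findings, strongest signal first."""
    protected = {normalize(s): aps for s, aps in authorized.items()}
    findings = []
    for b in beacons:
        aps = protected.get(normalize(b.ssid))
        if aps is None:
            continue  # SSID is not one we protect
        bssid = b.bssid.lower()
        known = aps.get(bssid)
        if known is None:
            # Same (or look-alike) SSID from hardware we do not own.
            findings.append((b.rssi, bssid, "unknown-bssid"))
        elif (b.channel, b.security) != (known["channel"], known["security"]):
            # Our BSSID, wrong radio profile: possible cloned MAC.
            findings.append((b.rssi, bssid, "profile-mismatch"))
    findings.sort(key=lambda f: f[0], reverse=True)
    return [(bssid, reason) for _, bssid, reason in findings]

# Constructed survey data for illustration.
SAMPLE_SCAN = [
    Beacon("Qantas Free Wi-Fi", "02:00:00:AA:00:01", 36, "OPEN", -67),
    Beacon("Qantas Free Wi-Fi", "02:00:00:bb:00:99", 6, "OPEN", -41),
    Beacon("qantas free  wi-fi", "02:00:00:bb:00:9a", 11, "OPEN", -58),
    Beacon("Qantas Free Wi-Fi", "02:00:00:aa:00:02", 1, "OPEN", -50),
    Beacon("CafeGuest", "02:00:00:cc:00:10", 1, "WPA2", -70),
]

if __name__ == "__main__":
    for bssid, reason in find_rogues(SAMPLE_SCAN):
        print(bssid, reason)
```

Findings are ordered by signal strength because the strongest unauthorized beacon is the one client devices are most likely to join.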

Varshini

Varshini is a cyber security expert in threat analysis, vulnerability assessment, and research. Passionate about staying ahead of emerging threats and technologies.
