It’s April 2024, and there's a domestic flight flying somewhere over Australia. A flight attendant just finished doing their rounds; walking through the cabin, checking buckled seatbelts, and collecting trash. When they finish, they go to the back, and check their phone. But they notice something weird when they try to connect to the wifi.

They see the airline's WiFi network, but there's also another one.. with the same exact name. Character for character, this other network is identical. So two networks both claiming to be the airline’s Guest WiFi.

It was strange enough that the flight attendant felt the need to report it. And good on her, because that report began an investigation that would bring down a 6 year long digital crime and intrusion of privacy.

So the plane lands in Perth, and the Australian Federal Police are already waiting at the gate. They begin searching crew members bags and checking the carry ons of everyone on the flight.

They finally reach a man named Michel Clapsis.

And in his carry-on bag, they find a laptop, a phone, and a little device about the size of a small router.

It's called a WiFi Pineapple.

Now, a WiFi Pineapple is actually a legit tool. It's made by this company called Hak5 and has been around since like 2008. Security professionals use it to test networks and find other security vulnerabilities. You can literally just buy one online. Hundred bucks. Totally legal.

It's basically a platform. It gives you the tools to monitor wireless traffic, see what devices are nearby, and what networks that those devices are looking for. You can even create your own access points. But you have to set all of that up yourself. The device isn't doing anything shady on its own-it's just hardware. The person using it decides what to do with it.

So, Michael configured his Pineapple to broadcast a network with whatever name matched where he was. "Airline_Guest_WiFi" when he was on a plane. "Free_Airport_Wifi" when he was at a gate terminal. This is called an evil twin attack. He built the fake login pages himself. Set up the whole system to capture credentials when people typed them in.

And think about where this guy was doing this. Airports. Airplanes. Places where everyone is bored and desperate for internet. You're sitting at the gate with an hour to kill. You see airport WiFi, you connect, and a login page pops up asking for your email. You type it in without thinking. Why would you think about it? But that login page could be fake. It could be running on a wifi Pineapple. And whatever you type in goes straight to whoever's running it. Michael set it up to look like standard captive portals that said "Sign in with Facebook or Instagram" to continue. And people would enter their usernames and passwords, thinking they're just logging into WiFi.

So the police grab his devices and start going through them. And what they found, was.. a lot.

Thousands of intimate photos and videos. All the private stuff that people had stored in their accounts. Over six years, this guy had collected more than 700 photos and videos from 17 different victims. A lot of it was explicit content. Personal stuff that was never meant for anyone else to see. One of the victims was only seventeen years old. Another was a cop. Some of them actually knew him personally. But most had no idea anything was wrong until investigators reached out to tell them.

The day after police search his stuff, Michael started panicking. He deleted almost 2000 files from his cloud storage trying to remotely wipe his phone, but the phone was already in police custody, so that didn’t work. Then, he found a way to hack into his old job’s laptop, and he used it to access confidential meetings between his company and the cops investigating him. He was trying to figure out what they knew about him. It didn't help.

On May 8th, 2024, police show up at his house with another search warrant and officially arrest him. The court case was rough. Victim impact statements talked about feeling violated, exposed, and unsafe. One person said even though Clapsis never physically touched them, it felt like their body had been violated.

The judge called it "systemic offending", and it showed planning, persistence, and willingness to obstruct justice. His defense tried to explain it by saying he had autism, and he never shared the images with anyone. But that didn't really change anything. On November 2024, Michael Clapsis was sentenced to seven years and four months in prison.

So what does this mean for you? Practically. What should you do? Is public wifi safe? The thing is, public WiFi isn't as dangerous as people make it sound. And that's because of HTTPS, which stands for Hypertext Transfer Protocol Secure.

You see it at the beginning of most URLs. HTTPS encrypts everything between you and the website. So even if you're on some sketchy network and someone's watching your traffic, all they see is scrambled data. They can see you're going to “instagram.com”, but they can't see what you're doing there. Can't see your password. Can't see your DMs. It's fully encrypted end-to-end.

And the good news is almost every site uses HTTPS now. Your email, your social media accounts, your banking apps, and even shopping sites. It's pretty much standard at this point. So just being on public WiFi doesn't automatically mean someone can steal your info. The real danger in what Michael was doing was the fake login pages.

See, HTTPS protects you once you're on a legit site. But if someone tricks you into typing your password on a fake page before you even get to the real site? HTTPS can't help you there. Bad guys are really good at making a page look like the real one. So that's what you actually need to watch out for.

When you connect to public WiFi and a login page pops up, look at what it's asking for. Normal wifi portals might ask you to accept terms of service. Maybe enter an email for a confirmation. Basic stuff.

But if a WiFi login page is asking for your Instagram password? Your Gmail login? Your Facebook credentials? That's not normal. Real networks don't need your social media passwords to let you browse the internet. What you’re looking at is most likely a phishing page. Close it. Don't enter anything, and just find another way to surf the web.

Clapsis ran this for six years before anyone noticed. And the only reason he got caught was because one crew member looked at their phone and thought "huh, that's weird".

But how many other setups like this are running right now? At airports, coffee shops, hotels, conferences? Just harvesting and collecting passwords from people who will never put the pieces together and connect the dots that their now hacked accounts are actually linked back to that random WiFi they connected to last month?

I hear stories from people all the time. They got hacked, and they have no idea how. It could've been so many different things that they’re just unaware of. Most people don’t know what the threats are. But that’s why we're here.

To tell you stories like this.

So listen and learn & dontgetgot.