Who was Steve Waithe, and how was he involved?

Steve Waithe was a former Northeastern University track coach who hired Svara to hack the Snapchat accounts of female student-athletes he coached, leading to his conviction and a five-year prison sentence in March 2024.

What are the potential legal consequences for Svara?

Svara faces charges including aggravated identity theft, wire fraud, computer fraud, and making false statements related to child pornography, with potential sentences ranging from two to twenty years in prison.

Illinois Man's Phishing Scheme Compromises Hundreds of Women's Snapchat Accounts

Discover how a sophisticated phishing attack led to the unauthorized access of nearly 600 women's Snapchat accounts, highlighting the critical need for enhanced cybersecurity measures.

Published: February 7, 2026

Share this on:

Executive Summary

Between May 2020 and February 2021, Kyle Svara, a 26-year-old from Illinois, orchestrated a phishing campaign targeting nearly 600 women to gain unauthorized access to their Snapchat accounts. By impersonating Snap Inc. representatives, he solicited security codes from over 4,500 individuals, successfully compromising at least 59 accounts to steal and distribute private images. Notably, Svara collaborated with former Northeastern University track coach Steve Waithe, who hired him to hack accounts of female student-athletes. Waithe was sentenced to five years in prison in March 2024 for related offenses. (bleepingcomputer.com)

This incident underscores the persistent threat of social engineering attacks and the exploitation of personal data for malicious purposes. Organizations must remain vigilant against such tactics, emphasizing the importance of user education and robust security measures to protect sensitive information.

Why This Matters Now

The rise in social engineering attacks targeting personal data highlights the urgent need for enhanced cybersecurity awareness and protective measures to safeguard individuals' privacy.

Attack Path Analysis

The attacker initiated the attack by sending phishing messages to victims, impersonating Snap representatives to obtain access codes. Using the acquired credentials, the attacker accessed victims' Snapchat accounts without authorization. The attacker then exfiltrated private photos from the compromised accounts. Subsequently, the attacker sold or traded the stolen content online, causing significant harm to the victims.

Kill Chain Progression

Initial Compromise

High

Privilege Escalation

High

Lateral Movement

Mediuminferred

Command & Control

Mediuminferred

Exfiltration

High

Impact

High

Initial Compromise

Description

The attacker sent phishing messages to victims, impersonating Snap representatives to obtain access codes.

Confidence:

High

MITRE ATT&CK® Techniques

Techniques identified for SEO/filtering; may be expanded with full STIX/TAXII enrichment later.

Initial Access

T1566.001

Spearphishing Attachment

Initial Access

T1566.002

Spearphishing Link

Resource Development

T1586.002

Compromise Accounts: Email Accounts

Lateral Movement

T1534

Internal Spearphishing

Initial Access

T1656

Impersonation

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

PCI DSS 4.0 – Security Awareness Training

Control ID: 6.4.3

The incident highlights the need for comprehensive security awareness training to educate users on recognizing and avoiding phishing attempts, as mandated by PCI DSS 4.0.

NYDFS 23 NYCRR 500 – Cybersecurity Awareness Training

Control ID: 500.14(b)

The breach underscores the importance of regular cybersecurity awareness training for personnel to mitigate risks associated with social engineering attacks, in compliance with NYDFS regulations.

DORA – ICT Risk Management Framework

Control ID: Article 13

The incident demonstrates the necessity for a robust ICT risk management framework to identify and address vulnerabilities exploited through phishing and account compromise, as required by DORA.

CISA Zero Trust Maturity Model 2.0 – Multi-Factor Authentication

Control ID: Identity Pillar

The attack emphasizes the critical role of implementing multi-factor authentication to prevent unauthorized access resulting from credential theft, aligning with CISA's Zero Trust principles.

NIS2 Directive – Cybersecurity Risk Management Measures

Control ID: Article 21

The breach highlights the need for comprehensive risk management measures, including user education and access controls, to protect against social engineering attacks, as stipulated by the NIS2 Directive.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Higher Education/Acadamia

Universities face severe social engineering risks targeting student accounts, requiring enhanced identity protection and egress security to prevent data exfiltration and sextortion schemes.

Computer Software/Engineering

Social media platforms must strengthen authentication mechanisms and implement zero trust segmentation to prevent phishing attacks and unauthorized account access at scale.

Sports

Athletic organizations vulnerable to targeted account compromise campaigns by malicious actors exploiting coach-athlete relationships for sextortion and image theft purposes.

Legal Services

Law enforcement and legal professionals handling cybercrime cases require enhanced threat detection capabilities to investigate social engineering attacks and digital evidence collection.

Sources

Man pleads guilty to hacking nearly 600 women’s Snapchat accountshttps://www.bleepingcomputer.com/news/security/man-pleads-guilty-to-hacking-nearly-600-womens-snapchat-accounts/
Verified

Avoiding Social Engineering and Phishing Attackshttps://www.cisa.gov/news-events/news/avoiding-social-engineering-and-phishing-attacks

Verified

You Got Phished? Of Course! You're Human...https://www.bleepingcomputer.com/news/security/you-got-phished-of-course-youre-human/

Verified

Frequently Asked Questions

Svara employed social engineering by impersonating Snap Inc. representatives, sending messages to victims requesting their security codes, which allowed him to access their accounts.

Cloud Native Security Fabric Mitigations and ControlsCNSF

Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and controlled egress policies.

Initial Compromise

Control: Cloud Native Security Fabric (CNSF)

Mitigation: While Aviatrix CNSF primarily focuses on network-level controls, its integration with identity-aware policies could have limited unauthorized access attempts.

Privilege Escalation

Control: Zero Trust Segmentation

Mitigation: Zero Trust Segmentation would likely have limited the attacker's ability to escalate privileges by enforcing strict access controls.

Lateral Movement

Control: East-West Traffic Security

Mitigation: East-West Traffic Security could have constrained the attacker's lateral movement by monitoring and controlling internal traffic.

Command & Control

Control: Multicloud Visibility & Control

Mitigation: Multicloud Visibility & Control would likely have provided insights into unauthorized access patterns, aiding in the detection of command and control activities.

Exfiltration

Control: Egress Security & Policy Enforcement

Mitigation: Egress Security & Policy Enforcement could have limited data exfiltration by controlling outbound traffic.

Impact (Mitigations)

While Aviatrix CNSF could have constrained earlier stages of the attack, the impact stage highlights the residual risk and underscores the importance of comprehensive security measures.

Impact at a Glance

Affected Business Functions

User Account Security
Data Privacy Compliance

Operational Disruption

Estimated downtime: N/A

Financial Impact

Estimated loss: N/A

Data Exposure

Personal and sensitive images of approximately 570 individuals.

Recommended Actions

• Implement multi-factor authentication (MFA) to prevent unauthorized access even if credentials are compromised.
• Educate users on recognizing phishing attempts to reduce the risk of credential theft.
• Deploy anomaly detection systems to identify unusual access patterns indicative of account compromise.
• Enforce least privilege access controls to limit the potential impact of compromised accounts.
• Regularly monitor and audit account activities to detect and respond to unauthorized access promptly.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Stop Advanced Threats Get a Free Workload Attack Path Assessment Under Active Attack?

Illinois Man's Phishing Scheme Compromises Hundreds of Women's Snapchat Accounts

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

MITRE ATT&CK® Techniques

Spearphishing Attachment

Spearphishing Link

Compromise Accounts: Email Accounts

Internal Spearphishing

Impersonation

Potential Compliance Exposure

PCI DSS 4.0 – Security Awareness Training

NYDFS 23 NYCRR 500 – Cybersecurity Awareness Training

DORA – ICT Risk Management Framework

CISA Zero Trust Maturity Model 2.0 – Multi-Factor Authentication

NIS2 Directive – Cybersecurity Risk Management Measures

Sector Implications

Higher Education/Acadamia

Computer Software/Engineering

Sports

Legal Services

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads