The Swiss hacktivist who gained access to the security cameras of the California startup Verkada in March 2021 has been indicted by the US government for computer crimes from 2019 to present, including accessing and publicly disclosing source code and proprietary data of corporate and government victims in the United States and beyond.
Till Kottmann, 21, aka ‘tillie crimew’ and ‘deletescape’, resides in Lucerne, Switzerland, and is a member of a hacking collective self-named APT 69420 / Arson Cats. Most recently, Kottmann admitted accessing the Verkada surveillance cameras used by many large enterprises, including Tesla, Okta, Cloudflare, and Nissan, as well as schools, correctional facilities, and hospitals. Live surveillance camera streams and archived footage were accessed between March 7 and March 9, 2021, and screenshots and videos of the footage were published online.
Ethical hackers often exploit vulnerabilities and gain access to systems and their efforts often result in vulnerabilities being addressed before they can be exploited by bad actors. The vulnerabilities are reported to the entities in question, and steps are taken to fix the vulnerabilities before details are publicly disclosed. In the case of Kottmann, responsible disclosure procedures were not followed. Sensitive information obtained from victims’ networks was publicly disclosed, with no attempts made to notify the breached entities directly prior to the disclosure of stolen data.
On March 18, 2021, Kottmann was indicted by a grand jury in the Western District of Washington for a string of computer intrusion and identity and data theft activities from 2019 to present. The indictment, which only names Kottmann, includes charges of one count of conspiracy to commit computer fraud and abuse, several counts of wire fraud, one count of conspiracy to commit wire fraud, and one count of aggravated identity theft.
Conspiracy to commit computer fraud and abuse carries a maximum jail term of 5 years, the wire fraud and conspiracy to commit wire fraud charges have a maximum jail term of 20 years, and the aggravated identity theft charge has a mandatory 24-month jail term, which runs consecutively to other sentences.
According to the indictment, Kottmann and co-conspirators hacked the systems of dozens of companies and government entities and published data stolen from more than 100 companies on the Internet. Kottmann most often targeted git and other source code repositories, cloning source code, files, and other confidential information, which often included access codes, hard-coded credentials, and other means of gaining access to corporate networks. Kottmann then used the stolen credentials for further intrusions, often copying additional information from victims’ networks before leaking the stolen data online.
According to the indictment, Kottmann would speak with the media and publish information on social media networks about her role in the hacks “to recruit others, grow the scheme, and further promote the hacking activity and Kottmann’s own reputation in the hacking community.”
The FBI’s cyber task force led the investigation into Kottmann, with Swiss law enforcement executing a search warrant of Kottmann’s property in Lucerne on March 12, 2021, that resulted in computer equipment being seized. The FBI recently seized a domain that was operated by Kottmann and used to publicly disclose stolen data.
“Stealing credentials and data, and publishing source code and proprietary and sensitive information on the web is not protected speech–it is theft and fraud,” said Acting U.S. Attorney Tessa M. Gorman. “These actions can increase vulnerabilities for everyone from large corporations to individual consumers. Wrapping oneself in an allegedly altruistic motive does not remove the criminal stench from such intrusion, theft, and fraud.”