A Swiss computer hacker named Tillie Kottmann has been charged by the US government with multiple accounts of wire fraud, conspiracy, and identity theft. The indictment accuses Kottmann and co-conspirators of hacking “dozens of companies and government entities,” and posting private data and source code belonging to more than 100 firms online.
The 21-year-old Kottmann, who uses they / them pronouns, was most recently connected to the security breach of US firm Verkada, which exposed footage from more than 150,000 of the companies’ surveillance cameras. But the charges filed this week date back to 2019, with Kottmann and associates accused of targeting online code repositories (known as “gits”) belonging to major private and public sector entities, ripping their contents and sharing them to a website they founded and maintained named git.rip.
Git.rip has since been seized by the FBI, but previously shared code and data belonging to numerous companies including Microsoft, Intel, Nissan, Nintendo, Disney, AMD, Qualcomm, Motorola, Adobe, Lenovo, Roblox, and many others (though no firms are explicitly named in the indictment). The exact nature of this data varied in each case. A rip of hundreds of code repositories maintained by German automaker Daimler AG contained the source code for valuable smart car components, for example, while a breach of Nintendo’s systems (which Kottmann said did not originate from them directly but which they reshared through a Telegram channel) offered gamers rare insight into unreleased features from old games.
In interviews about earlier breaches, Kottmann noted repeatedly that the data they found was usually exposed by companies’ own poor security standards. “I often just hunt for interesting GitLab instances, mostly with just simple Google dorks, when I’m bored, and I keep being amazed by how little thought seems to go into the security settings,” Kottmann told ZDNet in May 2020. (“Google dorks” or “Google dorking” refers to the use of advanced search strings to find vulnerabilities on public servers using Google.)
In the case of the Verkada breach, Kottmann and their associates reportedly found “super admin” credentials that gave them unfettered access to the company’s systems that were “publicly exposed on the internet.” These logins allowed the hackers to look through the live feeds of more than 150,000 internet-connected cameras. These cameras were installed in various facilities including prisons, hospitals, warehouses, and Tesla factories.
Kottmann said they were motivated by a hacktivist spirit: wanting to expose the poor security work of corporations before malicious actors could cause greater damage. Kottmann told BleedingComputer last June that they didn’t always contact companies before exposing their data, but that they attempted to prevent direct harm. “I try to do my best to prevent any major things resulting directly from my releases,” they said.
After the Verkada breach, Kottmann told Bloomberg their reasons for hacking were “lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism — and it’s also just too much fun not to do it.”
The US government, not surprisingly, takes a dimmer view of these activities. “Stealing credentials and data, and publishing source code and proprietary and sensitive information on the web is not protected speech — it is theft and fraud,” Acting U.S. Attorney Tessa M. Gorman said in a press statement. “These actions can increase vulnerabilities for everyone from large corporations to individual consumers. Wrapping oneself in an allegedly altruistic motive does not remove the criminal stench from such intrusion, theft, and fraud.”
The indictment includes as evidence, numerous tweets and messages sent by Kottmann using handles including @deletescape and @antiproprietary. These include a tweet sent on May 17, 2020 saying “i love helping companies open source their code;” messages to an unnamed associate soliciting “access to any confidential info, documents, binaries or source code;” and tweets sent on October 21 in which Kottmann said that “stealing and releasing” corporate data was “the morally correct thing to do.”
Kottmann is currently located in Lucerne, Switzerland, where their premises were recently raided by Swiss authorities and their devices seized. Whether or not they will be extradited to the US is unclear. Bloomberg reports that Kottmann has retained the services of Zurich lawyer Marcel Bosonnet, who previously represented Edward Snowden. The charges against Kottmann carry up to 20 year prison sentences.
Update, Sunday March 21, 3:37PM ET: The story has been updated to reflect Kottmann’s preferred use of the name Tillie throughout.