The Swiss hacktivist who gained access to California startup Verkada’s security cameras in March 2021 has been indicted by the US government for computer crimes from 2019 to present, including accessing and publicly disclosing source code and proprietary data from victimized companies and governments in the United States and beyond.
Till Kottmann, 21, aka ‘tillie crimew’ and ‘deletescape’, resides in Lucerne, Switzerland, and is a member of a self-named hacking collective, APT 69420 / Arson Cats. More recently, Kottmann admitted to accessing Verkada surveillance cameras used by many large companies, including Tesla, Okta, Cloudflare and Nissan, as well as schools, correctional facilities and hospitals. Live feeds from surveillance cameras and archived footage were viewed between March 7 and March 9, 2021, and screenshots and videos of the footage have been posted online.
Ethical hackers often exploit vulnerabilities and gain access to systems and their efforts often result in fixing vulnerabilities before they can be exploited by malicious actors. Vulnerabilities are reported to the entities in question and steps are taken to patch vulnerabilities before details are publicly disclosed. In Kottmann’s case, responsible disclosure procedures were not followed. Sensitive information obtained from the victims’ networks was publicly disclosed, with no attempt made to notify relevant entities directly prior to the disclosure of the stolen data.
On March 18, 2021, Kottmann was indicted by a grand jury in the Western District of Washington for a series of computer intrusion and identity and data theft activities from 2019 to present. The indictment, which names only Kottmann, includes counts of conspiracy to commit computer fraud and abuse, multiple counts of wire fraud, one count of conspiracy to commit wire fraud and one count of aggravated impersonation.
Conspiracy to commit computer fraud and abuse is punishable by up to 5 years' imprisonment, charges of wire fraud and conspiracy to commit computer fraud are punishable by a maximum of 20 years' imprisonment, and the charge of aggravated impersonation carries a mandatory 24-month prison term, which runs consecutively to other sentences.
According to the indictment, Kottmann and his co-conspirators hacked into the systems of dozens of companies and government entities and released data stolen from more than 100 companies on the Internet. Kottmann most often targeted git and other source code repositories, and cloned source code, files, and other confidential information, which often included access codes, hard-coded credentials, and other means of accessing corporate networks. Kottmann then used the stolen credentials for further intrusions, often copying additional information from the victims’ networks before releasing the stolen data online.
According to the indictment, Kottmann would speak with the media and post on social media about his role in the hacks “to recruit others, grow the program, and further promote the hacking activity and own reputation of Kottmann in the hacking community.”
The FBI Cyber Task Force led the investigation into Kottmann, with Swiss law enforcement executing a search warrant of Kottmann’s property in Lucerne on March 12, 2021, which resulted in the seizure of computer equipment. The FBI recently seized a domain operated by Kottmann and used to publicly disclose stolen data.
“Stealing credentials and data, and posting source code and proprietary and sensitive information on the web is not protected speech – it’s theft and fraud,” said Acting US Attorney Tessa M. Gorman. “These actions can increase vulnerabilities for everyone from large corporations to individual consumers. Wrapping oneself up in a supposedly altruistic motive does not remove the criminal stench of such intrusion, theft and fraud.”