The U.S. government has accused Swiss computer hacker Tillie Kottmann of several counts of wire fraud, conspiracy, and identity theft. The indictment accuses Kottmann and co-conspirators of hacking “dozens of corporations and public bodies” and publishing online personal data and the source code of over 100 companies.
The 21-year-old Kottmann, who uses they/them pronouns, was most recently associated with a security breach at U.S. company Verkada, which exposed footage from more than 150,000 of the company's surveillance cameras. But the charges filed this week date back to 2019, when Kottmann and associates are accused of targeting, ripping, and posting material on a website that Kottmann created and managed called git.rip.
Git.rip has since been seized by the FBI, but it had shared code and data from many companies, including Microsoft, Intel, Nissan, Nintendo, Disney, AMD, Qualcomm, Motorola, Adobe, Lenovo, Roblox, and many more (though no firms are explicitly named in the indictment). In each case, the nature of the data differed. The source code for valuable smart car components, for instance, was found in hundreds of code repositories run by German automaker Daimler AG. A breach involving Nintendo’s programs, which Kottmann said did not originate directly with them but was reshared through a Telegram channel, gave players unique insights into unreleased features from old games.
In interviews about previous breaches, Kottmann consistently stated that the data they found had generally been left exposed by the companies' own weak security standards. “I always only search for interesting GitLab instances, often with simple Google dorks, when I get bored and I am always amazed that there seems to be little thought on defense,” Kottmann told ZDNet in May 2020. (“Google dorks” or “Google dorking” refers to the use of advanced Google search strings to find vulnerabilities on public servers.)
In the case of the Verkada breach, Kottmann and their partners reportedly found “Super Admin” credentials that had been “publicly exposed on the internet” and that gave them unrestricted access to the company's systems. These credentials allowed the hackers to view live feeds from over 150,000 internet-connected cameras. These cameras were mounted in jails, hospitals, warehouses, and Tesla factories.
Kottmann said the spirit of hacktivism guided them: they wanted to reveal companies’ shoddy security work before malicious actors could cause more significant damage. Kottmann told BleepingComputer last June that they did not often contact businesses before exposing their data but tried to avoid direct harm. “I am trying to do my best to keep any big things from being released directly,” they said.
Following the Verkada breach, Kottmann told Bloomberg that the reason behind their hacking was “much interest, freedom of information and intellectual property, big doses of anti-capitalism, a touch of anarchy—and it’s just too much fun not to do that.”
Not surprisingly, the U.S. government takes a dimmer view of these practices. “Stealing credentials and data and posting on the web source code, confidential and sensitive information is not free speech — it is theft and fraud,” Acting U.S. Attorney Tessa M. Gorman said in a press release. “These activities will raise everybody’s vulnerabilities to individual customers from large firms. Sticking with a supposedly altruistic excuse does not eradicate the illegal stench from such intrusion, robbery and fraud.”
The charges cite as evidence multiple tweets and messages sent by Kottmann using handles such as @deletescape and @antiproprietary. These include a tweet sent on 17 May 2020 saying, “I love to help businesses open source their code”; a message to an anonymous associate asking for “access to all sensitive data, records, binaries or source code”; and a tweet sent on 21 October saying that “stealing and publishing” company data “is the right thing to do morally.”
Kottmann is currently in Lucerne, Switzerland, where the Swiss authorities recently raided their premises and seized their devices. It is unknown whether they will be extradited to the U.S. Bloomberg notes that Kottmann has retained the services of Zurich lawyer Marcel Bosonnet, who previously represented Edward Snowden. The charges against Kottmann are punishable by up to 20 years in prison.