Today, the US Department of Justice has charged a Swiss citizen with hacking over 100 businesses and leaking confidential data through their personal website.
Hacker Till Kottmann (better known as Tillie), 21, from Lucerne, Switzerland, is also the person who broke into the cloud-based surveillance company Verkada last month and released security camera footage from several of its customers, including live feeds from companies such as Tesla, Cloudflare and Okta, as well as from prisons, schools and hospitals.
However, according to court documents released by the DOJ today, the charges go beyond Kottmann’s Verkada hack and relate to the Swiss hacktivist’s activity beginning in 2019, when they began scanning the web for misconfigured source code repositories owned by large companies and government agencies.
Authorities claim that when Kottmann discovered these repositories, instead of notifying the affected organizations, they connected to the exposed applications, downloaded intellectual property, and published the stolen material on their website, git.rip.
Since early 2019, the website has hosted data taken from more than 100 businesses. According to the DOJ, the list includes some of the largest companies in the world, among them Intel, Mercedes-Benz, Nissan, Pepsi, Toyota, GitHub, Microsoft, Adobe, Lenovo, AMD, Qualcomm, Motorola, Hisilicon, Mediatek, GE Appliances, Nintendo, Roblox, Disney, Fastspring, React Mobile, Axial, and numerous others.
In previous interviews with this reporter in 2020, Kottmann said that they found the source code repositories because of misconfigurations.
Kottmann said they collected data not only from GitLab and Bitbucket Git servers but also from SonarQube instances, a source code analysis platform.
In November 2020, following leaks that Kottmann published on the git.rip portal and that were linked to exposed SonarQube instances, the FBI issued an industry-wide alert (PDF) to members of the US private sector, urging businesses to secure their SonarQube servers. Among those affected, the FBI also identified government agencies, not only private firms.
According to officials, Kottmann has often tried, in conversations with journalists and in messages posted on their Twitter profile, to explain their actions as hacktivism against companies that possessed an anti-intellectual-property ideology.
In today’s announcement, the DOJ rejected Kottmann’s justification.
“Stealing credentials and data, publishing source code and sensitive and confidential information on the internet is not protected speech. It is fraud and theft,” said acting US Attorney Tessa M. Gorman.
“These actions could increase the vulnerability for everyone, from big corporations to individuals. Insuring oneself with a charitable motive is not enough to take away the smell of crime of such theft, intrusion and fraud,” Gorman added.
Swiss authorities raided Kottmann’s residence this week, just days after the first news of the hacktivist’s latest attack (the Verkada hack). The DOJ seized the git.rip website a day later, on Saturday, March 13.
Kottmann remains at large. If extradited to the US, tried and found guilty, the Swiss hacker would face a sentence of 2 to 20 years in prison.