The US Department of Justice today charged a Swiss national with hacking into more than 100 companies and leaking proprietary data online on their personal website.
The hacker, Till (more commonly known as Tillie) Kottmann, 21, of Lucerne, Switzerland, is also the individual who breached cloud-based surveillance firm Verkada earlier this month and leaked security camera footage from some of its customers, including streams from companies like Tesla, Cloudflare, and Okta, but also from jails, schools, and hospitals.
But according to court documents published by the DOJ today, the charges predate Kottmann’s Verkada hack and pertain to the Swiss hacktivist’s activity dating back to 2019, when they began scouring the internet for misconfigured source code repositories owned by major corporations and government organizations.
Authorities say Kottmann found these repositories but, instead of notifying the affected organizations, connected to the exposed applications, downloaded intellectual property, and hosted the stolen content on their website, located at git.rip.
Since 2019, the website listed data for more than 100 companies, the DOJ said, a list that included some of the world’s biggest corporations, such as Intel, Mercedes-Benz, Nissan, Pepsi, Toyota, GitHub, Microsoft, Adobe, Lenovo, AMD, Qualcomm, Motorola, Hisilicon, Mediatek, GE Appliances, Nintendo, Roblox, Disney, Fastspring, React Mobile, Axial, and many others.
In multiple interviews with this reporter during 2020, Kottmann said they had found the source code repositories because of misconfigurations.
Kottmann said they collected data from GitLab and Bitbucket Git servers, but also from SonarQube source code management apps.
In November 2020, following a series of leaks by Kottmann on their git.rip portal, which the hacktivist attributed to exposed SonarQube instances, the FBI sent out an industry alert [PDF] to the US private sector urging companies to secure their SonarQube servers. Among the victims, the FBI also listed government agencies, not just private companies.
Officials said that, in conversations with journalists and in messages posted on their Twitter profile, Kottmann often tried to explain their actions as hacktivism against companies, motivated by an anti-intellectual-property ideology.
However, in a statement today, the DOJ disagreed with Kottmann’s approach.
“Stealing credentials and data, and publishing source code and proprietary and sensitive information on the web is not protected speech; it is theft and fraud,” said Acting US Attorney Tessa M. Gorman.
“These actions can increase vulnerabilities for everyone from large corporations to individual consumers. Wrapping oneself in an allegedly altruistic motive does not remove the criminal stench from such intrusion, theft, and fraud,” Gorman added.
Swiss authorities raided Kottmann’s apartment last week, days after news broke about the hacktivist’s latest intrusion (the Verkada hack). The DOJ seized the git.rip website a day later, on Saturday, March 13.
Kottmann is still at large. If extradited, tried, and found guilty in the US, the Swiss hacker would face between two and 20 years in prison.