The US has indicted the Swiss hacktivist who breached surveillance camera provider Verkada and gained access to thousands of live video feeds.
On Thursday, the US Justice Department charged 21-year-old Tillie Kottman with computer fraud, wire fraud, and identity theft.
However, the indictment applies to data breaches Kottman allegedly committed over the past two years, before the hack on Verkada was publicized.
“According to the indictment, since 2019, Kottman and co-conspirators have hacked dozens of companies and government entities and posted the private victim data of more than 100 entities on the web,” the DOJ alleges.
Kottman made waves last week for the Verkada breach, which highlighted both the company’s poor IT security and the vast scale of its surveillance apparatus.
According to Bloomberg, Kottman's hacking group easily achieved access to 15,000 Verkada cameras based in hospitals, schools, bars, stores, and private companies, including Tesla and Cloudflare.
Kottman told Bloomberg the hack “exposes just how broadly we’re being surveilled, and how little care is put into at least securing the platforms used to do so, pursuing nothing but profit.”
To break into the company, Kottman’s hacking group found a username and password for a Verkada administrative account that was publicly exposed on the internet, making it trivial to bypass the company’s IT security.
The group also downloaded Verkada’s customer lists, which Kottman shared with journalists.
Prior to the Verkada breach, Kottman published confidential files from various companies, including Intel and Nissan.
The files were mainly leaked on misconfigured servers or systems protected with weak passwords.
Kottman, who uses they/them pronouns, has previously said hardware and firmware should be free and open source.
Federal officials view Kottman’s activities as a crime.
“Stealing credentials and data, and publishing source code and proprietary and sensitive information on the web is not protected speech—it is theft and fraud,” said Acting US Attorney Tessa Gorman. “These actions can increase vulnerabilities for everyone from large corporations to individual consumers.”
Security researchers often find vulnerabilities in products and websites.
But rather than publicly expose them, they notify the companies in order to give them time to privately patch the flaw.
In return, the companies will sometimes distribute a reward in the form of a “bug bounty.”
However, Kottman appears to be against the bug bounty approach. “The whole hacker thing, in my opinion, should be more about trying to improve the world...doing bug bounties for the Pentagon isn’t really making the world any better,” Kottman told Forbes earlier this month.
Kottman could not be reached for comment.
Last week, following the Verkada breach, law enforcement raided Kottman’s apartment in Switzerland and seized their social media accounts.
They now face up to 27 years in jail if convicted of all charges.
But whether the US will try to extradite Kottman remains unclear.