Swiss Hacker’s Indictment Spotlights Ethics of Activist Attacks

The indictment of a 21-year-old Swiss hacker who claimed credit for exposing the flaws in a surveillance camera company’s system is likely to stir debate about whether attacks by activists for social or political causes are criminal behavior.

Tillie Kottmann, who uses they/them pronouns, was indicted Thursday in Seattle and charged with crimes including wire fraud and identity theft. Kottmann made headlines last week when they claimed credit for gaining access to the 150,000 security cameras sold by San Mateo, California-based Verkada Inc. While the charges don’t involve the Verkada incident, Kottmann previously said they hacked Nissan Motor Co., and leaked documents from chipmaker Intel Corp.

Swiss Hacker’s Indictment Spotlights Ethics of Activist Attacks

Kottmann, in a previous interview, said their hacking is inspired by an anti-intellectual property and anti-capitalist world view. For decades, underground hackers have pushed the limits of the law under the banner of “hacktivism,” pursuing a variety of leftist and anti-authoritarian ideals. In some cases, the U.S. government has been overly aggressive in their prosecution of those hackers, said Gabriella Coleman, a professor at McGill University in Montreal who has extensively researched hacker culture.

“The hammer went down on hackers so heavily from the ’80s to the present, so the hacker community has this in mind,” Coleman said, adding she expects Kottmann to garner even more support in hacker circles following the indictment.

Coleman said the Verkada break-in may be viewed differently than the hacks included in the indictment because Kottmann spoke to a journalist to publicly expose the video cameras’ flaws.

“Some people would see that they did something in the public interest, and some of the escapades from prior were sort of useful hacking escapades,” Coleman said. “A lot of security researchers working for big name companies can identify with that, because their past was also about exploring these systems, and messing around, and sometimes messing up, as well.”

Prosecutors in Seattle, however, sharply rebuked the view that the hacks had any redeeming quality.

“Stealing credentials and data, and publishing source code and proprietary and sensitive information on the web is not protected speech -- it is theft and fraud,” Acting U.S. Attorney Tessa Gorman said in a statement announcing Kottmann’s indictment. “Wrapping oneself in an allegedly altruistic motive does not remove the criminal stench from such intrusion, theft, and fraud.”

The U.S. accused Kottmann of hacking dozens of companies and government agencies, and said Kottmann operated a website, called “git.rip,” that published the internal documents and source code of more than 100 entities. The named victims include the state of Washington and the Washington Department of Transportation, as well as a microchip processor or manufacturer and a maker of tactical equipment.

According to an archive of the “git.rip,” website, it included leaks from the U.S. Air Force Research Laboratory, Toyota Motor Corp., Adobe Inc., General Electric Co., GitHub and more. The site now displays a message stating it has been seized by the Federal Bureau of Investigation.

Scott Nawrocki, a 21-year FBI veteran who investigated cybercases, said the charges against Kottmann are serious whatever the motivations.

“These kinds of individuals have to be held responsible,” said Nawrocki, now managing director of digital investigations and cyber defense at investigations firm Nardello & Co.. “Regardless of ideology, this is not white-hat hacking,” describing those who report computer bugs to companies so they can be fixed. “This is potentially inviting others to conduct hacking operations. To me, that’s criminal activity.”

Nawrocki said there probably would be efforts to extradite Kottmann, and the indictment could limit Kottmann’s travel outside Switzerland because U.S. allies would arrest them.

Swiss lawyer Roman Kost said it’s unlikely Kottmann will be sent to face criminal charges in the U.S., citing Swiss law that allows its citizens not to be extradited without their consent, but they may be punished inside Switzerland.

Swiss hackers “can be tried in Switzerland if there is sufficient suspicion and evidence, and if they are found guilty, they can be punished,” Kost said in an email.

Prosecutors allege that Kottmann sold hacking inspired merchandise, and that they sought contact from journalists in order to promote their data leaks and themselves. Kottman’s T-shirts included the phrases: “venture anticapitalist,” “no gender, only crime,” and “I would never do cybercrime.”

Kottmann, citing the advice of their lawyer, declined to comment on the indictment. Swiss lawyer Marcel Bosonnet confirmed he represents Kottmann, but declined to comment further. The Justice Department also declined to comment.

©2021 Bloomberg L.P.

BQ Install

Bloomberg Quint

Add BloombergQuint App to Home screen.