Maia arson crimew: Difference between revisions

maia arson crimew
A selfie of crimew in 2022
Born	(1999-08-07) August 7, 1999 (age 25) Lucerne, Canton of Lucerne, Switzerland
Nationality	Swiss
Other names	Tillie Kottmann, Deletescape, Tillie crimew
Occupation(s)	Software developer, computer hacker
Known for	No Fly List leak, source code leaks, Verkada hack, Lawnchair Android launcher
Website	maia.crimew.gay

Maia arson crimew^[a] (born August 7, 1999), formerly known as Tillie Kottmann, is a Swiss developer and computer hacker. Crimew is known for leaking source code and other data from companies such as Intel and Nissan, and for discovering a 2019 copy of the United States government's No Fly List on an unsecured cloud server owned by CommuteAir. Crimew was also part of a group that hacked into Verkada in March 2021 and accessed more than 150,000 cameras. She is also the founding developer of the Lawnchair application launcher for Android.^[4][5]

In March 2021, crimew was indicted by a grand jury in the United States on criminal charges related to her alleged hacking activity between 2019 and 2021. The charges were unrelated to the hack of Verkada. Her home and her parents' home were raided by the Swiss police at the request of United States authorities, and her electronic devices were seized. People used the hashtag "#freetillie" to express support for her following the raid, and the Swiss magazine Republik compared her to Jeremy Hammond and Aaron Swartz.^[6]

Crimew was born on August 7, 1999^[7] in the Bruch district of Lucerne in the German-speaking region of Switzerland.^[8][9] As a teenager, she worked in information technology.^[10] She was the founding developer of the popular Android launcher "Lawnchair", which has been maintained by a different development team since February 2021.^[4][5] A member of the Young Socialists Switzerland,^[9] crimew was a candidate for Lucerne City Council in 2020.^[10]

In July 2020, crimew posted source code from dozens of companies to a GitLab repository.^[11] She was credited by Bleeping Computer with originating the Nintendo Gigaleak, but she later told Tom's Guide that Nintendo data was not included in the July leak, and that she had never posted Nintendo code to GitLab because the company was "notorious for quick takedowns".^[12] On August 6, 2020, crimew uploaded more than 20 gigabytes of Intel's proprietary data and source code to Mega.^[13] She obtained the data from another hacker who claimed to have breached Intel around May 2020,^[14] and described it as a first installment which would be followed by more leaks related to Intel.^[13][15] In January 2021, crimew was involved in a source code leak from Nissan, stating that she acquired the leaked code after learning from an anonymous source about a Bitbucket server^[16] that was set up with the default username and password.^[17][18]

Crimew said in March 2021 that most of her breaches did not require much technical skill.^[19] In addition to leaking data herself, she maintained a Telegram channel called "ExConfidential"^[20] where she shared details about leaks by others.^[11][15] In March 2021, Distributed Denial of Secrets created a torrent of data from the channel after crimew's home was raided and her devices were seized.^[21]

On March 8, 2021, a group of hackers including crimew and calling themselves "APT - 69420 Arson Cats"^[22][23] gained "super admin" rights in the network of Verkada, a cloud-based security camera company,^[24] using credentials they found on the public internet.^[25] The group had access to the network for 36 hours.^[24] They collected about 5 gigabytes of data, including live security camera footage and recordings from more than 150,000 cameras in places like a Tesla factory, a jail in Alabama, a Halifax Health hospital, and residential homes.^[26][27] The group also accessed a list of Verkada customers and the company's private financial information,^[25] and gained access to the corporate networks of Cloudflare and Okta through their Verkada cameras.^[26][28]

Crimew acted as the spokesperson for the group of hackers;^[29] during the hack, she tweeted "What if we just absolutely ended surveillance capitalism in two days?"^[30] Her Twitter account was suspended for violating Twitter's terms of service after she used it to share multiple screenshots of live security camera feeds.^[30] She contacted a Bloomberg journalist shortly after the breach, who in turn contacted Verkada, which removed the hackers' access to the network.^[31][6][32] She told Bloomberg that the hack exposed "just how broadly we're being surveilled, and how little care is put into at least securing the platforms used to do so, pursuing nothing but profit".^[26] An acquaintance of crimew told zentralplus [de] that they thought she would have carried out the hack for fun regardless of her political views.^[10]

In March 2021, crimew was indicted by a grand jury in the United States District Court for the Western District of Washington on charges related to several hacks she allegedly carried out between 2019 and 2021.^[8][33] The twelve-page^[29] indictment alleged that crimew hacked dozens of entities,^[34] published proprietary information and code from more than 100 entities including government agencies,^[35] and sold hacking-related merchandise such as t-shirts.^[36] It charged her with counts of computer fraud and abuse, wire fraud, and identity theft. The indictment, and a raid by the Swiss police in which crimew's electronic devices were seized at the request of United States authorities, came shortly after she claimed involvement in the Verkada hack, but did not contain charges related to it.^[31][37][38] Seven police officers searched her home during the raid and fifteen searched the home of her parents.^[6] The website git.rip, through which photos from the hacked Verkada cameras were originally shared,^[39] was seized by the FBI.^[40] She later described this raid as a traumatizing experience, stating she felt she was "made an example of".^[41]

As of March 19, 2021, crimew was being represented by lawyer Marcel Bosonnet in Switzerland.^[34][42] A crowdfunding campaign was created in April 2021 to raise money for her to retain a lawyer in the United States.^[43]

People used the hashtag "#freetillie" to express support for crimew after the raid of her home.^[10][44] Hacking researcher Gabriella Coleman said that she expected crimew to gain more support in "the hacker community" as a result of the indictment, stating that, in some cases, the United States government has been overly aggressive in prosecuting "hacktivists", who "[pursue] a variety of leftist and anti-authoritarian ideals", and that "the hacker community has this in mind".^[36] An article in Republik described crimew as "[following] in the tradition of hackers like Jeremy Hammond or Aaron Swartz."^[6] Hernâni Marques, a board member of the Swiss chapter of Chaos Computer Club, called for "solidarity" with crimew.^[45] Seattle prosecutors rebuked the view that the leak had "any redeeming quality", with U.S. Attorney Tessa M. Gorman stating that "publishing source code and proprietary and sensitive information on the web is not protected speech — it is theft and fraud," and that "[w]rapping oneself in an allegedly altruistic motive does not remove the criminal stench from such intrusion, theft, and fraud".^[36]

After the indictment, a United States Department of Justice spokesperson told Blick that proceedings had been suspended, explaining that the United States would not continue with the case unless crimew was present in the US and defended by a lawyer.^[29] Crimew has expressed confidence that she will not be extradited to the United States.^[8] Swiss lawyer Roman Kost stated that Swiss extradition law does not allow extradition of citizens without their consent, but that Swiss hackers "can be tried in Switzerland if there is sufficient suspicion and evidence, and if they are found guilty, they can be punished”.^[36] Switzerland's Federal Department of Justice and Police confirmed to zentralplus that it does not extradite Swiss nationals against their will.^[46] Swiss newspaper Le Temps reported that crimew would not be extradited and would instead be tried in Switzerland.^[47]

20 Minuten reported that if crimew was tried in Switzerland, she would face a maximum of four and a half years in prison.^[45] Hernâni Marques said that "much of what [she] did would not be punishable in Switzerland," additionally stating that much of the data crimew leaked was publicly available on the internet and arguing that the hack of Verkada was "legitimate and useful for society" because of the privacy issue it exposed.^[6] In March 2021, Blick reported that a potential warrant for crimew's arrest issued by the United States would likely be executed by all countries that share a border with Switzerland.^[29] In September 2021, crimew told null41 that she was certain she would never be able to travel to certain countries again, and that even if she was able to travel in the future, it would be risky because of the possibility of extradition from other countries. She noted that, unlike Julian Assange, she was not relying on the goodwill of a country, because the Swiss constitution prohibits her extradition.^[48] In October 2021, Zeit Magazin reported that, while Interpol does not publicize most of its investigations, it was likely that an international arrest warrant had been issued for crimew, which would potentially render her unable to leave Switzerland.^[49]

In July 2022, crimew discovered and reported a vulnerability in the mental health app Feelyou, which exposed the email addresses of its nearly 80,000 users and allowed anyone to connect supposedly anonymous posts to the email addresses of the users who posted them.^[50]

On January 19, 2023, crimew reported that she had gained access to 2019 versions of the US government's No Fly List of 1.56 million entries and Selectee List of 250,000 entries hosted by CommuteAir on an unsecured Amazon Web Services cloud server.^[51][52][53] Crimew noted that, despite the size of the Terrorism Screening Database, there were "very clear trends towards almost exclusively Arabic and Russian sounding names throughout the million entries";^[54] over 10% of the listed entries contained "Muhammad" in either the first or last name fields.^[53]

Crimew describes herself as a musician and DJ;^[55] she has performed on releases from music collectives involved in the hyperpop scene such as Sleepy.zone and Goop House,^[56][57] with the former listing her as a current member as of June 2024.^[58] She has also self-released tracks on SoundCloud.^[59]

Crimew lives in Switzerland.^[8] She is non-binary^[43] and uses it/its and she/her pronouns,^[60] with a strong preference for it/its.^[3] She is autistic^[61] and identifies as both bisexual and a lesbian.^[62] She is a member of the Young Socialists Switzerland,^[9] and has run for political candidacy on socialist platforms.^[10][44] Crimew has cited curiosity,^[10] anti-capitalism, anarchism, and opposition to the concept of intellectual property as motives for her hacking,^[63][64] stating that "caring about literally nothing but profit definitely doesn't result in security".^[19] She has additionally stated that she believes source code and documentation should be public, and that she thinks of herself as a hacktivist.^[48] Crimew has stated that being queer and experiencing discrimination contributed to the development of her political views.^[65][43]

Crimew has also been known as Tillie Kottmann, "deletescape", and "tillie crimew".^[33] In 2022, she legally changed her name to maia arson crimew, which is stylized in all lowercase.^[66]

• Crimew's official website