Maia arson crimew

Swiss hacker (born 1999)

maia arson crimew
A selfie of crimew in 2022
Born: August 7, 1999 (age 24), Lucerne, Canton of Lucerne, Switzerland
Nationality: Swiss
Other names: Tillie Kottmann, deletescape
Occupation(s): Software developer, computer hacker
Known for: No Fly List leak, source code leaks, Verkada hack, Lawnchair Android launcher
Website: maia.crimew.gay

Maia arson crimew[a] (born August 7, 1999), formerly known as Tillie Kottmann, is a Swiss developer and computer hacker. Crimew is known for leaking source code and other data from companies such as Intel and Nissan, and for discovering a 2019 copy of the United States government's No Fly List on an unsecured CommuteAir server. Crimew was also part of a group that hacked into Verkada in March 2021 and accessed more than 150,000 cameras. She is also the founding developer of the Lawnchair application launcher for Android.[4][5]

In March 2021, crimew was indicted by a grand jury in the United States on criminal charges related to her alleged hacking activity between 2019 and 2021. The charges were unrelated to the hack of Verkada. Her home and her parents' home were raided by the Swiss police at the request of United States authorities, and her electronic devices were seized. People used the hashtag "#freetillie" to express support for her in the aftermath of the raid, and the Swiss magazine Republik compared her to Jeremy Hammond and Aaron Swartz.

Early life

Crimew was born on August 7, 1999[6] in the Bruch district of Lucerne in the German-speaking region of Switzerland.[7][8] As a teenager, she worked in information technology.[9] She was the founding developer of the popular Android launcher "Lawnchair", which has been maintained by a different development team since February 2021.[4][5] A member of the Young Socialists Switzerland,[8] crimew was a candidate for Lucerne City Council in 2020.[9]

Early leaks

In July 2020, crimew posted source code from dozens of companies to a GitLab repository.[10] She was credited with originating the Nintendo Gigaleak by Bleeping Computer, but she later told Tom's Guide that Nintendo data was not included in the July leak, and that she had never posted Nintendo code to GitLab because the company was "notorious for quick takedowns".[11] On August 6, 2020, crimew uploaded more than 20 gigabytes of Intel's proprietary data and source code to Mega.[12] She obtained the data from another hacker who claimed to have breached Intel around May 2020,[13] and described it as a first installment which would be followed by more leaks related to Intel.[12][14] In January 2021, crimew was involved in a source code leak from Nissan, stating that she acquired the leaked code after learning from an anonymous source about a Bitbucket server[15] that was set up with the default username and password.[16][17]

Crimew said in March 2021 that most of her breaches did not require much technical skill.[18] In addition to leaking data herself, she maintained a Telegram channel called "ExConfidential"[19] where she shared details about leaks by others.[10][14] In March 2021, Distributed Denial of Secrets created a torrent of data from the channel after crimew's home was raided and her devices were seized.[20]

Verkada hack

On March 8, 2021, a group of hackers including crimew and calling themselves "APT - 69420 Arson Cats"[21][22] gained "super admin" rights in the network of Verkada, a cloud-based security camera company,[23] using credentials they found on the public internet.[24] The group had access to the network for 36 hours.[23] They collected about 5 gigabytes of data, including live security camera footage and recordings from more than 150,000 cameras in places like a Tesla factory, a jail in Alabama, a Halifax Health hospital, and residential homes.[25][26] The group also accessed a list of Verkada customers and the company's private financial information,[24] and gained access to the corporate networks of Cloudflare and Okta through their Verkada cameras.[25][27]

Crimew acted as the spokesperson for the group of hackers.[28] Her Twitter account was suspended for violating Twitter's terms of service after she used it to share multiple screenshots of live security camera feeds.[29] During the hack, crimew tweeted "What if we just absolutely ended surveillance capitalism in two days?"[29] She contacted a Bloomberg journalist shortly after the breach, who in turn contacted Verkada, which removed the hackers' access to the network.[30][31][32] She told Bloomberg that the hack exposed "just how broadly we're being surveilled, and how little care is put into at least securing the platforms used to do so, pursuing nothing but profit".[25] An acquaintance of crimew told zentralplus [de] that they thought she would have carried out the hack for fun regardless of her political views.[9]

Indictment

Banner showing seizure of the git.rip domain by the FBI

In March 2021, crimew was indicted by a grand jury in the United States District Court for the Western District of Washington on charges related to several hacks she allegedly carried out between 2019 and 2021.[7][33] The twelve-page[28] indictment alleged that crimew hacked dozens of entities,[34] published proprietary information and code from more than 100 entities including government agencies,[35] and sold hacking-related merchandise such as t-shirts.[36] It charged her with counts of computer fraud and abuse, wire fraud, and identity theft. The indictment, and a raid by the Swiss police in which crimew's electronic devices were seized at the request of United States authorities, came shortly after she claimed involvement in the Verkada hack but did not contain charges related to it.[30][37][38] Seven police officers searched her home during the raid and fifteen searched the home of her parents.[31] The website git.rip, through which crimew and others allegedly shared data obtained by hacking, was seized by the FBI.[39] She later described this raid as a traumatizing experience, stating she felt she was "made an example of".[40]

As of March 19, 2021, crimew was being represented by lawyer Marcel Bosonnet in Switzerland.[34][41] A crowdfunding campaign was created in April 2021 to raise money for her to retain a lawyer in the United States.[42]

Public response

People used the hashtag "#freetillie" to express support for crimew after the raid of her home.[9][43] Hacking researcher Gabriella Coleman said that she expected crimew to gain more support in the hacker community as a result of the indictment, stating that the United States government has been overly aggressive in prosecuting hackers who pursue leftist and anti-authoritarian ideals and that "the hacker community has this in mind".[36] An article in Republik described crimew "in the tradition of hackers like Jeremy Hammond or Aaron Swartz."[31] Hernâni Marques, a board member of the Swiss chapter of Chaos Computer Club, called for "solidarity" with crimew.[44] Seattle prosecutors decried this support, with Tessa M. Gorman stating that "[w]rapping oneself in an allegedly altruistic motive does not remove the criminal stench from such intrusion, theft, and fraud".[36]

Possibility of extradition or trial in Switzerland

After the indictment, a United States Department of Justice spokesperson told Blick that proceedings had been suspended, explaining that the United States would not continue with the case unless crimew was present in the US and defended by a lawyer.[28] Crimew has expressed confidence that she will not be extradited to the United States.[7] Swiss lawyer Roman Kost stated that Swiss extradition law does not allow extradition of citizens without their consent, but that Swiss hackers "can be tried in Switzerland if there is sufficient suspicion and evidence, and if they are found guilty, they can be punished".[36] Switzerland's Federal Department of Justice and Police confirmed to zentralplus that it does not extradite Swiss nationals against their will.[45] Swiss newspaper Le Temps reported that crimew would not be extradited and would instead be tried in Switzerland.[46]

20 Minuten reported that if crimew was tried in Switzerland, she would face a maximum of four and a half years in prison.[44] Hernâni Marques said that "much of what [she] did would not be punishable in Switzerland," pointing out that much of the data crimew leaked was publicly available on the internet and arguing that the hack of Verkada was "legitimate and useful for society" because of the privacy issue it exposed.[31] In March 2021, Blick reported that a potential warrant for crimew's arrest issued by the United States would likely be executed by all countries that share a border with Switzerland.[28] In September 2021, crimew told null41 that she was certain she would never be able to travel to certain countries again, and that even if she was able to travel in the future it would be risky because of the possibility of extradition from other countries. She noted that unlike Julian Assange, she was not relying on the goodwill of a country because the Swiss constitution prohibits her extradition.[47] In October 2021, Zeit Magazin reported that while Interpol does not publicize most of its investigations, it was likely that an international arrest warrant had been issued for crimew, which would potentially render her unable to leave Switzerland.[48]

Later works

Feelyou

In July 2022, crimew discovered and reported a vulnerability in the mental health app Feelyou, which exposed the email addresses of its nearly 80,000 users and allowed anyone to connect supposedly anonymous posts to the email addresses of the users who posted them.[49]

No Fly and Selectee Lists hack

On January 19, 2023, crimew reported that she had gained access to 2019 versions of the US government's No Fly List of 1.56 million entries and Selectee List of 250,000 entries posted by CommuteAir on an unsecured Amazon Web Services cloud server.[50][51][52][53] Crimew noted that "it's just crazy to me how big that Terrorism Screening Database is and yet there is still very clear trends towards almost exclusively Arabic and Russian sounding names throughout the million entries";[54] over 10% of the listed entries contained "Muhammad" in either the first or last name fields.[53]

Personal life and beliefs

Crimew lives in Switzerland.[7] She is non-binary[42] and uses it/its and she/her pronouns,[55] with a strong preference for it/its.[3] She is autistic[56] and identifies as both bisexual and a lesbian.[57] She is a member of the Young Socialists Switzerland,[8] and has run for political candidacy on socialist platforms.[9][43] Crimew has cited curiosity,[9] anti-capitalism, anarchism, and opposition to the concept of intellectual property as the motives for her hacking,[58][59] stating that "caring about literally nothing but profit definitely doesn't result in security".[18] She has additionally stated that she believes source code and documentation should be public, and that she thinks of herself as a hacktivist.[47] Crimew has stated that being queer and experiencing discrimination contributed to the development of her political views.[60][42]

Crimew has also been known as Tillie Kottmann, deletescape, and tillie crimew.[33] In 2022, she legally changed her name to maia arson crimew, which is stylized in all lowercase.[61]

Notes

  1. ^ "Crimew" (/ˈkrˌmj/) is a portmanteau of the words crime and mew, as in the onomatopoeia of a cat's cry.[1] Crimew stylizes her name in all lowercase.[2] Crimew describes her pronouns as "it(/she)": She strongly prefers it/its, especially in informal contexts, and considers it "more maia coded", but is "totally fine" with she/her in more formal contexts, such as in her Wikipedia article.[3] For clarity, accessibility, and consistency, this article uses she/her pronouns throughout.

References

  1. ^ maia arson crimew [@_nyancrimew] (January 21, 2023). "for the record, crimew is a portmanteau of crime and mew (as in meow) and is pronounced like cri-mew" (Tweet). Archived from the original on January 21, 2023. Retrieved January 21, 2023 – via Twitter.
  2. ^ maia arson crimew [@cybertillie] (January 2, 2022). "some info about my name ("maia arson crimew") and how to stylize it: my name is correctly spelled in all lowercase and i prefer it if people use it like that. i dont *mind* it being capitalized, but all lowercase is more correct :)" (Tweet). Archived from the original on January 2, 2022. Retrieved January 2, 2022 – via Twitter.
  3. ^ a b crimew, maia arson (January 19, 2024). "idk if u would know why this is but whys ur wikipedia article use only she/her pronouns for u? they literally say at one point..." Tumblr. Retrieved January 19, 2024.
  4. ^ a b Wilde, Damien (February 22, 2021). "Development on Lawnchair Launcher resumes after break". 9to5Google. Archived from the original on May 23, 2021. Retrieved May 23, 2021.
  5. ^ a b Davenport, Corbin (February 21, 2021). "Lawnchair Launcher resumes development after year-long hiatus". Android Police. Archived from the original on May 23, 2021. Retrieved May 23, 2021.
  6. ^ crimew, maia arson (March 20, 2021). "@[email protected]". notbird.site. Archived from the original on March 24, 2021. Retrieved March 20, 2021. i hereby confirm that i was born on august 7th 1999 and that my pronouns are it/its fae/faer she/her they/them.
  7. ^ a b c d O'Brien, Matt (March 19, 2021). "U.S. charges Swiss 'hacktivist' for data theft and leaks". Associated Press. Archived from the original on March 19, 2021. Retrieved March 19, 2021.
  8. ^ a b c "So begründet die Luzerner Hackerin ihre Angriffe auf US-Firmen" [This is how the Lucerne hacker justifies her attacks on US companies]. zentralplus [de] (in Swiss High German). April 21, 2021. Archived from the original on May 25, 2021. Retrieved May 25, 2021.
  9. ^ a b c d e f Berger, Lena; Birnstiel, Claudio (March 16, 2021). "So tickt die Hackerin aus Luzern, die das FBI mit ihrem Angriff auf Trab hält" [This is how the hacker from Lucerne, who keeps the FBI busy with her attack, ticks]. zentralplus [de] (in Swiss High German). Archived from the original on May 25, 2021. Retrieved May 25, 2021.
  10. ^ a b Ilascu, Ionut (July 27, 2020). "Source code from dozens of companies leaked online". Bleeping Computer. Archived from the original on March 19, 2021. Retrieved March 20, 2021.
  11. ^ Fearn, Nicholas (July 28, 2020). "Disney, Microsoft, Nintendo and 50 more hit by massive source code leak [updated]". Tom's Guide. Archived from the original on July 28, 2020. Retrieved May 26, 2021.
  12. ^ a b Goodin, Dan (August 6, 2020). "More than 20GB of Intel source code and proprietary data dumped online". Ars Technica. Archived from the original on March 18, 2021. Retrieved March 20, 2021.
  13. ^ Moon, M (August 7, 2020). "20GB of Intel internal documents were leaked online". Engadget. Archived from the original on March 1, 2021. Retrieved March 20, 2021.
  14. ^ a b Cimpanu, Catalin (August 6, 2020). "Intel investigating breach after 20GB of internal documents leak online". ZDNet. Archived from the original on March 19, 2021. Retrieved March 20, 2021.
  15. ^ Orzel, Eran (May 12, 2021). "Lessons in Securing Development Environments". Security Boulevard. Archived from the original on May 12, 2021. Retrieved May 12, 2021.
  16. ^ Cimpanu, Catalin (January 6, 2021). "Nissan source code leaked online after Git repo misconfiguration". ZDNet. Archived from the original on March 19, 2021. Retrieved March 21, 2021.
  17. ^ Starks, Tim (January 6, 2021). "Nissan investigated source code exposure, says it plugged leak". CyberScoop. Archived from the original on March 21, 2021. Retrieved March 21, 2021.
  18. ^ a b Brewster, Thomas. "Swiss Verkada Camera Hacker Says Attacks Were "Easy, Fun Anarchism"—U.S. Files Charges Over Data Theft". Forbes. Archived from the original on March 20, 2021. Retrieved March 20, 2021.
  19. ^ "Indictment No. CR21-048 RAJ". Justice.gov. March 18, 2021. Archived from the original on April 28, 2021. Retrieved May 27, 2021.
  20. ^ Horne, Lorax B. (March 15, 2021). "Release: Tillie Kottmann (20 GB)". Distributed Email of Secrets. Archived from the original on May 18, 2021. Retrieved May 27, 2021.
  21. ^ Bajak, Frank; O'Brien, Matt (March 10, 2021). "Security camera hack exposes hospitals, workplaces, schools". Seattle Times. Archived from the original on April 10, 2021. Retrieved March 19, 2021.
  22. ^ Harwell, Drew (March 10, 2021). "Massive camera hack exposes the growing reach and intimacy of American surveillance". The Washington Post. Archived from the original on April 29, 2021. Retrieved April 24, 2021.
  23. ^ a b Patterson, Dan (March 10, 2021). "Hack of video security company Verkada exposes footage from 150,000 connected cameras". CBS News. Archived from the original on March 20, 2021. Retrieved March 21, 2021.
  24. ^ a b Gartenberg, Chaim (March 9, 2021). "Security startup Verkada hack exposes 150,000 security cameras in Tesla factories, jails, and more". The Verge. Archived from the original on March 19, 2021. Retrieved March 19, 2021.
  25. ^ a b c Turton, William (March 9, 2021). "Hackers Breach Thousands of Security Cameras, Exposing Tesla, Jails, Hospitals". Bloomberg News. Archived from the original on March 19, 2021. Retrieved March 19, 2021.
  26. ^ Goodin, Dan (March 10, 2021). "Hackers access security cameras inside Cloudflare, jails, and hospitals". Ars Technica. Archived from the original on March 18, 2021. Retrieved March 19, 2021.
  27. ^ Graham-Cumming, John (March 10, 2021). "About the March 8 & 9, 2021 Verkada camera hack". The Cloudflare Blog. Cloudflare. Archived from the original on March 10, 2021. Retrieved March 22, 2021.
  28. ^ a b c d Michel, Beat (March 19, 2021). "Schweizer Hackerin Tillie Kottmann (21) von US-Justiz angeklagt" [Swiss hacker Tillie Kottmann (21) charged by the US Justice Department]. Blick (in Swiss High German). Archived from the original on October 28, 2021. Retrieved October 28, 2021.
  29. ^ a b Murdock, Jason (March 10, 2021). "Twitter suspends Verkada hacker Tillie Kottman's account after Tesla security footage leak". Newsweek. Archived from the original on March 21, 2021. Retrieved March 21, 2021.
  30. ^ a b Turton, William; Gretler, Corinne (March 12, 2021). "Swiss Police Raid Apartment of Verkada Hacker, Seize Devices". Bloomberg News. Archived from the original on March 15, 2021. Retrieved March 19, 2021.
  31. ^ a b c d Ryser, Daniel (April 21, 2021). "Die Vereinigten Staaten gegen Tillie Kottmann" [The United States versus Tillie Kottmann]. Republik (in German). Archived from the original on April 24, 2021. Retrieved April 24, 2021.
  32. ^ "Firmen weltweit betroffen – Hacker zapfen 150'000 Kameras an – Opfer wurden Tesla, Spitäler und ein Gefängnis" [Hackers tap into 150,000 cameras – Tesla, hospitals and a prison were victims]. Tages-Anzeiger (in Swiss High German). March 10, 2021. Archived from the original on May 26, 2021. Retrieved May 26, 2021.
  33. ^ a b "Swiss Hacker indicted for conspiracy, wire fraud, and aggravated identity theft". Justice.gov. March 18, 2021. Archived from the original on March 18, 2021. Retrieved March 19, 2021.
  34. ^ a b Schneider, Joe; Turton, William (March 19, 2021). "Verkada Hacker Charged With Wire Fraud, Identity Theft in U.S." Bloomberg News. Archived from the original on March 19, 2021. Retrieved March 20, 2021.
  35. ^ "National Digest: Swiss hacker charged with computer intrusion, identity theft in U.S." The Washington Post. March 19, 2021. Archived from the original on August 24, 2022. Retrieved March 20, 2021.
  36. ^ a b c d Turton, William (March 19, 2021). "Swiss Hacker's Indictment Spotlights Ethics of Activist Attacks". Bloomberg News. Archived from the original on April 19, 2021. Retrieved April 19, 2021.
  37. ^ Miller, Maggie (March 19, 2021). "Justice Department indicts hacker connected to massive surveillance camera breach". The Hill. Archived from the original on March 19, 2021. Retrieved March 20, 2021.
  38. ^ Hollister, Sean (March 12, 2021). "A hacker who exposed Verkada's surveillance camera snafu has been raided". The Verge. Archived from the original on March 19, 2021. Retrieved March 19, 2021.
  39. ^ "USA klagen Schweizer Hackerin an" [USA accuses Swiss hacker]. Der Spiegel (in German). March 19, 2021. Archived from the original on April 23, 2021. Retrieved April 27, 2021.
  40. ^ crimew, maia arson (May 18, 2023). "god im fucked up - but i stay silly :3". maia.crimew.gay. Retrieved July 10, 2023.
  41. ^ Cameron, Dell (March 19, 2021). "U.S. Indicts 21-Year-Old Accused of Leaking Stolen Data of Disney, Nintendo, and More". Gizmodo. Archived from the original on March 19, 2021. Retrieved March 20, 2021.
  42. ^ a b c "Unterstützer sammeln Geld für Luzerner Hackerin" [Supporters collect money for Lucerne hacker]. zentralplus [de] (in Swiss High German). April 3, 2021. Archived from the original on April 24, 2021. Retrieved April 24, 2021.
  43. ^ a b "Verkada-Hack: Polizei durchsucht Wohnung von Tillie Kottmann in Luzern" [Verkada-Hack: Police search Tillie Kottmann's apartment in Lucerne]. Blick (in Swiss High German). March 19, 2021. Archived from the original on May 25, 2021. Retrieved May 25, 2021.
  44. ^ a b Rosser, Angela (April 21, 2021). "Luzerner Hackerin Tillie Kottmann wird von den USA angeklagt" [Swiss hacker is charged by the USA]. 20 Minuten (in German). Archived from the original on April 27, 2021. Retrieved April 27, 2021.
  45. ^ Berger, Lena (March 19, 2021). "Luzerner Hackerin wird in Amerika angeklagt" [Lucerne hacker is charged in America]. zentralplus [de] (in Swiss High German). Archived from the original on May 25, 2021. Retrieved May 25, 2021.
  46. ^ Seydtaghia, Anouch (March 19, 2021). "Traqué par les Etats-Unis, le hacker suisse risque 20 ans de prison" [Hunted by the United States, the Swiss hacker faces 20 years in prison]. Le Temps (in Swiss French). ISSN 1423-3967. Archived from the original on May 26, 2021. Retrieved May 26, 2021.
  47. ^ a b Schulthess, Anja Nora; Muffler, Robyn (September 6, 2021). "Die Luzerner Hackerin Tillie Kottmann im Interview" [An interview with Lucerne hacker Tillie Kottmann]. 041 - Das Kulturmagazin (in German). Archived from the original on October 5, 2021. Retrieved October 5, 2021.
  48. ^ Rusch, Marlon (October 20, 2021). "Hackerin Tillie Kottmann: Tillie gegen die Vereinigten Staaten" [Hacker Tillie Kottmann: Tillie versus the United States]. Zeit Magazin (in Swiss High German). Archived from the original on October 28, 2021. Retrieved October 28, 2021.
  49. ^ Thalen, Mikael (July 18, 2022). "Anonymous mental health app Feelyou accidentally exposed 70,000 personal emails". The Daily Dot. Archived from the original on July 20, 2022. Retrieved July 20, 2022.
  50. ^ arson crimew, Maia (January 19, 2023). "how to completely own an airline in 3 easy steps". maia.crimew.gay. maia arson crimew. Archived from the original on January 21, 2023. Retrieved January 21, 2023.
  51. ^ Reid, Channing (January 20, 2023). "Hacker Gets Access To The FBI's No Fly List". Simple Flying. Archived from the original on January 21, 2023. Retrieved January 21, 2023.
  52. ^ DeGeurin, Mack (January 20, 2023). "Hacker Reportedly Gets Hands on Massive No-Fly List of Alleged Terrorist Suspects". Gizmodo. Archived from the original on January 21, 2023. Retrieved January 21, 2023.
  53. ^ a b Hasbrouck, Edward. "The #NoFly list is a #MuslimBan list". PapersPlease.org. The Identity Project. Archived from the original on January 21, 2023. Retrieved January 20, 2023.
  54. ^ Thalen, Mikael; Covucci, David (January 19, 2023). "EXCLUSIVE: U.S. airline accidentally exposes 'No Fly List' on unsecured server". The Daily Dot. maia arson crimew. Archived from the original on January 31, 2023. Retrieved January 31, 2023.
  55. ^ crimew, maia arson. "maia :3". maia.crimew.gay. Archived from the original on April 30, 2022. Retrieved May 23, 2022.
  56. ^ "maia: (@[email protected])". crimew.gay. Retrieved July 10, 2023.
  57. ^ crimew, maia arson (January 24, 2023). "also like the fact that they keep telling me identifying as a bi lesbian is (somehow, allegedly) resulting in real life violence against lesbians but as soon as i point out theyre trying to get me killed discourse doesnt affect anyone materially anymore". Tumblr. Retrieved October 2, 2023.
  58. ^ Vincent, James (March 19, 2021). "'Anti-capitalist' Verkada hacker charged by US government with attacks on dozens of companies". The Verge. Archived from the original on March 19, 2021. Retrieved March 19, 2021.
  59. ^ Menn, Joseph (March 26, 2021). "New wave of 'hacktivism' adds twist to cybersecurity woes". Reuters. Archived from the original on March 27, 2021. Retrieved March 27, 2021.
  60. ^ Fabian, Vogt (April 21, 2021). "USA wollen sie dingfest machen: Jetzt redet die meistgesuchte Hackerin der Schweiz" [USA want to arrest them: Now the most wanted hacker in Switzerland is talking]. Blick (in Swiss High German). Archived from the original on May 25, 2021. Retrieved May 25, 2021.
  61. ^ maia arson crimew [@_nyancrimew] (May 17, 2022). "i am now legally maia arson" (Tweet). Archived from the original on June 1, 2022. Retrieved June 1, 2022 – via Twitter.

External links

  • Crimew's official website