The U.S. government acted swiftly last week, indicting a Swiss hacker a little more than a week after they took credit for hacking into systems belonging to Verkada, a California-based enterprise security camera company.

Verkada, a startup from San Mateo, confirmed a hack of its customer footage earlier this month, reporting it to the Federal Bureau of Investigation. The cloud-based company reportedly had 150,000 camera feeds, of hospitals, schools, and offices - including high level names like Tesla and Cloudflare, exposed as part of the breach.

The company shared news of the hack with the public on March 10 and said it hoped the incident would be resolved quickly. Verkada said at the time that the attacker managed to infiltrate its systems by targeting a Jenkins server used by its support team. Jenkins servers are open source automation servers that allow developers to build and test software. In this case, the server was used by Verkada to perform maintenance. Attackers commandeered it for three days, from March 7 to 9; by doing so the attacker also secured credentials that allowed them to bypass the company's authorization system, including two-factor authentication.

Verkada, for its part, said disabled all internal administrator accounts to prevent further unauthorized access after news of the hack broke.

The Department of Justice said last Thursday, eight days after Verkada announced the breach, that it was filing charges against a hacker from Switzerland, Till Kottmann, 21.

According to the DOJ, Verkada is far from the first company Kottmann and company - coconspirators per the indictment - have broken into; since 2019 they've hacked dozens of companies and government entities and afterwards, posted private victim data belonging to at least 100 entities online.

While Verkada isn't named in the indictment - it pins a series of other hacks to Kottmann - Kottmann did take credit for that hack.

Last year, Kottmann - who uses they/them pronouns - also broke into and stole proprietary data from an unnamed security device manufacturer, illegally accessed source code belonging to a tactical equipment manufacturer, and hacked a Washington state agency and a U.S. government contractor and stole source code related to various web applications.

As recent as this year, in addition to Verkada, Kottmann broke into an automobile manufacturer and financial investment company and published data from the hacks online. They also used social media to promote the hacks.

For most attacks Kottmann and company targeted git and source code repositories belonging to public and private sector companies.

Once inside, the attackers “cloned the source code, files, and other confidential and proprietary information, which at times included hard-coded administrative credentials, access keys, and other means of further system or network access.”

According to a letter to customers earlier this month, Verkada’s CEO, Filip Kaliszan said that while the hackers didn't steal passwords or anything that would compromise its financial or business systems, the attackers managed to steal the following:

• Video and image data from a limited number of cameras from a subset of client organizations
• A list of our client account administrators, including names and email addresses. This list did not include passwords or password hashes.
• A list of Verkada sales orders. Sales order information is used by our Command system to maintain the license state of our customers. This information was obtained from our Command system and not from other Verkada business systems.

Just stealing and publishing the data wasn't enough, Kottmann and others also communicated with journalists and over social media about their hacks and even sold shirts to market their crimes based on hacking and "anti-intellectual-property ideology."

While Kottmann and others have previously called their hacking protected speech, or hacktivism, Acting U.S. Attorney Tessa Gorman rejected those claims last week.

“Stealing credentials and data, and publishing source code and proprietary and sensitive information on the web is not protected speech–it is theft and fraud,” Gorman said in a statement last week. “These actions can increase vulnerabilities for everyone from large corporations to individual consumers.  Wrapping oneself in an allegedly altruistic motive does not remove the criminal stench from such intrusion, theft, and fraud.”