maia arson crimew

maia arson crimew (formerly known as Tillie Kottmann) is a Swiss hacker and software developer from Lucerne, Switzerland, who led the hacker collective APT69420 (Arson Cats) and is known for a series of high-profile data disclosures including the 2021 Verkada security-camera breach, the January 2023 leak of the U.S. No Fly List from a misconfigured CommuteAir server, and the June 2026 publication of the membership directory of Peter Thiel's secret society Dialog. crimew was indicted by a U.S. federal grand jury in the Western District of Washington in March 2021 on charges of conspiracy, wire fraud, and aggravated identity theft related to the 2019-2021 source-code-leak activity, but has not been sentenced because Switzerland does not extradite its own citizens.¹²³

crimew produced the 2026 leak that generated the first primary record of Dialog's membership, and the disclosure extends a documented pattern of high-impact releases of sensitive institutional data held by inadequately secured servers. crimew occupies a specific role in the disclosure ecosystem: not a whistleblower with internal access but an external intruder who exploits misconfigured infrastructure, and whose releases are selected for political and public-interest effect rather than for financial gain.

The Verkada Breach and APT69420

crimew led the hacker collective APT69420 (styled Advanced Persistent Threat 69420, a parody of nation-state threat-actor naming conventions), which in March 2021 breached the U.S. security-camera company Verkada. The breach accessed live and archived surveillance footage from approximately 150,000 cameras deployed across hospitals, schools, prisons, police departments, corporate offices, and Tesla facilities, including cameras inside a Tesla warehouse, the Halifax Health medical center, and the Madison County Jail in Alabama. The access was obtained through a super admin account found exposed on the company's internal network.²⁴

A single compromise of the Verkada platform operator exposed footage from thousands of geographically dispersed and functionally unrelated installations. crimew and the APT69420 collective published selected footage and shared access with journalists, framing the release as an exposure of the surveillance infrastructure that organizations had built without adequate awareness of its concentration. The breach prompted Verkada to restructure its access controls and drew regulatory attention to the surveillance-camera-as-a-service industry.⁴

The No Fly List Leak

In January 2023 crimew disclosed that, while "bored" in late 2022, they had accessed the U.S. government's No Fly List on an unsecured CommuteAir server (a misconfigured AWS instance operated by the regional airline). The list, a 2019 version containing approximately 1.5 million entries of individuals barred from boarding commercial flights into or within the United States, was shared with the journalism publication Daily Dot and subsequently published on a hacking forum. crimew noted in the release that the list "trends towards almost exclusively Arabic sounding names," a finding that became part of the public record of the documented racial and religious disproportion in the watchlisting system.³⁵

The No Fly List leak placed a copy of a previously secret government watchlist in the public domain and permitted independent analysis of its composition. The release fed into ongoing litigation over the due-process deficiencies of the federal watchlisting system and into academic and journalistic analysis of the list's demographics. The legal status of the list itself remains contested; crimew's release, by making it analyzable, converted a secret instrument of administrative control into a public artifact.⁵

Federal Indictment and the Extradition Bar

In March 2021 crimew was indicted by a U.S. federal grand jury in the Western District of Washington on charges of conspiracy to commit computer fraud and abuse, wire fraud and conspiracy to commit wire fraud, and aggravated identity theft, related to alleged hacking activity between 2019 and 2021 (the source-code-leak cases including Intel, Nissan, and other firms, not the later Verkada or No Fly List disclosures). The conspiracy-to-commit-computer-fraud count carries a maximum of five years; the wire-fraud and aggravated-identity-theft counts carry additional penalties.¹

crimew has not been sentenced and is not in U.S. custody, because Switzerland does not extradite its own citizens under its federal constitution. The practical effect is a lifetime travel restriction: crimew cannot leave Switzerland without risk of arrest and extradition to the United States from any third country that does extradite. crimew has spoken publicly about the restriction and continues to live and work in Switzerland. The case is one of a recurring pattern in which European hackers indicted under U.S. computer-fraud statutes remain outside U.S. custody due to national extradition limits, and the pattern is part of the broader jurisdictional friction the U.S. Computer Fraud and Abuse Act produces when applied extraterritorially.¹⁶

The Dialog Disclosure

In June 2026 crimew published a membership directory of the Dialog secret society that had been embedded in the source code of the Dialog website, reflecting the site's access controls. The published list named approximately 113 affiliates. A source separately provided the complete 2026 retreat registration list (222 names) to WIRED, which published the combined reporting. crimew's release was the website-source disclosure; the registration list came through a different channel.⁷

The Dialog disclosure used the same method as the prior releases: external access to inadequately secured infrastructure (the website source code containing the membership directory), a release selected for its political and public-interest weight, and framing language that emphasizes the disclosure function. The target differed from Verkada and the No Fly List: a private convening network rather than a surveillance vendor or a government watchlist, and a network whose secrecy posture had been reinforced by the Thiel-funded Gawker litigation.⁷