Anarchist hacker exposes the TSA's 1.5 million-name no-fly list

image of a pokemon in front of a laptop screen displaying process of hacking and uncovering No Fly List
(Image credit: maia arson crimew)

First reported by the Daily Dot, an activist and hacker who goes by the name maia arson crimew uncovered a version of the United States government's No-Fly List dated to 2019 on an unsecured server owned by regional US airline, CommuteAir (formerly CommutAir). The glimpse at this well-known, but not publicly available, US government registry is the latest in a cavalcade of major corporate security breaches in recent months.

Crimew, an independent hacker and researcher, discovered the list via a variant of Shodan, a cybersecurity-focused search engine that allows users to find unsecured servers on the net. Crimew found one such server owned by CommuteAir, a partner of United Airlines specializing in short-range flights. In addition to the list itself, preposterously named NoFly.csv, crimew uncovered detailed employee records for CommuteAir, as well as credentials to allow her access to "navlblue APIs for refuelling, cancelling, and updating flights, swapping out crew members, and so on."

Crimew has not published the No-Fly List in full, but has made it available by request for journalists. Crimew described it to Kotaku as being over 1.56 million entries long, containing names, birthdates, and aliases for targeted individuals. Crimew told the Daily Dot that "it's just crazy to me how big that Terrorism Screening Database is and yet there is still very clear trends towards almost exclusively Arabic and Russian sounding names throughout the million entries."

CommuteAir confirmed that the database was genuine and dated to 2019, while the TSA told the Daily Dot that it was "aware of a potential cybersecurity incident with CommuteAir," and that it was "investigating in coordination with [its] federal partners."

Although the US government maintained a small list of individuals with a "no transport" flag prior to 2001, the No-Fly list exploded in size and scope following the September 11 attacks. Critics argue the list is an opaque overreach of the security state that has disproportionately affected Muslims. The list includes some American citizens.

In 2016, Senator Diane Feinstein disclosed that the list covered 81,000 people, while in 2005, the TSA admitted that it had received 30,000 complaints from people who had been added to the list by mistake. It is unclear how many of the 1.5 million entries on NoFly.csv are aliases, accounting for common misspellings, or other forms of repeat entry for the same individual, while the Daily Dot mentions the possibility that this leak could reflect the wider and less restrictive Terrorism Screening Database as opposed to the narrower and harsher No-Fly List.

This is not crimew's first act of hacktivism. She has previously leaked data from Intel, Nissan, and cloud-based security firm Verkada. Crimew had her home raided by Swiss police in relation to charges from the US government over these breaches, but she is protected from extradition to the United States by the Swiss constitution. Crimew maintains a personal website and active Twitter account.

Associate Editor

Ted has been thinking about PC games and bothering anyone who would listen with his thoughts on them ever since he booted up his sister's copy of Neverwinter Nights on the family computer. He is obsessed with all things CRPG and CRPG-adjacent, but has also covered esports, modding, and rare game collecting. When he's not playing or writing about games, you can find Ted lifting weights on his back porch.

Read more
An FBI wanted poster for alleged hacker Zhou Shuai.
US Justice Dept announces $10 million bounty on at-large 'hacker-for-hire' cabal it says targeted China critics, religious missionaries, and the Treasury
Kinzie, in an FBI jacket, uses a computer with the logo of the Third Street Saints on it
Have I Been Pwned adds over 284 million compromised passwords from latest breach
 In this photo illustration a novelty Bitcoin token is photographed on a US Dollar bank note, on January 4, 2025 in Bath, England. The Cryptocurrency market has recently received a significant boost by the election of Donald Trump with hopes of the start of a policy framework that could see Bitcoin as a strategic asset
Man charged with $65,000,000 worth of cryptocurrency heists was reportedly discovered through chatting on Discord with a company they allegedly stole from
Image manipulated symbolic alegory pointing into the mystery of being.
Deep trouble: Infosec firm finds a DeepSeek database 'completely open and unauthenticated' exposing chat history, API keys, and operational details
Team Fortress Spy being shocked
An FPS studio pulled its game from Steam after it got caught linking to malware disguised as a demo, but the dev insists it was actually the victim of a labyrinthine conspiracy
A drone flies overhead in a purple alien sky
The manufacturer of 90% of the world's consumer drones will no longer automatically stop its products flying over US airports, power plants and prisons
Latest in Gaming Industry
SUQIAN, CHINA - OCTOBER 6, 2024 - Illustration Tencent's plan to buy Ubisoft, Suqian, Jiangsu province, China, October 6, 2024. (Photo credit should read CFOTO/Future Publishing via Getty Images)
Ubisoft and Tencent are forming a new company that will take control of its most successful franchises: Assassin's Creed, Far Cry, and Rainbow Six
Kinich, a character in Genshin Impact, stands prepared to brawl with an enemy.
'Diabolical': Genshin Impact's English cast gives new VO the cold shoulder after he frames replacing a striking actor as an 'opportunity to carry the flame'
PC Gamer magazine issue 408 Doom: The Dark Ages
PC Gamer magazine's new issue is on sale now: Doom: The Dark Ages
Two brightly colored stormtroopers dressed like Run-DMC stand in front of PAX Australia's WELCOME HOME banner.
Tickets for PAX Australia 2025 are on sale now
Lara Croft Unified Art
Tomb Raider developer Crystal Dynamics lays off 17 employees 'to better align our current business needs and the studio's future success'
Monster Hunter Wilds' stockpile master studying a manifest
As layoffs and studio closures continue to deathroll the western AAA industry, analyst points out 5 of 8 major Japanese companies hit all-time share prices this year
Latest in News
Story of Seasons - A cahacter in a purple tuxedo stands outside in a town square talking to the player
Story of Seasons is doing another Harvest Moon remake and it might be the best the series has ever looked
Assassin's Creed Shadows change seasons - An upper-body shot of Yasuke looking cheerfully up into the distance.
Assassin's Creed Shadows puts up the 'second highest day-one sales revenue in Assassin's Creed franchise history'
A witch riding a broom sails past a Fish and Chips shop.
Cozy gamers rejoice: Witchbrook finally has a release window, and yes, you can fly around on a broom with your friends
starcraft 2 face
StarCraft fans taunted by the announcement of a new StarCraft... board game
kingdom come: deliverance 2 henry looks confused
'Medieval Batman' completes Kingdom Come: Deliverance 2 pacifist playthrough with zero kills and 535 knockouts
SUQIAN, CHINA - OCTOBER 6, 2024 - Illustration Tencent's plan to buy Ubisoft, Suqian, Jiangsu province, China, October 6, 2024. (Photo credit should read CFOTO/Future Publishing via Getty Images)
Ubisoft and Tencent are forming a new company that will take control of its most successful franchises: Assassin's Creed, Far Cry, and Rainbow Six