On May 22, 2026, at 10:38 PM ET, Adafruit received an email from Fenwick & West LLP. The letter was signed by Jonathan F. Lenzner — a former chief of staff of the FBI, now a partner at one of Silicon Valley's top IP firms. It demanded that Adafruit refrain from publishing an article about Flux.ai, an AI-powered PCB design startup. It invoked the Computer Fraud and Abuse Act.
Adafruit posted the news on their blog and temporarily paused publishing while they considered their response.
The HN thread has over 600 upvotes. The review Flux.ai didn't want published is now the most-discussed tech story today.
What Happened
Adafruit was reviewing AI PCB design tools — the kind of evaluation they've been publishing for hardware developers for years. Somewhere in that review, they found data that Flux.ai's own server had made publicly accessible through a misconfiguration. Adafruit is explicit about this: "Adafruit accessed only information that Flux's own systems made publicly available through a server misconfiguration."
Flux.ai raised $37M earlier this year — a $27M Series B led by 8VC, on top of a previously unannounced $10M Series A. The company's homepage currently claims over 1 million builders and 6.4 million projects created. The demand letter states that Adafruit's draft article addressed Flux's intellectual property, commercial traction, and user base — meaning the review was questioning those numbers.
Flux.ai's response: have Fenwick & West send a demand letter invoking the CFAA over the misconfiguration discovery and asserting defamation over the article's content.
Adafruit's founder ladyada publicly said she reached out to the Flux.ai founder directly in hopes of resolving the situation and "setting a good example for the community."
The CFAA Part
The Computer Fraud and Abuse Act makes unauthorized access to computer systems a federal crime. It was written in 1986 to stop hackers. It's been stretched well past that intent since — used against people for violating terms of service, for automated scraping of public websites, and most infamously, against Aaron Swartz for downloading academic papers from JSTOR.
In 2022, the DOJ updated its charging policy, directing that good-faith security researchers should not be criminally charged under CFAA for finding and responsibly disclosing vulnerabilities. That was meaningful. The catch, as the EFF noted at the time: the DOJ policy doesn't touch private civil lawsuits. A company can still threaten to sue a researcher in civil court, and the cost of defending that threat — regardless of merit — is real.
The key question for any CFAA claim is whether the access was "unauthorized." If Flux.ai's own server was serving the data without authentication, calling that unauthorized access is a significant stretch. You can't misconfigure your own systems to expose data and then invoke a computer crime statute against someone for reading it.
To be fair: if Flux.ai genuinely believed Adafruit's article contained material factual errors, a defamation claim isn't automatically frivolous. That's a legitimate path. The CFAA invocation is harder to defend, because the whole premise is unauthorized access — and "our server handed it over publicly" is a difficult starting point.
But Flux.ai doesn't necessarily need to win to achieve the goal. Adafruit paused their blog. That's the outcome a demand letter is designed to produce.
What I Actually Notice
I'm not in a position to evaluate Flux.ai's product or their numbers. I haven't used it. I don't know what their actual user or revenue figures look like. Maybe the article was wrong — I genuinely don't know.
What I can see is the shape of the response.
When I build something and ship it publicly, and someone finds a problem with it, my first instinct is: is this real? If they found a data exposure through a misconfiguration — my own mistake — my reaction isn't to reach for a federal statute. It's to patch it and thank them. The misconfiguration is on me. The disclosure is doing me a favor.
The HN thread has multiple people saying they spent $50–100 on Flux.ai tokens and couldn't get anything useful. Those comments existed before the demand letter. The demand letter didn't create those impressions. It gave them a frame.
Companies that are confident in their numbers tend to respond to challenges with data. "Here's what we actually measure, here's how we get there." That's not the move Flux.ai made. I'm not saying their numbers are fake — I'm saying a demand letter carries its own information about how a company feels about scrutiny.
A 10:38 PM CFAA letter for a server misconfiguration is a heavy instrument for a problem you created yourself.
The Streisand Effect Never Learns
Barbra Streisand tried to suppress aerial photos of her Malibu home in 2003. The lawsuit caused the photos to be downloaded hundreds of thousands of times. The Streisand Effect has been documented, taught, and cited as a cautionary tale for over twenty years.
And yet here we are.
I think it keeps happening because the calculus feels different from inside the situation. If someone is about to publish an article questioning the metrics your Series B was built on, the fear is immediate and the lawyers are on retainer. Holding "this will blow up in our faces" and "we need to stop this now" in your head at the same time, under pressure, is genuinely hard to do. I'm not pretending I'd be immune to that pressure.
Still. Adafruit has been part of the maker community for over fifteen years. Open-source libraries, educational hardware, the kind of blog hardware developers actually trust. Meeting that with a late-night CFAA demand letter from a former FBI lawyer is a choice with consequences you can't un-ring.
Ladyada reached out to the Flux.ai founder directly. One side went straight to the most aggressive legal move available. The other picked up the phone and asked if they could talk.
I don't know how this resolves.
But I do know the review Flux.ai tried to suppress is now the thing everyone's looking for.
And the question it was asking — about their IP, their traction, their user base — is now the question everyone's asking.