From teenage cyber-thug to Europe’s most wanted
- Published
A notorious hacker who was one of Europe’s most wanted criminals has been jailed for blackmailing 33,000 therapy patients with their stolen session notes.
Julius Kivimäki's imprisonment brings to an end an 11-year cyber-crime spree that started when he rose to prominence in a network of anarchic teenage hacking gangs at the age of just 13.
Tiina was cooling off after the customary Finnish Saturday night sauna when her phone pinged.
It was an email from an anonymous sender who somehow had her name, social security number and other private details.
“At first I was struck by how polite it was and how nice the tone was,” she recalls.
“Dear Mrs Parikka” the sender wrote, before outlining that they had obtained her private information from a psychotherapy centre where she was a patient. Almost apologetically the emailer explained that they were contacting her directly because the company was ignoring the fact that personal data had been stolen.
Two years of thorough records taken by her therapist during dozens of intimate sessions were now in the hands of this unknown blackmailer.
If she did not pay a ransom within 24 hours they would all be published online.
“It was a suffocating feeling,” she says. “I was sat there in my robe feeling like someone had invaded my private world and was trying to make money with my life’s trauma.”
Tiina realised quickly she was not alone.
A total of 33,000 other therapy patients also had their records stolen and thousands were being blackmailed in what is the largest number of victims in a criminal case in Finland.
The stolen database from Vastaamo psychotherapy contained the deepest secrets of a large cross-section of society including children. Sensitive conversations on subjects from extra-marital affairs to confessions of crimes were now a bargaining chip.
Mikko Hyppönen, from Finnish cyber-security firm WithSecure, who researched the attack, says the event caused shockwaves in the country and led news bulletins for days. “A hack on this scale is a disaster for Finland - everyone knew someone affected," he says.
This was all happening in 2020 during the pandemic lockdowns and the case stunned the cyber-security world.
The impact of the emails was immediate and devastating. Lawyer Jenni Raiskio represents 2,600 of the victims and, at the trial, said her firm had been contacted by people whose relatives had taken their own lives after the patient records were published online. She led a moment of silence in the court for the victims.
The blackmailer, known only as ransom_man by his sign-off online, demanded victims pay him €200 Euros (£171) within 24 hours otherwise he would publish their information. If they didn't meet that deadline he increased it to €500.
About 20 people paid before the victims realised it was already too late. Their information was already published the day before when ransom_man accidentally leaked the entire database to a forum on the darknet.
It is all still there today.
Mikko and his team spent time tracking the hack and trying to help police, and theories began to emerge that the hacker was likely to be from Finland.
One of the largest police investigations in the country’s history closed in on one young Finn who was already infamous in the cyber-crime world.
Zeekill crime spree
Kivimäki, who called himself Zeekill as a teenage hacker, did not become the notorious figure he is by being careful.
As a teenager he was all about hacking, extorting and bragging as loudly as he could. Alongside hacker teams Lizard Squad and Hack the Planet he revelled in causing chaos in the extremely active teen hacking period of the 2010s.
Kivimäki was a key player, carrying out dozens of high-profile attacks until, aged 17, he was arrested in 2014 and subsequently found guilty of 50,700 hacking offences.
Controversially he was not jailed. His two-year suspended prison sentence was criticised by many in the cyber-security world. Even for Finland’s famously lenient sentences, the fear was that Kivimäki and his accomplices - mostly other teenagers dispersed around the English-speaking world - would not be deterred.
Like many of his peers during this tumultuous time, Kivimäki did not seem to let police run-ins stop him. After his arrest, and before his sentence, he carried out one of the most audacious attacks of any teenage hacking gang.
He and Lizard Squad took the two largest gaming platforms offline on Christmas Eve and Christmas Day. Playstation Network and Xbox Live went down after the services were hit with an unsophisticated but powerful technique known as a Distributed Denial of Service attack. Tens of millions of gamers were unable to download games, register new consoles or play with their friends online.
Kivimäki enjoyed the attention of the world’s media and even accepted a TV interview with me for Sky News, where he showed no remorse for the attack.
Another hacker from Zeekill's Lizard Squad gang told the BBC that Kivimaki was a vindictive teen who loved to get revenge on rivals and show off his skills online.
"He was very good at what he did and didn't care about the consequences. He would always go further than others in attacks.
"Despite the attention on him he would make bomb threats and serious prank calls himself with no voice disguising," Ryan said. He didn't want to give his surname as he is still unknown to authorities.
Aside from being linked to a few smaller-scale hacks after his sentencing, Kivimäki went largely unheard of for years until his name was linked to the Vastaamo psychotherapy attack.
Red Notice Issued
It took Finnish police nearly two years to gather evidence to issue an Interpol Red Notice for him and he became one of Europe’s most wanted criminals. But no-one knew where the now 25-year-old was.
He was tracked down by mistake last February when police in Paris went to his apartment after getting a false domestic disturbance call. They found Kivimäki had been living with forged identity documents under a fake name.
He was swiftly extradited to Finland where police began preparing for one of the most high-profile trials in the country’s history.
Det Ch Supt Marko Leponen lead the three-year case and says it was the biggest of his career. “We had more than 200 officers on the case at one point and it was an intense investigation with so many victim statements and stories to go through.”
Kivimäki's trial was a major story for the country with reporters there every day and international media present when he took the stand.
I was in court for the first day of his evidence and he maintained his innocence calmly and with occasional jokes told to the silenced courtroom.
But the evidence against him was overwhelming.
Det Leponen says linking Kivimäki's bank account to the server used to download the stolen data was crucial.
His officers also used novel forensics techniques to extract Kivimäki's fingerprint from an otherwise anonymous picture he posted under an online pseudonym.
“We were able to prove that this anonymous person posting on the forum was Kivimäki. It was unbelievable but it shows that you have to use every measure you know and try those you don’t,” said Det Leponen.
In the end the judges delivered their verdict finding him guilty of all counts.
According to the court, Kivimäki was guilty of more than 30,000 crimes - one for each victim. He was charged with aggravated data breach, attempted aggravated blackmail, 9,231 aggravated dissemination of information infringing private life, 20,745 attempted aggravated blackmail and 20 aggravated blackmail.
He was sentenced to six years and three months in prison out of a maximum seven years, but he is likely to serve only half because of time already served and the Finnish justice system.
For victims like Tiina, this is nowhere near long enough.
“So many people were affected by this in so many ways - 33,000 people is a lot of victims and it’s affected our health, and some have been targeted with financial scams as well using the stolen data too,” she says.
Meanwhile she and the other victims are waiting to see if there is any compensation from the case.
Kivimäki has agreed in principle to settle out of court with one group of victims, but others are planning civil cases against either him or Vastaamo itself.
The psychotherapy company is now defunct and its founder has been given a suspended prison sentence for failing to protect patient data. Kivimäki has not told police how much money he has in bitcoin and claims to have forgotten his digital wallet details.
Ms Raisko hopes that the state might be able to step in but says it could take many more months if not years to go through each individual case to assess how much harm was caused.
There are even calls to change the law to help deal with future mass hack cases like this.
“This really is historical in Finland because our system is not ready for this amount of victims. The Vastaamo hack has showed us that we have to have to be prepared for these large cases so I hope there’s a change. This is not going to end here,” she says.