Hacker Julius Kivimäki, one of Europe’s most wanted criminals, has been jailed for blackmailing 33,000 patients whose therapy notes he stole. Kivimäki’s sentencing marks the end of an 11-year cybercrime series that began when he was just 13 years old.
Tiina, who lives in Finland, was resting after the sauna on Saturday night when her phone rang.
The email, from an anonymous caller, included his name, social security number and other private information.
The sender claimed that they received Tiina’s private information from a psychotherapy center where he was a client. He said that they contacted him directly because the company ignored the fact that personal data was stolen.
Records of dozens of sessions held between Tiina and her therapist over two years were now in the hands of this unknown blackmailer.
If he didn’t pay the ransom they wanted within 24 hours, all of this would be published on the internet.
About her feelings at that moment, Tiina said, “I felt like I was drowning,” and soon realized that she was not alone.
How did it get to this point?
In total, the records of 33 thousand therapy clients were stolen and thousands of people were blackmailed. The case was recorded as the criminal case involving the most victims in Finland.
The database stolen from the Vastaamo psychotherapy center contained the most secret secrets of a wide segment of society, including children.
Sensitive conversations on topics ranging from extramarital affairs to criminal confessions had now become bargaining chips.
“An attack of this scale was a disaster for Finland; everyone knew someone who was affected,” says Mikko Hyppönen of WithSecure, a Finnish cybersecurity firm that investigated the attack.
Blackmail emails sent during coronavirus pandemic quarantines in 2020 had a devastating effect.
Lawyer Jenni Raiskio, who represents 2,600 of the victims, said at the hearing that people whose relatives committed suicide contacted her firm after patient records were published on the internet.
A minute of silence was held in court for the victims.
The blackmailer, known online as ‘ransom_man’, demanded that the victims pay him 200 euros within 24 hours, otherwise he would publish their information online. He increased the ransom price to 500 euros for latecomers.
About 20 people paid, but it was too late. Ransom_man’s information had already been published because he accidentally leaked his entire database to a forum on the darknet.
Information is still shared on the internet.
Mikko and his team from the cybersecurity firm worked to assist police with the investigation.
One of the largest police investigations in the country’s history has resulted in the capture of a young Finn who was already notorious in the world of cybercrime.
List of serial crimes committed by Zeekill
Kivimäki, a young hacker who introduced himself as Zeekill, was a person who carried out dozens of high-profile attacks in the 2010s, alongside hacking groups such as Lizard Squad and Hack the Planet.
Kivimäki was detained in 2014, when he was 17, and found guilty of 50,700 hacking attacks.
However, he was not imprisoned. The prevailing opinion was that Kivimäki and his accomplices could not be deterred in this way.
After his detention, he carried out one of the boldest attacks of young hacking groups.
He and a group called Lizard Squad took down the world’s two largest gaming platforms, Playstation Network and Xbox Live, during Christmas 2014.
As a result of this cyber attack, tens of millions of players were unable to download games, play online with their friends, or register their newly purchased consoles into the system.
Kivimäki managed to attract the attention of the press during this period. In an interview with television channel Sky News, he gave the impression that he did not regret the attack.
Another hacker from the Lizard Squad gang described Kivimäki in his statement to the BBC as a spiteful young man who loved to show off and take revenge on his rivals.
This person named Ryan, who did not want to give his last name, said, “He was very good at what he did and did not care about the consequences. He would always go further than others in cyber attacks,” and continued:
“He would make bomb threats and serious prank phone calls and not hide his voice.”
Kivimäki’s name was not widely heard until the Vastaamo attack.
Red notice issued
It took nearly two years for Finnish police to gather enough evidence to issue a Red Notice against him.
Meanwhile, 25-year-old Kivimäki became one of Europe’s most wanted criminals, but his whereabouts were unknown.
Last February, Paris police mistakenly found her when they went to her home after receiving a fake domestic violence report.
Police found that Kivimäki was living under a false name with false identity documents.
Kivimäki was quickly extradited to Finland and preparations began for one of the most high-profile trials in the country’s history.
“At one point we had more than 200 officers working on this. This was an intense investigation that required examining the stories of many victims,” says Marko Leponen, the detective who led the three-year case.
Leponen says proving that the stolen data was downloaded via Kivimäki’s bank account was a crucial step.
Police officials, who wanted to obtain Kivimäki’s fingerprints as part of the investigation, used the latest forensic methods to examine an anonymous photo he shared on the internet under an assumed name.
Leponen said, “We managed to prove that this anonymous person who posted on the forum was Kivimäki. “This was incredible and showed us that we should use every precaution we know and try the ones we don’t know,” he says.
Kivimäk was charged with aggravated data breach, attempted aggravated blackmail, 9,231 counts of aggravated dissemination of information that violates privacy, 20,745 counts of attempted aggravated blackmail, and 20 counts of aggravated blackmail.
Kivimäk was sentenced to 6 years and 3 months in prison.
But victims like Tiina say that’s not enough.
“So many people have been affected by this incident in so many different ways. 33 thousand victims is a very high number and it has affected the health of all of us. Some of us have also been the target of fraud.”
Vastaamo psychotherapy company was dissolved and its founder given a suspended prison sentence for failing to protect patient data.
Kivimäki did not disclose to the police how many bitcoins he had and claimed he had forgotten his digital wallet details.
Meanwhile, calls are growing for Finnish laws to be changed to help deal with such cases in the future.