A 25-year-old Finnish man has been charged with extorting a once popular and now-bankrupt online psychotherapy company and its patients. Finnish authorities rarely name suspects in an investigation, but they were willing to make an exception for Julius “Zeekill” Kivimaki, a notorious hacker who, at the tender age of 17, had been convicted of more than 50,000 cybercrimes, including data breaches, payment fraud, operating botnets, and calling in bomb threats.
In late October 2022, Kivimaki was charged (and arrested in absentia, according to the Finns) with attempting to extort money from the Vastaamo Psychotherapy Center. On October 21, 2020, Vastaamo became the target of blackmail when a tormentor identified as “ransom_man” demanded payment of 40 bitcoins (~450,000 euros at the time) in return for a promise not to publish highly sensitive therapy session notes Vastaamo had exposed online.
In a series of posts over the following days on a Finnish-language dark web discussion board, ransom_man said Vastaamo appeared unwilling to negotiate a payment, and that he would start publishing 100 patient profiles every 24 hours “to provide further incentive for the company to continue communicating with us.”
“We’re not asking for much, approximately 450,000 euros which is less than 10 euros per patient and only a small fraction of the around 20 million yearly revenues of this company,” ransom_man wrote.
When Vastaamo declined to pay, ransom_man shifted to extorting individual patients. According to Finnish police, some 22,000 victims reported extortion attempts targeting them personally, targeted emails that threatened to publish their therapy notes online unless paid a 500 euro ransom.
On Oct. 23, 2020, ransom_man uploaded to the dark web a large compressed file that included all of the stolen Vastaamo patient records. But investigators found the file also contained an entire copy of ransom_man’s home folder, a likely mistake that exposed a number of clues that they say point to Kivimaki.
Ransom_man quickly deleted the large file (accompanied by a “whoops” notation), but not before it had been downloaded a number of times. The entire archive has since been made into a searchable website on the Dark Web.
Among those who grabbed a copy of the database was Antti Kurittu, a former criminal investigator at the Helsinki Police Department. In 2013, Kurittu worked on an investigation involving Kivimaki’s use of the Zbot botnet, among other activities Kivimaki engaged in as a member of the hacker group Hack the Planet.
“It was a huge opsec [operational security] fail, because they had a lot of stuff in there — including the user’s private SSH folder, and a lot of known hosts that we could take a very good look at,” Kurittu told KrebsOnSecurity, declining to discuss specifics of the evidence investigators seized. “There were also other projects and databases.”
Kurittu said he and others who worked on the investigation into Kivimaki’s earlier cybercrimes couldn’t shake the suspicion that the infamous cybercriminal was also behind the Vastaamo extortion.
“I couldn’t find anything that would link that data directly to one individual, but there were enough indicators in there that put the name in my head and I couldn’t shake it,” Kurittu said. “I told the police this back in 2020, and when they named him as the prime suspect I was not surprised.”
A handful of individually extorted victims paid a ransom, but when news broke that the entire Vastaamo database had been leaked online, the extortion threats no longer held their sting. However, someone would soon set up a site on the dark web where anyone could search this sensitive data.
Kivimaki stopped using his middle name Julius in favor of his given first name Aleksanteri when he moved abroad several years ago. A Twitter account by that name was verified by Kivimaki’s attorney as his, and through that account he denied being involved in the Vastaamo extortion.
“I believe [the Finnish authorities] brought this to the public in order to influence the decision-making of my old case from my teenage years, which was just processed in the Court of Appeal, both cases are investigated by the same persons,” Kivimaki tweeted on Oct. 28.
Kivimaki is appealing a 2020 district court decision sentencing him to “one year of conditional imprisonment for two counts of fraud committed as a young person, and one of gross fraud, interference with telecommunications as a young person, aggravated data breach as a young person and incitement to fraud as a young person,” according to the Finnish tabloid Ilta-Sanomat.
“Now in the Court of Appeal, the prosecutor is demanding a harsher punishment for the man, i.e. unconditional imprisonment,” reads the Ilta-Sanomat story. “The prosecutor notes in his complaint that the young man has been committing cybercrimes from Espoo since he was 15 years old, and the actions have had to be painstakingly investigated through international legal aid.”
As described in this Wired story last year, Vastaamo filled an urgent demand for psychological counseling, and it won accolades from Finnish health authorities and others for its services.
“Vastaamo was a private company, but it seemed to operate in the same spirit of tech-enabled ease and accessibility: You booked a therapist with a few clicks, wait times were tolerable, and Finland’s Social Insurance Institution reimbursed a big chunk of the session fee (provided you had a diagnosed mental disorder),” William Ralston wrote for Wired. “The company was run by Ville Tapio, a 39-year-old coder and entrepreneur with sharp eyebrows, slicked-back brown hair, and a heavy jawline. He’d cofounded the company with his parents. They pitched Vastaamo as a humble family-run enterprise committed to improving the mental health of all Finns.”
But for all the good it brought, the healthcare records management system that Vastaamo used relied on little more than a MySQL database that was left dangerously exposed to the web for 16 months, guarded by nothing more than an administrator account with a blank password.
The Finnish daily Iltalehti said Tapio was relieved of his duties as CEO of Vastaamo in October 2020, and that in September, prosecutors brought charges against Tapio for a data protection offense in connection with Vastaamo’s information leak.
“According to Vastaamo, the data breach in Vastaamo’s customer databases took place in November 2018,” Iltalehti reported last month. “According to Vastaamo, Tapio concealed information about the data breach for more than a year and a half.”