From teenage cyber-thug to Europe’s most wanted
A notorious cybercriminal, once one of Europe’s most wanted, has been sentenced to prison for extorting 33,000 therapy patients by threatening to expose their stolen session notes.
Julius Kivimäki’s incarceration marks the culmination of an 11-year cybercrime spree that began when he gained notoriety as a member of anarchic teenage hacking groups at the tender age of 13.
Tiina had just finished her customary Finnish Saturday night sauna when her phone chimed with a notification.
It was an email from an unknown sender, who somehow possessed her name, social security number, and other sensitive details.
“At first, I was struck by its politeness and the gentle tone,” she remembers.
“Dear Mrs. Parikka,” the email began, before revealing that the sender had obtained Tiina’s private information from a psychotherapy center where she was a patient.
Almost apologetically, the sender explained that they were reaching out directly because the company had disregarded the fact that personal data had been compromised.
Two years’ worth of detailed records, meticulously kept by her therapist during numerous intimate sessions, were now in the possession of this anonymous extortionist.
Unless she paid a ransom within 24 hours, they threatened to publish all the information online.
“It felt like suffocation,” she says. “Sitting there in my robe, it felt as though someone had intruded upon my private world and was attempting to profit from my life’s traumas.”
Tiina soon realized she wasn’t the only victim.
A staggering 33,000 other therapy patients had their records stolen, and thousands were being blackmailed, marking the largest number of victims in a criminal case in Finland.
The stolen database from Vastaamo psychotherapy contained the deepest secrets of a large cross-section of society including children. Sensitive conversations on subjects from extra-marital affairs to confessions of crimes were now a bargaining chip.
Mikko Hyppönen, from Finnish cyber-security firm WithSecure, who researched the attack, says the event caused shockwaves in the country and led news bulletins for days. “A hack on this scale is a disaster for Finland – everyone knew someone affected,” he says.
This was all happening in 2020 during the pandemic lockdowns and the case stunned the cyber-security world.
The impact of the emails was immediate and devastating. Lawyer Jenni Raiskio represents 2,600 of the victims and, at the trial, said her firm had been contacted by people whose relatives had taken their own lives after the patient records were published online. She led a moment of silence in the court for the victims.
The blackmailer, known only as ransom_man by his sign-off online, demanded victims pay him 200 Euros (£171) within 24 hours otherwise he would publish their information. If they didn’t meet that deadline he increased it to €500.
About 20 people paid before the victims realized it was already too late. Their information was already published the day before when ransom_man accidentally leaked the entire database to a forum on the darknet.
It is all still there today.
Mikko and his team spent time tracking the hack and trying to help police, and theories began to emerge that the hacker was likely to be from Finland.
One of the largest police investigations in the country’s history closed in on one young Finn who was already infamous in the cyber-crime world.
Kivimäki, who called himself Zeekill as a teenage hacker, did not become the notorious figure he is by being careful.
As a teenager, he was all about hacking, extorting, and bragging as loudly as he could. Alongside hacker teams Lizard Squad and Hack the Planet he revelled in causing chaos in the extremely active teen hacking period of the 2010s.
Kivimäki was a key player, carrying out dozens of high-profile attacks until, aged 17, he was arrested in 2014 and subsequently found guilty of 50,700 hacking offenses.
Controversially he was not jailed. His two-year suspended prison sentence was criticized by many in the cyber-security world.
Even for Finland’s famously lenient sentences, the fear was that Kivimäki and his accomplices – mostly other teenagers dispersed around the English-speaking world – would not be deterred.
Like many of his peers during this tumultuous time, Kivimäki did not seem to let police run-ins stop him. After his arrest, and before his sentence, he carried out one of the most audacious attacks of any teenage hacking gang.
He and Lizard Squad took the two largest gaming platforms offline on Christmas Eve and Christmas Day.
Playstation Network and Xbox Live went down after the services were hit with an unsophisticated but powerful technique known as a Distributed Denial of Service attack.
Tens of millions of gamers were unable to download games, register new consoles, or play with their friends online.
Kivimäki enjoyed the attention of the world’s media and even accepted a TV interview with me for Sky News, where he showed no remorse for the attack.
Another hacker from Zeekill’s Lizard Squad gang told the BBC that Kivimaki was a vindictive teen who loved to get revenge on rivals and show off his skills online.
“He was very good at what he did and didn’t care about the consequences. He would always go further than others in attacks.
“Despite the attention on him he would make bomb threats and serious prank calls himself with no voice disguising,” Ryan said. He didn’t want to give his surname as he was still unknown to authorities.
Aside from being linked to a few smaller-scale hacks after his sentencing, Kivimäki went largely unheard of for years until his name was linked to the Vastaamo psychotherapy attack.
It took Finnish police nearly two years to gather evidence to issue an Interpol Red Notice for him and he became one of Europe’s most wanted criminals. But no one knew where the now 25-year-old was.
He was tracked down by mistake last February when police in Paris went to his apartment after getting a false domestic disturbance call. They found Kivimäki had been living with forged identity documents under a fake name.
He was swiftly extradited to Finland where police began preparing for one of the most high-profile trials in the country’s history.
Det Ch Supt Marko Leponen led the three-year case and says it was the biggest of his career. “We had more than 200 officers on the case at one point and it was an intense investigation with so many victim statements and stories to go through.”
Kivimäki’s trial was a major story for the country with reporters there every day and international media present when he took the stand.
I was in court for the first day of his evidence and he maintained his innocence calmly and with occasional jokes told to the silenced courtroom.
But the evidence against him was overwhelming.
Det Leponen says linking Kivimäki’s bank account to the server used to download the stolen data was crucial.
His officers also used novel forensics techniques to extract Kivimäki’s fingerprint from an otherwise anonymous picture he posted under an online pseudonym.
“We were able to prove that this anonymous person posting on the forum was Kivimäki. It was unbelievable but it shows that you have to use every measure you know and try those you don’t,” said Det Leponen.
In the end, the judges delivered their verdict finding him guilty of all counts.
According to the court, Kivimäki was guilty of more than 30,000 crimes – one for each victim. He was charged with aggravated data breach, attempted aggravated blackmail, 9,231 aggravated dissemination of information infringing private life, 20,745 attempted aggravated blackmail, and 20 aggravated blackmail.
He was sentenced to six years and three months in prison out of a maximum of seven years, but he is likely to serve only half because of the time already served and the Finnish justice system.
For victims like Tiina, this is nowhere near long enough.
“So many people were affected by this in so many ways – 33,000 people are a lot of victims and it’s affected our health, and some have been targeted with financial scams as well using the stolen data too,” she says.
Meanwhile, she and the other victims are waiting to see if there is any compensation from the case.
Kivimäki has agreed in principle to settle out of court with one group of victims, but others are planning civil cases against either him or Vastaamo itself.
The psychotherapy company is now defunct and its founder has been given a suspended prison sentence for failing to protect patient data. Kivimäki has not told police how much money he has in Bitcoin and claims to have forgotten his digital wallet details.
Ms Raisko hopes that the state might be able to step in but says it could take many more months if not years to go through each case to assess how much harm was caused.
There are even calls to change the law to help deal with future mass hack cases like this.
“This is historical in Finland because our system is not ready for this amount of victims. The Vastaamo hack has shown us that we have to have to be prepared for these large cases so I hope there’s a change. This is not going to end here,” she says.