A 25-year-old Finnish man has been charged with extorting a as soon as standard and now-bankrupt on-line psychotherapy firm and its sufferers. Finnish authorities not often title suspects in an investigation, however they have been prepared to make an exception for Julius “Zeekill” Kivimaki, a infamous hacker who — on the tender age of 17 — had been convicted of greater than 50,000 cybercrimes, together with information breaches, cost fraud, working botnets, and calling in bomb threats.
In late October 2022, Kivimaki was charged (and arrested in absentia, in accordance with the Finns) with making an attempt to extort cash from the Vastaamo Psychotherapy Heart. On October 21, 2020, Vastaamo turned the goal of blackmail when a tormentor recognized as “ransom_man” demanded cost of 40 bitcoins (~450,000 euros on the time) in return for a promise to not publish extremely delicate remedy session notes Vastaamo had uncovered on-line.
In a collection of posts over the following days on a Finnish-language darkish internet dialogue board, ransom_man mentioned Vastaamo appeared unwilling to barter a cost, and that he would begin publishing 100 affected person profiles each 24 hours “to offer additional incentive for the corporate to proceed speaking with us.”
“We’re not asking for a lot, roughly 450,000 euros which is lower than 10 euros per affected person and solely a small fraction of the round 20 million yearly revenues of this firm,” ransom_man wrote.
When Vastaamo declined to pay, ransom_man shifted to extorting particular person sufferers. In line with Finnish police, some 22,000 victims reported extortion makes an attempt focusing on them personally, focused emails that threatened to publish their remedy notes on-line except paid a 500 euro ransom.
The extortion message focused Vastaamo sufferers.
On Oct. 23, 2020, ransom_man uploaded to the darkish internet a big compressed file that included the entire stolen Vastaamo affected person information. However investigators discovered the file additionally contained a whole copy of ransom_man’s house folder, a probable mistake that uncovered numerous clues that they are saying level to Kivimaki.
Ransom_man rapidly deleted the massive file (accompanied by a “whoops” notation), however not earlier than it had been downloaded numerous instances. Your entire archive has since been made right into a searchable web site on the Darkish Internet.
Amongst those that grabbed a replica of the database was Antti Kurittu, a former prison investigator on the Helsinki Police Division. In 2013, Kurritu labored on investigation involving Kivimaki’s use of the Zbot botnet, amongst different actions Kivimaki engaged in as a member of the hacker group Hack the Planet.
“It was an enormous opsec [operational security] fail, as a result of that they had lots of stuff in there — together with the person’s personal SSH folder, and lots of identified hosts that we may take an excellent take a look at,” Kurittu advised KrebsOnSecurity, declining to debate specifics of the proof investigators seized. “There have been additionally different initiatives and databases.”
Kurittu mentioned he and others who labored on the investigation into Kivimaki’s earlier cybercrimes couldn’t shake the suspicion that the notorious cybercriminal was additionally behind the Vastaamo extortion.
“I couldn’t discover something that may hyperlink that information straight to 1 particular person, however there have been sufficient indicators in there that put the title in my head and I couldn’t shake it,” Kurittu mentioned. “I advised the police this again in 2020, and once they named him because the prime suspect I used to be not stunned.”
A handful of individually extorted victims paid a ransom, however when information broke that all the Vastaamo database had been leaked on-line, the extortion threats not held their sting. Nonetheless, somebody would quickly arrange a web site on the darkish internet the place anybody may search this delicate information.
Kivimaki stopped utilizing his center title Julius in favor of his given first title Aleksanteri when he moved overseas a number of years in the past. A Twitter account by that title was verified by Kivimaki’s lawyer as his, and thru that account he denied being concerned within the Vastaamo extortion.
“I imagine [the Finnish authorities] introduced this to the general public with a purpose to affect the decision-making of my previous case from my teenage years, which was simply processed within the Courtroom of Enchantment, each circumstances are investigated by the identical individuals,” Kivimaki tweeted on Oct. 28.
Kivimaki is interesting a 2020 district courtroom resolution sentencing him to “one 12 months of conditional imprisonment for 2 counts of fraud dedicated as an adolescent, and one among gross fraud, interference with telecommunications as an adolescent, aggravated information breach as an adolescent and incitement to fraud as an adolescent,” in accordance with the Finnish tabloid Ilta-Sanomat.
“Now within the Courtroom of Enchantment, the prosecutor is demanding a harsher punishment for the person, i.e. unconditional imprisonment,” reads the Ilta-Sanomat story. “The prosecutor notes in his criticism that the younger man has been committing cybercrimes from Espoo since he was 15 years previous, and the actions have needed to be painstakingly investigated by worldwide authorized support.”
As described on this Wired story final 12 months, Vastaamo stuffed an pressing demand for psychological counseling, and it gained accolades from Finnish well being authorities and others for its providers.
“Vastaamo was a non-public firm, however it appeared to function in the identical spirit of tech-enabled ease and accessibility: You booked a therapist with a number of clicks, wait instances have been tolerable, and Finland’s Social Insurance coverage Establishment reimbursed an enormous chunk of the session charge (supplied you had a recognized psychological dysfunction),” William Ralston wrote for Wired. “The corporate was run by Ville Tapio, a 39-year-old coder and entrepreneur with sharp eyebrows, slicked-back brown hair, and a heavy jawline. He’d cofounded the corporate along with his dad and mom. They pitched Vastaamo as a humble family-run enterprise dedicated to enhancing the psychological well being of all Finns.”
However for all the nice it introduced, the healthcare information administration system that Vastaamo used relied on little greater than a MySQL database that was left dangerously uncovered to the online for 16 months, guarded by nothing greater than an administrator account with a clean password.
The Finnish day by day Iltalehti mentioned Tapio was relieved of his duties as CEO of Vastaamo in October 2020, and that in September, prosecutors introduced costs in opposition to Tapio for a knowledge safety offense in reference to Vastaamo’s data leak.
“In line with Vastaamo, the information breach in Vastaamo’s buyer databases came about in November 2018,” Iltalehti reported final month. “In line with Vastaamo, Tapio hid details about the information breach for greater than a 12 months and a half.”
