A 25-year-old Finnish man has been charged with extorting a once popular and now-bankrupt online psychotherapy firm and its patients. Finnish authorities rarely name suspects in an investigation, but they were willing to make an exception for Julius “Zeekill” Kivimaki, a notorious hacker who — at the tender age of 17 — had been convicted of more than 50,000 cybercrimes, including data breaches, payment fraud, operating botnets, and calling in bomb threats.
In late October 2022, Kivimaki was charged (and arrested in absentia, according to the Finns) with attempting to extort money from the Vastaamo Psychotherapy Center. On October 21, 2020, Vastaamo became the target of blackmail when a tormentor identified as “ransom_man” demanded payment of 40 bitcoins (~450,000 euros at the time) in return for a promise not to publish highly sensitive therapy session notes Vastaamo had exposed online.
In a series of posts over the following days on a Finnish-language dark web discussion board, ransom_man said Vastaamo appeared unwilling to negotiate a payment, and that he would start publishing 100 patient profiles every 24 hours “to provide additional incentive for the company to continue speaking with us.”
“We’re not asking for much, roughly 450,000 euros which is less than 10 euros per patient and only a small fraction of the around 20 million yearly revenues of this company,” ransom_man wrote.
When Vastaamo declined to pay, ransom_man shifted to extorting individual patients. According to Finnish police, some 22,000 victims reported extortion attempts targeting them personally, targeted emails that threatened to publish their therapy notes online unless paid a 500 euro ransom.
On Oct. 23, 2020, ransom_man uploaded to the dark web a large compressed file that included all of the stolen Vastaamo patient records. But investigators found the file also contained an entire copy of ransom_man’s home folder, a likely mistake that exposed a number of clues that they say point to Kivimaki.
Ransom_man quickly deleted the large file (accompanied by a “whoops” notation), but not before it had been downloaded a number of times. The entire archive has since been made into a searchable website on the dark web.
Amongst those that grabbed a replica of the database was Atti Kurritu, a former felony investigator on the Helsinki Police Division. In 2013, Kurritu labored on investigation involving Kivimaki’s use of the Zbot botnet, amongst different actions Kivimaki engaged in as a member of the hacker group Hack the Planet.
“It was an enormous opsec [operational security] fail, because they had a lot of stuff in there — including the user’s private SSH folder, and a lot of known hosts that we could take a very good look at,” Kurritu told KrebsOnSecurity, declining to discuss specifics of the evidence investigators seized. “There were also other projects and databases.”
Kurritu said he and others who worked on the investigation into Kivimaki’s earlier cybercrimes couldn’t shake the suspicion that the notorious cybercriminal was also behind the Vastaamo extortion.
“I couldn’t find anything that would link that data directly to one person, but there were enough indicators in there that put the name in my head and I couldn’t shake it,” Kurritu said. “I told the police this back in 2020, and when they named him as the prime suspect I was not surprised.”
A handful of individually extorted victims paid a ransom, but when news broke that the entire Vastaamo database had been leaked online, the extortion threats no longer held their sting. However, someone would soon set up a website on the dark web where anyone could search this sensitive data.
Kivimaki stopped using his middle name Julius in favor of his given first name Aleksanteri when he moved abroad several years ago. A Twitter account by that name was verified by Kivimaki’s lawyer as his, and through that account he denied being involved in the Vastaamo extortion.
“I believe [the Finnish authorities] brought this to the public in order to influence the decision-making of my old case from my teenage years, which was just processed in the Court of Appeal, both cases are investigated by the same people,” Kivimaki tweeted on Oct. 28.
Kivimaki is appealing a 2020 district court decision sentencing him to “one year of conditional imprisonment for two counts of fraud committed as a teenager, and one of gross fraud, interference with telecommunications as a teenager, aggravated data breach as a teenager and incitement to fraud as a teenager,” according to the Finnish tabloid Ilta-Sanomat.
“Now in the Court of Appeal, the prosecutor is demanding a harsher punishment for the man, i.e. unconditional imprisonment,” reads the Ilta-Sanomat story. “The prosecutor notes in his complaint that the young man has been committing cybercrimes from Espoo since he was 15 years old, and the actions have had to be painstakingly investigated through international legal aid.”
As described in this Wired story last year, Vastaamo filled an urgent demand for psychological counseling, and it won accolades from Finnish health authorities and others for its services.
“Vastaamo was a private company, but it seemed to operate in the same spirit of tech-enabled ease and accessibility: You booked a therapist with a few clicks, wait times were tolerable, and Finland’s Social Insurance Institution reimbursed a big chunk of the session fee (provided you had a diagnosed mental disorder),” William Ralston wrote for Wired. “The company was run by Ville Tapio, a 39-year-old coder and entrepreneur with sharp eyebrows, slicked-back brown hair, and a heavy jawline. He’d cofounded the company with his parents. They pitched Vastaamo as a humble family-run enterprise dedicated to improving the mental health of all Finns.”
But for all the good it brought, the healthcare records management system that Ville Tapio built from scratch reportedly relied on little more than a MySQL database that was left dangerously exposed to the web for 16 months, guarded by nothing more than an administrator account with a blank password.
The Finnish daily Iltalehti said Tapio was relieved of his duties as CEO of Vastaamo in October 2020, and that in September, prosecutors brought charges against Tapio for a data protection offense in connection with Vastaamo’s information leak.
“According to Vastaamo, the data breach in Vastaamo’s customer databases took place in November 2018,” Iltalehti reported last month. “According to Vastaamo, Tapio hid information about the data breach for more than a year and a half.”