A 25-year-old Finnish man has been charged with extorting a once popular and now-bankrupt online psychotherapy firm and its patients. Finnish authorities rarely name suspects in an investigation, but they were willing to make an exception for Julius “Zeekill” Kivimaki, a notorious hacker who — at the tender age of 17 — had been convicted of more than 50,000 cybercrimes, including data breaches, payment fraud, operating botnets, and calling in bomb threats.
In late October 2022, Kivimaki was charged (and arrested in absentia, according to the Finns) with attempting to extort money from the Vastaamo Psychotherapy Center. On October 21, 2020, Vastaamo became the target of blackmail when a tormentor identified as “ransom_man” demanded payment of 40 bitcoins (~450,000 euros at the time) in return for a promise not to publish highly sensitive therapy session notes Vastaamo had exposed online.
In a series of posts over the following days on a Finnish-language dark net discussion board, ransom_man said Vastaamo appeared unwilling to negotiate a payment, and that he would start publishing 100 patient profiles every 24 hours “to provide further incentive for the company to continue speaking with us.”
“We’re not asking for a lot, roughly 450,000 euros which is less than 10 euros per patient and only a small fraction of the around 20 million yearly revenues of this firm,” ransom_man wrote.
When Vastaamo declined to pay, ransom_man shifted to extorting individual patients. According to Finnish police, some 22,000 victims reported extortion attempts targeting them personally, targeted emails that threatened to publish their therapy notes online unless paid a 500 euro ransom.
On Oct. 23, 2020, ransom_man uploaded to the dark web a large compressed file that included all of the stolen Vastaamo patient records. But investigators found the file also contained an entire copy of ransom_man’s home folder, a likely mistake that exposed a number of clues that they say point to Kivimaki.
Ransom_man quickly deleted the large file (accompanied by a “whoops” notation), but not before it had been downloaded a number of times. The entire archive has since been made into a searchable website on the Dark Web.
Amongst those that grabbed a duplicate of the database was Antti Kurittu, a workforce lead at Nixu Company and a former legal investigator. In 2013, Kurittu labored on investigation involving Kivimaki’s use of the Zbot botnet, amongst different actions Kivimaki engaged in as a member of the hacker group Hack the Planet.
“It was a huge opsec [operational security] fail, because they had a lot of stuff in there — including the user’s private SSH folder, and a lot of known hosts that we could take a very good look at,” Kurittu told KrebsOnSecurity, declining to discuss specifics of the evidence investigators seized. “There were also other projects and databases.”
Kurittu said he and others who were familiar with illegal activities that were attributed to Kivimäki couldn’t shake the suspicion that the infamous cybercriminal was also behind the Vastaamo extortion.
“I couldn’t find anything that would link that data directly to one individual, but there were enough indicators in there that put the name in my head and I couldn’t shake it,” Kurittu said. “When they named him as the prime suspect I was not surprised.”
A handful of individually extorted victims paid a ransom, but when news broke that the entire Vastaamo database had been leaked online, the extortion threats no longer held their sting. However, someone would soon set up a website on the dark web where anyone could search this sensitive data.
Kivimaki stopped using his middle name Julius in favor of his given first name Aleksanteri when he moved abroad several years ago. A Twitter account by that name was verified by Kivimaki’s attorney as his, and through that account he denied being involved in the Vastaamo extortion.
“I believe [the Finnish authorities] brought this to the public in order to influence the decision-making of my old case from my teenage years, which was just processed in the Court of Appeal, both cases are investigated by the same people,” Kivimaki tweeted on Oct. 28.
Kivimaki is appealing a 2020 district court decision sentencing him to “one year of conditional imprisonment for two counts of fraud committed as a teenager, and one of gross fraud, interference with telecommunications as a teenager, aggravated data breach as a teenager and incitement to fraud as a teenager,” according to the Finnish tabloid Ilta-Sanomat.
“Now in the Court of Appeal, the prosecutor is demanding a harsher punishment for the man, i.e. unconditional imprisonment,” reads the Ilta-Sanomat story. “The prosecutor notes in his complaint that the young man has been committing cybercrimes from Espoo since he was 15 years old, and the actions have had to be painstakingly investigated through international legal aid.”
As described in this Wired story last year, Vastaamo filled an urgent demand for psychological counseling, and it won accolades from Finnish health authorities and others for its services.
“Vastaamo was a private company, but it seemed to operate in the same spirit of tech-enabled ease and accessibility: You booked a therapist with a few clicks, wait times were tolerable, and Finland’s Social Insurance Institution reimbursed a big chunk of the session fee (provided you had a diagnosed mental disorder),” William Ralston wrote for Wired. “The company was run by Ville Tapio, a 39-year-old coder and entrepreneur with sharp eyebrows, slicked-back brown hair, and a heavy jawline. He’d cofounded the company with his parents. They pitched Vastaamo as a humble family-run enterprise committed to improving the mental health of all Finns.”
But for all the good it brought, the healthcare records management system that Vastaamo used relied on little more than a MySQL database that was left dangerously exposed to the web for 16 months, guarded by nothing more than an administrator account with a blank password.
The Finnish daily Iltalehti said Tapio was relieved of his duties as CEO of Vastaamo in October 2020, and that in September, prosecutors brought charges against Tapio for a data protection offense in connection with Vastaamo’s information leak.
“According to Vastaamo, the data breach in Vastaamo’s customer databases took place in November 2018,” Iltalehti reported last month. “According to Vastaamo, Tapio concealed information about the data breach for more than a year and a half.”