Finland’s Most-Wanted Hacker Nabbed in France

Julius “Zeekill” Kivimäki, a 25-year-old Finnish man charged with extorting a local online psychotherapy practice and leaking therapy notes for more than 22,000 patients online, was arrested this week in France. A notorious hacker convicted of perpetrating tens of thousands of cybercrimes, Kivimäki had been in hiding since October 2022, when he failed to show up in court and Finland issued an international warrant for his arrest.

In late October 2022, Kivimäki was charged (and “arrested in absentia,” according to the Finns) with attempting to extort money from the Vastaamo Psychotherapy Center. In that breach, which occurred in October 2020, a hacker using the handle “Ransom Man” threatened to publish patient psychotherapy notes if Vastaamo did not pay a six-figure ransom demand.

Vastaamo refused, so Ransom Man shifted to extorting individual patients — sending them targeted emails threatening to publish their therapy notes unless paid a 500-euro ransom.

When Ransom Man found little success extorting patients directly, they uploaded to the dark web a large compressed file containing all of the stolen Vastaamo patient records.

But as documented by KrebsOnSecurity in November 2022, security experts soon discovered Ransom Man had mistakenly included an entire copy of their home folder, where investigators found many clues pointing to Kivimäki’s involvement. From that story:

“Among those who grabbed a copy of the database was Antti Kurittu, a team lead at Nixu Corporation and a former criminal investigator. In 2013, Kurittu worked on an investigation involving Kivimäki’s use of the Zbot botnet, among other activities Kivimäki engaged in as a member of the hacker group Hack the Planet (HTP).”

“It was a huge opsec [operational security] fail, because they had a lot of stuff in there — including the user’s private SSH folder, and a lot of known hosts that we could take a very good look at,” Kurittu told KrebsOnSecurity, declining to discuss specifics of the evidence investigators seized. “There were also other projects and databases.”

According to the French news site actu.fr, Kivimäki was arrested around 7 a.m. on Feb. 3, after authorities in Courbevoie responded to a domestic violence report. Kivimäki had been out earlier with a woman at a local nightclub, and later the two returned to her home but reportedly got into a heated argument.

Police responding to the scene were admitted by another woman — possibly a roommate — and found the man inside still sleeping off a long night. When they roused him and asked for identification, the 6′ 3″ blonde, green-eyed man presented an ID that stated he was of Romanian nationality.

The French police were doubtful. After consulting records on most-wanted criminals, they quickly identified the man as Kivimäki and took him into custody.

Kivimäki initially gained notoriety as a self-professed member of the Lizard Squad, a mainly low-skilled hacker group that specialized in DDoS attacks. But American and Finnish investigators say Kivimäki’s involvement in cybercrime dates back to at least 2008, when he was introduced to a founding member of what would soon become HTP.

Finnish police said Kivimäki also used the nicknames “Ryan”, “RyanC” and “Ryan Cleary” (Ryan Cleary was actually a member of a rival hacker group — LulzSec — who was sentenced to prison for hacking).

Kivimaki and other HTP members were involved in mass-compromising web servers using known vulnerabilities, and by 2012 Kivimäki’s alias Ryan Cleary was selling access to those servers in the form of a DDoS-for-hire service. Kivimäki was 15 years old at the time.

The DDoS-for-hire service allegedly operated by Kivimäki in 2012.

In 2013, investigators going through devices seized from Kivimäki found computer code that had been used to crack more than 60,000 web servers using a previously unknown vulnerability in Adobe’s ColdFusion software.

KrebsOnSecurity detailed the work of HTP in September 2013, after the group compromised servers inside data brokers LexisNexis, Kroll, and Dun & Bradstreet.

The group used the same ColdFusion flaws to break into the National White Collar Crime Center (NWC3), a non-profit that provides research and investigative support to the U.S. Federal Bureau of Investigation (FBI).

As KrebsOnSecurity reported at the time, this small ColdFusion botnet of data broker servers was being controlled by the same cybercriminals who’d assumed control over ssndob[.]ms, which operated one of the underground’s most reliable services for obtaining Social Security Number, dates of birth and credit file information on U.S. residents.

Multiple law enforcement sources told KrebsOnSecurity that Kivimäki was responsible for making an August 2014 bomb threat against former Sony Online Entertainment President John Smedley that grounded an American Airlines plane. That incident was widely reported to have started with a tweet from the Lizard Squad, but Smedley and others said it started with a call from Kivimäki.

Kivimäki also was involved in calling in multiple fake bomb threats and “swatting” incidents — reporting fake hostage situations at an address to prompt a heavily armed police response to that location.

Kivimäki’s apparent indifference to hiding his tracks drew the interest of Finnish and American cybercrime investigators, and soon Finnish prosecutors charged him with an array of cybercrime violations. At trial, prosecutors presented evidence showing he’d used stolen credit cards to buy luxury goods and shop vouchers, and participated in a money laundering scheme that he used to fund a trip to Mexico.

Kivimäki was ultimately convicted of orchestrating more than 50,000 cybercrimes. But largely because he was still a minor at the time (17) , he was given a 2-year suspended sentence and ordered to forfeit EUR 6,558.

As I wrote in 2015 following Kivimäki’s trial:

“The danger in such a decision is that it emboldens young malicious hackers by reinforcing the already popular notion that there are no consequences for cybercrimes committed by individuals under the age of 18.

Kivimäki is now crowing about the sentence; He’s changed the description on his Twitter profile to “Untouchable hacker god.” The Twitter account for the Lizard Squad tweeted the news of Kivimäki’s non-sentencing triumphantly: “All the people that said we would rot in prison don’t want to comprehend what we’ve been saying since the beginning, we have free passes.”

Something tells me Kivimäki won’t get off so easily this time, assuming he is successfully extradited back to Finland. A statement by the Finnish police says they are seeking Kivimäki’s extradition and that they expect the process to go smoothly.

Kivimäki could not be reached for comment. But he has been discussing his case on Reddit using his legal first name — Aleksanteri (he stopped using his middle name Julius when he moved abroad several years ago). In a post dated Jan. 31, 2022, Kivimäki responded to another Finnish-speaking Reddit user who said they were a fugitive from justice.

“Same thing,” Kivimäki replied. “Shall we start some kind of club? A support organization for wanted persons?”

Hacker Charged With Extorting Online Psychotherapy Service

A 25-year-old Finnish man has been charged with extorting a once popular and now-bankrupt online psychotherapy company and its patients. Finnish authorities rarely name suspects in an investigation, but they were willing to make an exception for Julius “Zeekill” Kivimaki, a notorious hacker who — at the tender age of 17 — had been convicted of more than 50,000 cybercrimes, including data breaches, payment fraud, operating botnets, and calling in bomb threats.

In late October 2022, Kivimaki was charged (and arrested in absentia, according to the Finns) with attempting to extort money from the Vastaamo Psychotherapy Center.  On October 21, 2020, Vastaamo became the target of blackmail when a tormentor identified as “ransom_man” demanded payment of 40 bitcoins (~450,000 euros at the time) in return for a promise not to publish highly sensitive therapy session notes Vastaamo had exposed online.

In a series of posts over the ensuing days on a Finnish-language dark net discussion board, ransom_man said Vastaamo appeared unwilling to negotiate a payment, and that he would start publishing 100 patient profiles every 24 hours “to provide further incentive for the company to continue communicating with us.”

“We’re not asking for much, approximately 450,000 euros which is less than 10 euros per patient and only a small fraction of the around 20 million yearly revenues of this company,” ransom_man wrote.

When Vastaamo declined to pay, ransom_man shifted to extorting individual patients. According to Finnish police, some 22,000 victims reported extortion attempts targeting them personally, targeted emails that threatened to publish their therapy notes online unless paid a 500 euro ransom.

The extortion message targeted Vastaamo patients.

On Oct. 23, 2020, ransom_man uploaded to the dark web a large compressed file that included all of the stolen Vastaamo patient records. But investigators found the file also contained an entire copy of ransom_man’s home folder, a likely mistake that exposed a number of clues that they say point to Kivimaki.

Ransom_man quickly deleted the large file (accompanied by a “whoops” notation), but not before it had been downloaded a number of times. The entire archive has since been made into a searchable website on the Dark Web.

Among those who grabbed a copy of the database was Antti Kurittu, a team lead at Nixu Corporation and a former criminal investigator. In 2013, Kurittu worked on investigation involving Kivimaki’s use of the Zbot botnet, among other activities Kivimaki engaged in as a member of the hacker group Hack the Planet.

“It was a huge opsec [operational security] fail, because they had a lot of stuff in there — including the user’s private SSH folder, and a lot of known hosts that we could take a very good look at,” Kurittu told KrebsOnSecurity, declining to discuss specifics of the evidence investigators seized. “There were also other projects and databases.”

Kurittu said he and others he and others who were familiar with illegal activities attributed to Kivimäki couldn’t shake suspicion that the infamous cybercriminal was also behind the Vastaamo extortion.

“I couldn’t find anything that would link that data directly to one individual, but there were enough indicators in there that put the name in my head and I couldn’t shake it,” Kurittu said. “When they named him as the prime suspect I was not surprised.”

A handful of individually extorted victims paid a ransom, but when news broke that the entire Vastaamo database had been leaked online, the extortion threats no longer held their sting. However, someone would soon set up a site on the dark web where anyone could search this sensitive data.

Kivimaki stopped using his middle name Julius in favor of his given first name Aleksanteri when he moved abroad several years ago. A Twitter account by that name was verified by Kivimaki’s attorney as his, and through that account he denied being involved in the Vastaamo extortion.

“I believe [the Finnish authorities] brought this to the public in order to influence the decision-making of my old case from my teenage years, which was just processed in the Court of Appeal, both cases are investigated by the same persons,” Kivimaki tweeted on Oct. 28.

Kivimaki is appealing a 2020 district court decision sentencing him to “one year of conditional imprisonment for two counts of fraud committed as a young person, and one of gross fraud, interference with telecommunications as a young person, aggravated data breach as a young person and incitement to fraud as a young person,” according to the Finnish tabloid Ilta-Sanomat.

“Now in the Court of Appeal, the prosecutor is demanding a harsher punishment for the man, i.e. unconditional imprisonment,” reads the Ilta-Sanomat story. “The prosecutor notes in his complaint that the young man has been committing cybercrimes from Espoo since he was 15 years old, and the actions have had to be painstakingly investigated through international legal aid.”

As described in this Wired story last year, Vastaamo filled an urgent demand for psychological counseling, and it won accolades from Finnish health authorities and others for its services.

“Vastaamo was a private company, but it seemed to operate in the same spirit of tech-enabled ease and accessibility: You booked a therapist with a few clicks, wait times were tolerable, and Finland’s Social Insurance Institution reimbursed a big chunk of the session fee (provided you had a diagnosed mental disorder),” William Ralston wrote for Wired. “The company was run by Ville Tapio, a 39-year-old coder and entrepreneur with sharp eyebrows, slicked-back brown hair, and a heavy jawline. He’d cofounded the company with his parents. They pitched ­Vastaamo as a humble family-run enterprise committed to improving the mental health of all Finns.”

But for all the good it brought, the healthcare records management system that Vastaamo used relied on little more than a MySQL database that was left dangerously exposed to the web for 16 months, guarded by nothing more than an administrator account with a blank password.

The Finnish daily Iltalehti said Tapio was relieved of his duties as CEO of Vastaamo in October 2020, and that in September, prosecutors brought charges against Tapio for a data protection offense in connection with Vastaamo’s information leak.

“According to Vastaamo, the data breach in Vastaamo’s customer databases took place in November 2018,” Iltalehti reported last month. “According to Vastaamo, Tapio concealed information about the data breach for more than a year and a half.”