A 26-year-old Finnish man was sentenced to more than six years in prison today after being convicted of hacking into an online psychotherapy clinic, leaking tens of thousands of patient therapy records, and attempting to extort the clinic and patients.
On October 21, 2020, the Vastaamo Psychotherapy Center in Finland became the target of blackmail when a tormentor identified as βransom_manβ demanded payment of 40 bitcoins (~450,000 euros at the time) in return for a promise not to publish highly sensitive therapy session notes Vastaamo had exposed online.
Ransom_man announced on the dark web that he would start publishing 100 patient profiles every 24 hours. When Vastaamo declined to pay, ransom_man shifted to extorting individual patients. According to Finnish police, some 22,000 victims reported extortion attempts targeting them personally, targeted emails that threatened to publish their therapy notes online unless paid a 500 euro ransom.
Finnish prosecutors quickly zeroed in on a suspect: Julius βZeekillβ KivimΓ€ki, a notorious criminal hacker convicted of committing tens of thousands of cybercrimes before he became an adult. After being charged with the attack in October 2022, KivimΓ€ki fled the country. He was arrested four months later in France, hiding out under an assumed name and passport.
Antti Kurittu is a former criminal investigator who worked on an investigation involving KivimΓ€kiβs use of the Zbot botnet, among other activities KivimΓ€ki engaged in as a member of the hacker groupΒ Hack the Planet (HTP).
Kurittu said the prosecution had demanded at least seven years in jail, and that the sentence handed down was six years and three months. Kurittu said prosecutors knocked a few months off of KivimΓ€kiβs sentence because he agreed to pay compensation to his victims, and that KivimΓ€ki will remain in prison during any appeal process.
βI think the sentencing was as expected, knowing the Finnish judicial system,β Kurittu told KrebsOnSecurity. βAs KivimΓ€ki has not been sentenced to a non-suspended prison sentence during the last five years, he will be treated as a first-timer, his previous convictions notwithstanding.β
But because juvenile convictions in Finland donβt count towards determining whether somebody is a first-time offender, KivimΓ€ki will end up serving approximately half of his sentence.
βThis seems like a short sentence when taking into account the gravity of his actions and the life-altering consequences to thousands of people, but itβs almost the maximum the law allows for,β Kurittu said.
KivimΓ€ki initially gained notoriety as a self-professed member of theΒ Lizard Squad, a mainly low-skilled hacker group that specialized in DDoS attacks. But American and Finnish investigators say KivimΓ€kiβs involvement in cybercrime dates back to at least 2008, when he was introduced to a founding member of what would soon become HTP.
Finnish police said KivimΓ€ki also used the nicknames βRyanβ, βRyanCβ and βRyan Clearyβ (Ryan Cleary was actually a member of a rival hacker group β LulzSecΒ β who was sentenced to prison for hacking).
KivimΓ€ki and other HTP members were involved in mass-compromising web servers using known vulnerabilities, and by 2012 KivimΓ€kiβs alias Ryan Cleary was selling access to those servers in the form of a DDoS-for-hire service. KivimΓ€ki was 15 years old at the time.
In 2013, investigators going through devices seized from KivimΓ€ki found computer code that had been used to crack more than 60,000 web servers using a previously unknown vulnerability inΒ Adobeβs ColdFusion software. KrebsOnSecurity detailed the work of HTP in September 2013, after the groupΒ compromised servers inside data brokers LexisNexis, Kroll, and Dun & Bradstreet.
The group used the same ColdFusion flawsΒ to break into the National White Collar Crime Center (NWC3), a non-profit that provides research and investigative support to theΒ U.S. Federal Bureau of InvestigationΒ (FBI).
As KrebsOnSecurity reported at the time, this small ColdFusion botnet of data broker servers was being controlled by the same cybercriminals whoβd assumed control over SSNDOB, which operated one of the undergroundβs most reliable services for obtaining Social Security Number, dates of birth and credit file information on U.S. residents.
KivimΓ€ki was responsible for making an August 2014 bomb threatΒ against formerΒ Sony Online Entertainment President John Smedley that grounded an American Airlines plane.Β KivimΓ€kiΒ also was involved in calling in multiple fake bomb threats and βswattingβ incidents β reporting fake hostage situations at an address to prompt a heavily armed police response to that location.
Ville Tapio, the former CEO of Vastaamo, was fired and also prosecuted following the breach. Ransom_man bragged about Vastaamoβs sloppy security, noting the company had used the laughably weak username and password βroot/rootβ to protect sensitive patient records.
Investigators later found Vastaamo had originally been hacked in 2018 and again in 2019. In April 2023, a Finnish court handed down a three-month sentence for Tapio, but that sentence was suspended because he had no previous criminal record.