Hacker Charged With Extorting Online Psychotherapy Service

November 3, 2022

A 25-year-old Finnish man has been charged with extorting a once popular and now-bankrupt online psychotherapy company and its patients. Finnish authorities rarely name suspects in an investigation, but they were willing to make an exception for Julius “Zeekill” Kivimaki, a notorious hacker who — at the tender age of 17 — had been convicted of more than 50,000 cybercrimes, including data breaches, payment fraud, operating botnets, and calling in bomb threats.

In late October 2022, Kivimaki was charged (and arrested in absentia, according to the Finns) with attempting to extort money from the Vastaamo Psychotherapy Center.  On October 21, 2020, Vastaamo became the target of blackmail when a tormentor identified as “ransom_man” demanded payment of 40 bitcoins (~450,000 euros at the time) in return for a promise not to publish highly sensitive therapy session notes Vastaamo had exposed online.

In a series of posts over the ensuing days on a Finnish-language dark net discussion board, ransom_man said Vastaamo appeared unwilling to negotiate a payment, and that he would start publishing 100 patient profiles every 24 hours “to provide further incentive for the company to continue communicating with us.”

“We’re not asking for much, approximately 450,000 euros which is less than 10 euros per patient and only a small fraction of the around 20 million yearly revenues of this company,” ransom_man wrote.

When Vastaamo declined to pay, ransom_man shifted to extorting individual patients. According to Finnish police, some 22,000 victims reported extortion attempts targeting them personally, targeted emails that threatened to publish their therapy notes online unless paid a 500 euro ransom.

The extortion message targeted Vastaamo patients.

On Oct. 23, 2020, ransom_man uploaded to the dark web a large compressed file that included all of the stolen Vastaamo patient records. But investigators found the file also contained an entire copy of ransom_man’s home folder, a likely mistake that exposed a number of clues that they say point to Kivimaki.

Ransom_man quickly deleted the large file (accompanied by a “whoops” notation), but not before it had been downloaded a number of times. The entire archive has since been made into a searchable website on the Dark Web.

Among those who grabbed a copy of the database was Antti Kurittu, a team lead at Nixu Corporation and a former criminal investigator. In 2013, Kurittu worked on investigation involving Kivimaki’s use of the Zbot botnet, among other activities Kivimaki engaged in as a member of the hacker group Hack the Planet.

“It was a huge opsec [operational security] fail, because they had a lot of stuff in there — including the user’s private SSH folder, and a lot of known hosts that we could take a very good look at,” Kurittu told KrebsOnSecurity, declining to discuss specifics of the evidence investigators seized. “There were also other projects and databases.”

Kurittu said he and others he and others who were familiar with illegal activities attributed to Kivimäki couldn’t shake suspicion that the infamous cybercriminal was also behind the Vastaamo extortion.

“I couldn’t find anything that would link that data directly to one individual, but there were enough indicators in there that put the name in my head and I couldn’t shake it,” Kurittu said. “When they named him as the prime suspect I was not surprised.”

A handful of individually extorted victims paid a ransom, but when news broke that the entire Vastaamo database had been leaked online, the extortion threats no longer held their sting. However, someone would soon set up a site on the dark web where anyone could search this sensitive data.

Kivimaki stopped using his middle name Julius in favor of his given first name Aleksanteri when he moved abroad several years ago. A Twitter account by that name was verified by Kivimaki’s attorney as his, and through that account he denied being involved in the Vastaamo extortion.

“I believe [the Finnish authorities] brought this to the public in order to influence the decision-making of my old case from my teenage years, which was just processed in the Court of Appeal, both cases are investigated by the same persons,” Kivimaki tweeted on Oct. 28.

Kivimaki is appealing a 2020 district court decision sentencing him to “one year of conditional imprisonment for two counts of fraud committed as a young person, and one of gross fraud, interference with telecommunications as a young person, aggravated data breach as a young person and incitement to fraud as a young person,” according to the Finnish tabloid Ilta-Sanomat.

“Now in the Court of Appeal, the prosecutor is demanding a harsher punishment for the man, i.e. unconditional imprisonment,” reads the Ilta-Sanomat story. “The prosecutor notes in his complaint that the young man has been committing cybercrimes from Espoo since he was 15 years old, and the actions have had to be painstakingly investigated through international legal aid.”

As described in this Wired story last year, Vastaamo filled an urgent demand for psychological counseling, and it won accolades from Finnish health authorities and others for its services.

“Vastaamo was a private company, but it seemed to operate in the same spirit of tech-enabled ease and accessibility: You booked a therapist with a few clicks, wait times were tolerable, and Finland’s Social Insurance Institution reimbursed a big chunk of the session fee (provided you had a diagnosed mental disorder),” William Ralston wrote for Wired. “The company was run by Ville Tapio, a 39-year-old coder and entrepreneur with sharp eyebrows, slicked-back brown hair, and a heavy jawline. He’d cofounded the company with his parents. They pitched ­Vastaamo as a humble family-run enterprise committed to improving the mental health of all Finns.”

But for all the good it brought, the healthcare records management system that Vastaamo used relied on little more than a MySQL database that was left dangerously exposed to the web for 16 months, guarded by nothing more than an administrator account with a blank password.

The Finnish daily Iltalehti said Tapio was relieved of his duties as CEO of Vastaamo in October 2020, and that in September, prosecutors brought charges against Tapio for a data protection offense in connection with Vastaamo’s information leak.

“According to Vastaamo, the data breach in Vastaamo’s customer databases took place in November 2018,” Iltalehti reported last month. “According to Vastaamo, Tapio concealed information about the data breach for more than a year and a half.”


22 thoughts on “Hacker Charged With Extorting Online Psychotherapy Service

  1. Matthias U

    “and arrested in absentia, according to the Finns” … um,, how is that even possible?

    Reply
    1. Atro Tossavainen

      This means that as soon as the suspect is reached he/she/it can be put away to await trial without further ado.

      Here in Finland you can be “detained in absentia” when you’re not in the country, your whereabouts are not known, or you are deliberately avoiding process.

      Thanks Brian for continuing to report on the case. Best regards from Finland.

      Reply
    2. Antti S

      Jailed in absentia is more accurate translation. After an arrest, police has few days before they must petition court to jail the suspect or release him, now they’ve done this beforehand. I guess it’s needed for extraditions anyway.

      Reply
    1. Jonesy

      Calling them names will really have them shaking in their boots. Almost as much as ‘one year of conditional imprisonment’.

      Whoever presided at the district court lacked empathy. It’s hard to imagine the mental torture he caused the patients but the anxiety associated with people reading about their struggles must be really bad for them. Taking that into account, a more fitting charge might be 15-20 years with hard labor with earlier release if he supplies something significant to help law enforcers trap other offenders.

      Reply
      1. Waterbender

        2015: “In an online interview with KrebsOnSecurity, Kivimaki said he was not surprised by the leniency shown by the court in his trial.
        “During the trial it became apparent that nobody suffered significant (if any) damages because of the alleged hacks,” he said.
        The danger in a decision such as this is that it emboldens young malicious hackers by reinforcing the already popular notion that there are no consequences for cybercrimes committed by individuals under the age of 18.
        Case in point: Kivimaki is now crowing about the sentence; He’s changed the description on his Twitter profile to “Untouchable hacker god.” The Twitter account for the Lizard Squad tweeted the news of Kivimaki’s non-sentencing triumphantly: “All the people that said we would rot in prison don’t want to comprehend what we’ve been saying since the beginning, we have free passes.”
        It is clear that the Finnish legal system, like that of the United States, simply does not know what to do with minors who are guilty of severe cybercrimes.”

        Perhaps now that he’s an adult, things will be much harsher.

        Reply
      2. Atro Tossavainen

        Our criminal punishment system here in Finland just isn’t the same as in the United States, so dreaming about prison sentences that run for decades or that include hard labor is pointless. We don’t do that. Not many countries in Europe do.

        Also, accusing the judge of lacking empathy is another case of idiocy – they have to act within the law and sentencing guidelines.

        Also, juvenile criminals are never tried as adults. The age of criminal responsibility of any kind is 15 in Finland. Between 15 and 18 you are juvenile and that gets you special consideration, and even between 18 and 21 you are still granted extra leniency.

        For anybody who is interested, the English translation of the Young Offenders Act can be reviewed at https://www.finlex.fi/en/laki/kaannokset/1940/en19400262

        All that said, if Julius is found guilty of these breaches in court it is unlikely that he will escape actual time this time around. If he did this, it happened after his 21st birthday (first intrusion to Vastaamo in November 2018, he’s born August 1997) which means he would no longer be eligible for any juvenile consideration.

        Reply
  2. afdsfsa

    Krebs,

    This guy really isn’t the brightest by leaking the data inside the home folder. Can you elaborate on more what contents were in there? Like his ssh keys etc

    This seems like the biggest mistake I ever seen in my life

    Thanks

    Reply
  3. RD

    Kivimaki – young criminal who just got burned and needs to experience real-world consequences. Hope he rots in jail for at least a few.

    Tapio – company man who obviously don’t give a damn about keeping data secure. MySQL “protected” by an admin account with blank password?

    Outsider criminals plus insiders who don’t care… what could go wrong?

    Reply
  4. mealy

    There are some smart and dangerous kids out there. The law should be more aware of that.
    You don’t suddenly grow up at 18.

    Reply
  5. Ann Onymouse

    Convicted of 50,000 cybercrimes by the age of 17? Wow – that’s 8 a day, every day, even if he started at birth, which clearly he didn’t! And that’s just the ones he’d already been convicted for – so it seems likely there were more.

    Reply
  6. el-brujo

    State of case: Failed to attend court
    Offences 1 ) Aggravated computer break-in, offence 2) Aggravated extortion,attempt 3) Aggravated Dissemination of information violating personal privacy 4) Extortion 5) Attempt of an extortion 6) Computer break-in 7) Message interception 8) Falsification of evidence
    https://eumostwanted.eu/#/kivimaki-aleksanteri-tomminpoika

    Reply
  7. Bill Ash

    I wouldn’t call stealing data from a database with no password as hacking. The article says the Vastaamo founder was a coder. A coder would have some understanding of security. There may have been more than one crook involved.

    Reply
  8. a

    @Ann Onymouse. It was probably one crime with one data set involving 50k victims. It was probably charged as one count per victim. Everybody spins narratives nowadays, even prosecutors.

    Reply
  9. CJ

    So sad to read another heartbreaking story about people’s privacy being destroyed, and in the EU where the GDPU protections are far stronger than in the USA.

    BTW, article contains typo/copy+paste error:

    Kurittu said he and others he and others who were familiar with illegal activities that were attributed to Kivimäki couldn’t shake suspicion

    he and others who were familiar with illegal activites that were attributed to Kivimäki couldn’t shake suspicion that the infamous cybercriminal was also behind the Vastaamo extortion.

    Reply
  10. Nyymi

    Julius Aleksanteri Kivimäki is a frequent visitor of Finnish chan Ylilauta.org where ransom_man was also announcing their hacks and demands.

    A couple of years back Kivimäki was taunting people with his luxury traveling pictures: https://ylilauta.org/matkustus/128692502

    Wonder where that money comes from

    Reply

Leave a Reply

Your email address will not be published.

© Krebs on Security