February 5, 2023

Julius “Zeekill” Kivimäki, a 25-year-old Finnish man charged with extorting a local online psychotherapy practice and leaking therapy notes for more than 22,000 patients online, was arrested this week in France. A notorious hacker convicted of perpetrating tens of thousands of cybercrimes, Kivimäki had been in hiding since October 2022, when he failed to show up in court and Finland issued an international warrant for his arrest.

In late October 2022, Kivimäki was charged (and “arrested in absentia,” according to the Finns) with attempting to extort money from the Vastaamo Psychotherapy Center. In that breach, which occurred in October 2020, a hacker using the handle “Ransom Man” threatened to publish patient psychotherapy notes if Vastaamo did not pay a six-figure ransom demand.

Vastaamo refused, so Ransom Man shifted to extorting individual patients — sending them targeted emails threatening to publish their therapy notes unless paid a 500-euro ransom.

When Ransom Man found little success extorting patients directly, they uploaded to the dark web a large compressed file containing all of the stolen Vastaamo patient records.

But as documented by KrebsOnSecurity in November 2022, security experts soon discovered Ransom Man had mistakenly included an entire copy of their home folder, where investigators found many clues pointing to Kivimäki’s involvement. From that story:

“Among those who grabbed a copy of the database was Antti Kurittu, a team lead at Nixu Corporation and a former criminal investigator. In 2013, Kurittu worked on an investigation involving Kivimäki’s use of the Zbot botnet, among other activities Kivimäki engaged in as a member of the hacker group Hack the Planet (HTP).”

“It was a huge opsec [operational security] fail, because they had a lot of stuff in there — including the user’s private SSH folder, and a lot of known hosts that we could take a very good look at,” Kurittu told KrebsOnSecurity, declining to discuss specifics of the evidence investigators seized. “There were also other projects and databases.”

According to the French news site actu.fr, Kivimäki was arrested around 7 a.m. on Feb. 3, after authorities in Courbevoie responded to a domestic violence report. Kivimäki had been out earlier with a woman at a local nightclub, and later the two returned to her home but reportedly got into a heated argument.

Police responding to the scene were admitted by another woman — possibly a roommate — and found the man inside still sleeping off a long night. When they roused him and asked for identification, the 6′ 3″ blonde, green-eyed man presented an ID that stated he was of Romanian nationality.

The French police were doubtful. After consulting records on most-wanted criminals, they quickly identified the man as Kivimäki and took him into custody.

Kivimäki initially gained notoriety as a self-professed member of the Lizard Squad, a mainly low-skilled hacker group that specialized in DDoS attacks. But American and Finnish investigators say Kivimäki’s involvement in cybercrime dates back to at least 2008, when he was introduced to a founding member of what would soon become HTP.

Finnish police said Kivimäki also used the nicknames “Ryan”, “RyanC” and “Ryan Cleary” (Ryan Cleary was actually a member of a rival hacker group — LulzSec — who was sentenced to prison for hacking).

Kivimäki and other HTP members were involved in mass-compromising web servers using known vulnerabilities, and by 2012 Kivimäki’s alias Ryan Cleary was selling access to those servers in the form of a DDoS-for-hire service. Kivimäki was 15 years old at the time.

The DDoS-for-hire service allegedly operated by Kivimäki in 2012.

In 2013, investigators going through devices seized from Kivimäki found computer code that had been used to crack more than 60,000 web servers using a previously unknown vulnerability in Adobe’s ColdFusion software.

KrebsOnSecurity detailed the work of HTP in September 2013, after the group compromised servers inside data brokers LexisNexis, Kroll, and Dun & Bradstreet.

The group used the same ColdFusion flaws to break into the National White Collar Crime Center (NWC3), a non-profit that provides research and investigative support to the U.S. Federal Bureau of Investigation (FBI).

As KrebsOnSecurity reported at the time, this small ColdFusion botnet of data broker servers was being controlled by the same cybercriminals who’d assumed control over ssndob[.]ms, which operated one of the underground’s most reliable services for obtaining Social Security numbers, dates of birth and credit file information on U.S. residents.

Multiple law enforcement sources told KrebsOnSecurity that Kivimäki was responsible for making an August 2014 bomb threat against former Sony Online Entertainment President John Smedley that grounded an American Airlines plane. That incident was widely reported to have started with a tweet from the Lizard Squad, but Smedley and others said it started with a call from Kivimäki.

Kivimäki also was involved in calling in multiple fake bomb threats and “swatting” incidents — reporting fake hostage situations at an address to prompt a heavily armed police response to that location.

Kivimäki’s apparent indifference to hiding his tracks drew the interest of Finnish and American cybercrime investigators, and soon Finnish prosecutors charged him with an array of cybercrime violations. At trial, prosecutors presented evidence showing he’d used stolen credit cards to buy luxury goods and shop vouchers, and participated in a money laundering scheme that he used to fund a trip to Mexico.

Kivimäki was ultimately convicted of orchestrating more than 50,000 cybercrimes. But largely because he was still a minor at the time (17), he was given a 2-year suspended sentence and ordered to forfeit EUR 6,558.

As I wrote in 2015 following Kivimäki’s trial:

“The danger in such a decision is that it emboldens young malicious hackers by reinforcing the already popular notion that there are no consequences for cybercrimes committed by individuals under the age of 18.

Kivimäki is now crowing about the sentence; he’s changed the description on his Twitter profile to “Untouchable hacker god.” The Twitter account for the Lizard Squad tweeted the news of Kivimäki’s non-sentencing triumphantly: “All the people that said we would rot in prison don’t want to comprehend what we’ve been saying since the beginning, we have free passes.”

Something tells me Kivimäki won’t get off so easily this time, assuming he is successfully extradited back to Finland. A statement by the Finnish police says they are seeking Kivimäki’s extradition and that they expect the process to go smoothly.

Kivimäki could not be reached for comment. But he has been discussing his case on Reddit using his legal first name — Aleksanteri (he stopped using his middle name Julius when he moved abroad several years ago). In a post dated Jan. 31, 2022, Kivimäki responded to another Finnish-speaking Reddit user who said they were a fugitive from justice.

“Same thing,” Kivimäki replied. “Shall we start some kind of club? A support organization for wanted persons?”

24 thoughts on “Finland’s Most-Wanted Hacker Nabbed in France”

  1. The Sunshine State

    Interesting article, a guy with anger issues, that does swatting, bomb threats and domestic violence, hacks into a psychotherapy practice without any remorse

    Who sees the irony here?

  2. Anonymous

    Fantastic news, and well done to all of the investigators involved! Kivimaki has been a menace to society, stealing money and blackmailing ever since he got a slap on the wrist for 50,000 counts of hacking. There are many reformed hackers, but Kivimaki is not one of them.

  3. John

    Yes — string this career hacker criminal up by his thumbs, in Solitary Confinement, for the rest of his twisted life. Far too many times these cybercrooks get a mild slap on the wrist and they’re back on the cyber highway after spreading their knowledge to anyone smart enough with whom they’re incarcerated.

    Make an example of this punk!

    1. Francis

      I totally agree. All hackers need to be held accountable and given serious prison sentences. Additionally, they should be prohibited from using any technology for their entire sentence. They should be limited to only writing letters and sending them by snail mail or 5 minute monitored plain old telephone calls home. Confinement should ensure that their technical skills go down the toilet forever. Do not pamper these criminals. I would rather see minor drug abusers be given a break and rehabilitation and let all these cyber criminals rot in prison. These criminals are attacking medical organizations and that makes the violent criminals against the sick.

  4. Terry Smith

    Gutter criminal. Off with his head. (Not kidding)

  5. Blanche DuBois

    Zut alors!
    Aleksanteri, bienvenue a la belle France!!!

    I have often traversed Romania with a “New Jersey passport”, but have yet to meet a 6’-3” Romanian male who resembled a blond, green-eyed, Nordic giant…

    Understood that this was a bad “fast guess” by you, when those gendarmerie rudely interrupted your slumber.
    (Aren’t the only blonds in Romania from a bleach bottle?)

    However, keep your spirits up and positive.
    Like the rest of us, into every data thug’s life, a little rain must fall…

    Remember, you are very lucky to be in the EU/Finland justice system.

    But in case you are extradited to the US, a few tips…
    Emphasize that you never used a gun for your alleged ill-gotten gains.
    No gun in your crime, means 6 hours in a US jail unless the fraud was above US$1 million.
    (If you used a gun to rob $3.14 in the street, that’s 15 years for openers.)

    Yes, then you will get 3 hots and a cot, plus almost good health and dental care.
    But avoid “Fat Albert” in cell block B…

    The wheels of human justice grind slowly Aleks, but inexorably…
    We will somehow recover from missing you on Tik Tok…

  6. mari q. contrari

    like those he hurts & everyone else, dude has embarrassing secrets.
    pls, someone, put him in his place & spill it.

  7. Dick Ruckus

    I wish he wouldn’t have gotten caught!!! All of the governments including their officials have been robbing the people. Modern day slavery. FREE HIM UNTIL IT’S READ BACKWARDS

    1. Francis

      Grow up. He destroyed people’s lives and if governments were not providing basic infrastructure people that need the Internet would not exist. The real survivalists live off the grid.

  8. R. Cake

    This is really good news. I hope it will bring some kind of closure to the individuals affected especially by the absolutely shameless Vastaamo data breach and patient record publication.

  9. Dave Dickerson

    Who among us hasn’t accidentally uploaded our entire /home to the dark web? His arrogance seems unwarranted. Glad he’ll be out of circulation.

    1. Daniel

      It’s honestly a wonder why he didn’t get caught sooner, being that stupid. I’m legitimately bewildered as to how that happens

  10. Mahhn

    Glad to see some of the worst of humans get a little suffering too, for a change.

  11. Sam

    He used his keyboards/computers just like a gun in the back! He is a COWARD and a THUG that sneaks into our private and professional lives. It’s time for raising the amount of time and TRUTH in SENTENCING for CYBER CRIMINALS. Once the thief is released keep him/them on paper for 10 yrs. C if these losers laugh at that!

  12. Vladimir

    “I’d rather not be paid in imaginary money”…

    I enjoy these stories. Thank you Brian Krebs.

  13. Pete Jones

    Sadly, the Finnish criminal law system is notoriously lenient and understanding to criminals. If he gets 2 years (let alone more), that would be extraordinary. After that, the system is heavily geared towards integrating this PoS back into society.

    But of course things like this – bullying, abusing and extorting the vulnerable – is not something that is generally kindly looked on by hardcore criminals. Recently, a suspected child molester (who was apparently innocent, however) was beaten and tortured to death by other prisoners while in police custody in Finland.
    It is entirely possible that Julius Kivimäki might have a very interesting jail time, involving one or more peculiar ‘accidents’.

    1. Adam

      You cannot put child molesting on the same level as extortion. No one in prison will do that lol

  14. kingJames

    Who would attack a healthcare organization? That is really low. This is where folks are struggling to stay alive and you will go over and pull the plug to buy Gucci socks? Even Satan stopped that. Lock him up for a long time and update the laws that allow these acts to persist. If you are truly smart with computers, use your skills for good and you will be rewarded by society.

  15. HB

    Got tired of baguettes? Could write a book and find religion while doing time?

  16. H8rHurtr

    I think this kid needs a job and a wife. I say cut his index fingers clean off, tattoo a big shlong on his forehead and mutilate his tongue. He will soon then seek mental health he sought to abuse in the past. then release him. Let the world and life be his punishment

  17. Jian

    “shifted to extorting individual patients — sending them targeted emails threatening to publish their therapy notes”
    Threatening psy patients? I wish for him some of them were not hard-boiled psychopath…

  18. CryptoBulling

    It’s concerning to see the extent of damage that one individual can inflict through cybercrime. The fact that Julius Kivimäki has been involved in numerous hacking incidents, including the extortion and leak of therapy notes for thousands of patients, is alarming.
    Hopefully, his arrest will serve as a warning to others who engage in similar activities, and reinforce the importance of cybersecurity measures to protect sensitive information.
