November 16, 2023

Prosecutors in Finland this week commenced their criminal trial against Julius Kivimäki, a 26-year-old Finnish man charged with extorting a once popular and now-bankrupt online psychotherapy practice and thousands of its patients. In a 2,200-page report, Finnish authorities laid out how they connected the extortion spree to Kivimäki, a notorious hacker who was convicted in 2015 of perpetrating tens of thousands of cybercrimes, including data breaches, payment fraud, operating a botnet and calling in bomb threats.

In November 2022, Kivimäki was charged with attempting to extort money from the Vastaamo Psychotherapy Center. In that breach, which occurred in October 2020, a hacker using the handle “Ransom Man” threatened to publish patient psychotherapy notes if Vastaamo did not pay a six-figure ransom demand.

Vastaamo refused, so Ransom Man shifted to extorting individual patients — sending them targeted emails threatening to publish their therapy notes unless paid a 500-euro ransom. When Ransom Man found little success extorting patients directly, they uploaded to the dark web a large compressed file containing all of the stolen Vastaamo patient records.

Security experts soon discovered Ransom Man had mistakenly included an entire copy of their home folder, where investigators found many clues pointing to Kivimäki’s involvement. By that time, Kivimäki was no longer in Finland, but the Finnish government nevertheless charged Kivimäki in absentia with the Vastaamo hack. The 2,200-page evidence document against Kivimäki suggests he enjoyed a lavish lifestyle while on the lam, frequenting luxury resorts and renting fabulously expensive cars and living quarters.

But in February 2023, Kivimäki was arrested in France after authorities there responded to a domestic disturbance call and found the defendant sleeping off a hangover on the couch of a woman he’d met the night before. The French police grew suspicious when the 6′ 3″ blonde, green-eyed man presented an ID that stated he was of Romanian nationality.

A redacted copy of an ID Kivimäki gave to French authorities claiming he was from Romania.

Finnish prosecutors showed that Kivimäki’s credit card had been used to pay for the virtual server that hosted the stolen Vastaamo patient notes. What’s more, the home folder included in the Vastaamo patient data archive also allowed investigators to peer into other cybercrime projects of the accused, including domains that Ransom Man had access to as well as a lengthy history of commands he’d executed on the rented virtual server.

Some of those domains allegedly administered by Kivimäki were set up to smear the reputations of different companies and individuals. One of those was a website that discussed the idea of legalizing child sexual abuse and claimed to have been authored by a person who headed up IT infrastructure for a major bank in Norway.

Another domain hosted a fake blog that besmirched the reputation of a Tulsa, Okla. man whose name was attached to blog posts about supporting the “white pride” movement and calling for a pardon of the Oklahoma City bomber Timothy McVeigh.

Kivimäki appears to have sought to sully the name of this reporter as well. The 2,200-page document shows that Kivimäki owned and operated the domain krebsonsecurity[.]org, which hosted various hacking tools that Kivimäki allegedly used, including programs for mass-scanning the Internet for systems vulnerable to known security flaws, as well as scripts for cracking database server usernames and passwords, and downloading databases.

Ransom Man inadvertently included a copy of his home directory in the leaked Vastaamo patient data. A lengthy history of the commands run by that user shows they used krebsonsecurity-dot-org to host hacking and scanning tools.

Mikko Hyppönen, chief research officer at WithSecure (formerly F-Secure), said the Finnish authorities have done “amazing work,” and that “it’s rare to have this much evidence for a cybercrime case.”

Petteri Järvinen is a respected IT expert and author who has been following the trial, and he said the prosecution’s case so far has been strong.

“The National Bureau of Investigation has done a good job and Mr Kivimäki for his part some elementary mistakes,” Järvinen wrote on LinkedIn. “This sends an important message: online crime does not pay. Traces are left in the digital world too, even if it is very tedious for the police to collect them from servers all around the world.”

Antti Kurittu is an information security specialist and a former criminal investigator. In 2013, Kurittu worked on an investigation involving Kivimäki’s use of the Zbot botnet, among other activities Kivimäki engaged in as a member of the hacker group Hack the Planet (HTP). Kurittu said it remains to be seen if the prosecution can make their case, and if the defense has any answers to all of the evidence presented.

“Based on the public pretrial investigation report, it looks like the case has a lot of details that seem very improbable to be coincidental,” Kurittu told KrebsOnSecurity. “For example, a full copy of the Vastaamo patient database was found on a server that belonged to Scanifi, a company with no reasonable business that Kivimäki was affiliated with. The leaked home folder contents were also connected to Kivimäki and were found on servers that were under his control.”

The Finnish daily yle.fi reports that Kivimäki’s lawyers sought to have their client released from confinement for the remainder of his trial, noting that the defendant has already been detained for eight months.

The court denied that request, saying the defendant was still a flight risk. Kivimäki’s trial is expected to continue until February 2024, in part to accommodate testimony from a large number of victims. Prosecutors are seeking a seven-year sentence for Kivimäki.


38 thoughts on “Alleged Extortioner of Psychotherapy Patients Faces Trial”

    1. JAK

      Right? This is the weirdest part of the story! Did he spin a globe and just stick his finger on Tulsa? Or is this guy known to him somehow?

  1. Dave Horsfall

    “krebsonsecurity[.]org” eh? Sounds like a good argument for registering domains the same as oneself’s but with different TLDs.

    1. ian

      Sure, but where do you stop?
      .net .org .info .hack .xyz?
      Country specific tlds like co.uk co.jp co.us ru?

      There are basically infinite tlds in 2023…

      1. davep

        False dilemma.

        Your argument is really “if you can’t achieve perfection, there’s no point in doing anything”.

        Having .com, .org, and .net would provide the majority of benefit. These three are going to be perceived as much more legitimate (than most other TLDs).

    2. .....

      Sounds equally like an argument that there never should have been top-level domains in the first place, just like in meatspace.

      If the name ‘McDonald’s’ is trademark, I can’t open a business in Texas or whatever named “McDonald’s Dallas”.

      1. George S. Gati

        “If the name ‘McDonald’s’ is trademark, I can’t open a business in Texas or whatever named “McDonald’s Dallas”

        Even more so: in a village in NY state there was a small bagel/breakfast/lunch place called McBagel. The owner’s name actually started with Mc. McDonald’s army of lawyers sued and the small shop’s name had to be changed. BTW, that was well before McDonald’s ever served anything with bagels.

  2. Wannabe Techguy

    “even if it is very tedious for the police to collect them from servers all around the world.”
    That’s scary!

  3. Fat Chance

    When Julius K was convicted of so many cyber crimes a number of years ago, he faced zero consequences. He was just let go. He immediately resumed committing cybercrimes. Any of us who have been his victims — and there are so many of us – have been given no protection. I doubt he will face any consequences now. What’s the deal with this?

  4. The Sunshine State

    One psychotherapy word that fits this guy: “narcissistic”. It’s all about them, being controlling and thinking cyber crime is doing nothing wrong.

    On the flip side, a lot of these cyber-criminals need “psychotherapy”.

  5. R.Cake

    would be interesting to know whether the Romanian eID card was genuine (e.g. obtained through bribery) or fake. When looking at the reference samples on EdisonTD (https://edisontd.nl), real Romanian ID cards have facial images with uniform front illumination. Mr. Kivimäki’s photo on that card has asymmetric illumination and he is visibly tilting his head up – both probably to make biometric matches to his real identity more difficult.

  6. Tom das Tier

    Seven years? That’s ridiculous! especially given the heinous nature of that guy’s crimes. 20 to 30 seems more appropriate.

    1. .....

      It’s Europe… Scandinavia of all places. The leniency is the polar opposite of what goes on in the U.S.

      If Kivimaki was an American citizen, doing all this out of the U.S., he’d probably be looking at combined charges totaling at least 100 years for this.

      1. troyf

        Unless, of course, he happened to be in a blue state, then he’d be let go with time served. Is that what those states mean when they say “catch and release”? :/

        1. an_n

          We’ll see if you’re right if Trump avoids prison in Georgia after his conviction(s).

          1. an_n

            That’s called a court summons. Every state does that.
            Criteria for pre-trial release varies by crime/state, but still.

    2. Man from Finland

      It is to be noted that in Finland he is considered a first timer since he has not been in jail in the last 5 years (in fact, has never been). So he will be conditionally released after three and a half years.

      (English translation: https://finlex.fi/en/laki/kaannokset/1889/18890039)
      Finnish penal code, Chapter 2 c, Section 5:

      >A prisoner who has not served a sentence of imprisonment in prison during the five years preceding the offence is conditionally released once he or she has served half of the sentence.

  7. Mahhn

    Seeking a 7 year sentence? That is so pathetic compared to the abuse he has done to so many people. No wonder criminals like him continue to be scumbags, the punishment is free room and board for a few years, then back to the rich life at others’ expense, while he gets to do his favorite thing – make others suffer.

  8. NissanPatrol

    The French police grew suspicious when the 6′ 3″ blonde, green-eyed man presented an ID that stated he was of Romanian nationality… ahaha true…20% of romanian are gipsys…

  9. Christopher

    Great article and thank you for posting your investigations. I was wondering if the 2200 page report was public? I’ve read Finnish articles that imply it is but I’m unable to find it anywhere except when it is excerpted in news articles.

    PS: Want to read some of his Hacker News comments? Usernames are ryanlol, FDSGSG, rosnd, rosndo, prvit, lfodofod, ryanl0l, bbbbb5, gggggg5 (which stopped posting right after his arrest).

  10. Phil

    LOL. All his data in the home folder. The equivalent of “drunk texting”. Good job Umlot.

  11. NoMore

    Extorting and harassing people struggling with mental health. Rot in prison you asshole.

  12. shannon

    “This sends an important message: online crime does not pay” haha it does pay considering that the guy made it all the way to france

  16. Blair "r000t" Strater

    Those of us who have had careers ended, and months of our lives stolen by this [wonderful individual] have seen this play out before. We will be holding off on celebrations until such time as he is sentenced. The prosecution asking for 7 years is an absolute joke, even by European standards.

    Mr. Kivimaki is also still wanted in the United States for taking out Xbox Live and PlayStation Network over the Christmas holiday in 2014. He, with a straight face, told a news reporter that he did this so that people would spend time with their families. Will Finland be handing this criminal over to the US to face justice after his 7 years in heaven are over?

    Those of us who were victimized by Mr. Kivimaki would like to see him face an American prison, not a European summer camp where he has video games and a daily right to use the sauna.

  17. Frank

    Justice in action! It’s reassuring to see the trial commence against the alleged extortioner of psychotherapy patients. Kudos to the security experts for their diligence in unraveling the case and to the authorities for apprehending the individual. Wishing for a fair and just outcome for the victims.

  18. none

    “uploaded to the dark web a large compressed file containing all of the stolen Vastaamo patient records”
    Wish him the best since some of the patients may be psychopath or other friendly psy diseases…
    Or maybe a correct punishment would be to put him in a soviet like psychiatric hospital… Free electroshock and lobotomy for you, my friend :).

  19. HMCB

    7 years?! That’s it?! That’s such an abysmally short time that it boggles the mind. SMH.

  20. Finn

    In Finland and most Nordic countries, there is a limit on how much you can increase the sentence based on multiplicity of offences. Since none of the offences by itself was that serious, 7 years is the maximum. The prosecution would have obviously asked for a higher sentence, if it were possible by law. The law here simply considers “thousands of crimes” impossible, which pretty much is, except in cybercrime environments. Also the previous sentence he got, was a 2 year suspended sentence. If you are under 18 you pretty much don’t go to prison at all unless you kill someone or rob. We don’t send criminals to the U.S. because the sentences are so considerably harsher than in here.

  21. Philippe

    The deterrent effect is not long sentences but more the fear of getting caught. Also, prison should be aimed toward rehabilitation not vengeance.

  22. Clausewitz4.0

    “We don’t send criminals to the U.S. because the sentences are so considerably harsher than in here.”

    Same as my country. We do not extradite nationals. Even internationals like Ronald Biggs, if they have a child with a local woman – automatically protected by LAW. Anyone seeking the opposite would be properly blocked by our Supreme Court.

    It is a shame Finland chose to join NATO. I would like it better if they didn’t. But still seems like a nice place.

    1. an_n

      “It is a shame Finland chose to join NATO. I would like it better if they were annexed by Putin’s regime.”
      -FTFY
