Julius Kivimäki, a hacker who rose to infamy as a teenager, has been imprisoned for blackmailing 33,000 therapy patients after stealing their confidential session notes.
His arrest marks the end of an 11-year spree that began when he was only 13 years old and part of a group of anarchic teenage hackers.
For Tiina Parikka, the nightmare began with a seemingly polite email that hit her inbox one Saturday evening after a relaxing sauna session.
The message contained her personal information, including her social security number, and a chilling warning: her psychotherapy records had been stolen, and if she didn’t pay a ransom within 24 hours, they would be published online.
“At first I was struck by how polite it was and how nice the tone was,” Tiina recalls.
The email explained that the sender had her data from the psychotherapy center where she was a patient, and the company was ignoring the breach.
Tiina’s first reaction was shock and disbelief.
As she sat in her robe, she felt a suffocating sense of violation.
Tiina was not alone. A total of 33,000 therapy patients had their records stolen in a massive data breach at Vastaamo, a Finnish psychotherapy center.
The database contained sensitive information, ranging from personal trauma to incriminating confessions, all of which could now be used for blackmail.
Mikko Hyppönen from WithSecure, a Finnish cybersecurity firm, noted the impact: “A hack on this scale is a disaster for Finland – everyone knew someone affected.”
The criminal behind the blackmailing scheme, who signed off as “ransom_man,” demanded €200 from each victim, threatening to publish their information if they didn’t comply.
Those who didn’t pay within 24 hours were subjected to higher demands, with the ransom increasing to €500.
About 20 people paid the ransom before realizing their information had already leaked on a darknet forum.
The investigation to find the perpetrator eventually led to Kivimäki, who had a long history of cybercrimes.
Known by his alias “Zeekill,” he was a key member of the Lizard Squad, a notorious hacker group responsible for high-profile attacks, including a major assault on the PlayStation Network and Xbox Live during the 2010s.
Although he was convicted of 50,700 hacking offenses in 2014, Kivimäki received a suspended two-year prison sentence, a decision that was heavily criticized in the cybersecurity community.
Despite his legal troubles, Kivimäki continued his cybercriminal activities, eventually becoming involved in the Vastaamo hack.
Finnish police issued an Interpol Red Notice for him, making him one of Europe’s most wanted criminals.
His capture came by chance when police in Paris responded to a false domestic disturbance call, finding him with forged identity documents.
Kivimäki was extradited to Finland, where he faced trial for his role in the Vastaamo blackmailing scheme.
During the trial, Kivimäki maintained his innocence, but the evidence against him was overwhelming.
Investigators linked his bank account to the server that contained the stolen data and used advanced forensic techniques to match his fingerprint to an anonymous image he posted online.
He was found guilty of more than 30,000 crimes, including aggravated data breach, attempted aggravated blackmail, and aggravated dissemination of information infringing private life.
Kivimäki was sentenced to six years and three months in prison, out of a possible maximum of seven years.
However, due to the Finnish justice system and the time already served, he is likely to spend only half that time in jail. This outcome left many victims, like Tiina, feeling that justice was not fully served.
“So many people were affected by this in so many ways – 33,000 people are a lot of victims, and it’s affected our health, and some have been targeted with financial scams as well using the stolen data,” says Tiina.
As the victims await potential compensation and further civil cases, questions linger about the safety of their private information and the future of cybersecurity laws in Finland.
Kivimäki’s trial has prompted calls for changes in Finnish law to better address large-scale cybercrimes and protect victims’ rights.
Although the psychotherapy center involved in the breach is now defunct, and its founder has received a suspended prison sentence, the impact of the hack continues to resonate.
With thousands of victims affected, the consequences of Kivimäki’s crimes may be felt for years to come.
