Notorious Finnish Hacker 'Zeekill' Busted by French PoliceAleksanteri Kivimäki Charged With Mental Health Patient Data Breach and Extortion
French police arrested a notorious hacker who's suspected of forming part of an extortion scheme that targeted a Finnish psychotherapy practice and its patients.
Aleksanteri Tomminpoika Kivimäki, 25, is the focus of a European arrest warrant issued last October in Finland. He's been charged with participating in the hack of Vastaamo Psychotherapy Center. The now-defunct private company, based in Helsinki, provided mental health services via 25 therapy centers and served as a contractor for Finland's public healthcare system (see: Patients Blackmailed 2 Years After a Breach).
Kivimäki, who formerly used the first name Julius, was arrested Friday morning in Courbevoie, a suburb of Paris, after police responded to a report of suspected domestic violence at an apartment, France's Actu.fr news site reports.
When no one answered the door, police prepared to ram it open when they were admitted by the woman who had phoned them at 7 a.m., reporting that a man that her female housemate had brought home from a nightclub was "angry and drunk" and that the two had been fighting.
Police asked the man - 6' 3" tall, with green eyes and blond hair - for his identity papers, which said he was Romanian. Reviewing France's database of known criminals and suspects on the run, police identified him instead as being Kivimäki and immediately arrested him. The young woman he had been with at the club is not a suspect in any crime, they added.
Charges: Hacking, Extortion, Racketeering
Kivimäki, aka "Zeekill" and "Ryan," has been charged with eight offenses tied to Vastaamo including hacking, racketeering and extortion; leaking people's private information; and falsifying evidence. In October 2022, Helsinki District Court ordered him arrested in absentia, because he was known to be staying abroad, and issued a European arrest warrant and Interpol red notice.
Vastaamo suffered data breaches in November 2018 and March 2019, resulting in the theft of patient data, including medical records and financial details. In 2020, the clinic's board reported that when probing the first breach, it belatedly discovered the second one. In response, it fired the company's CEO.
The breaches came to light in October 2020, after hackers began leaking some of the stolen data and demanded a ransom payment from Vastaamo worth approximately 450,000 euros - $485,000 - in bitcoins to forestall additional data leaks.
One or more extortionists, using the handle "Ransom Man," began contacting individual patients, demanding they pay a ransom worth about 200 euros - $215 - within 24 hours - rising to 500 euros - $540 - if not paid within 48 hours, if they didn't want to see their private medical and financial details get leaked.
Ultimately, about 25,000 records were released. Police said financial information stolen in the breaches was also later used to commit fraud.
"We don't have a precise understanding of the victims who paid ransom to the perpetrator," Detective Chief Inspector Marko Leponen, who is heading the investigation by Finland's National Bureau of Investigation, known as KRP, told Helsinki Times last October.
"We're talking about pretty marginal sums, though," he added. "Our findings suggest that about 20 to 30 people paid the ransom."
The data breach was a watershed moment in how Finland views privacy, the safety of online connectivity and public discussions of mental health, The Christian Science Monitor reported.
Alleged OPSEC Fail
As cybersecurity blogger Brian Krebs reported, a digital forensic review of the leaked data found that Ransom Man had inadvertently included their PC's home directory in the data dump, and investigators said the data it contained pointed to Kivimäki's involvement.
When the charges were unveiled last October, Kivimäki said in a Reddit discussion that "my whereabouts are no secret," adding: "I'm not in exile, I just don't live in Finland."
Via his Twitter account, which lists him as being a London-based investor, he denied any involvement in the Vastaamo breach or extortion. "I don't know a damn thing about it," he tweeted, adding that he had offered to speak to police via telephone to answer all of their inquiries.
Finnish police say they plan to immediately request Kivimäki's extradition but add that it's unclear how long that process might take.
Convicted of DDoS Attacks
This isn't Kivimäki's first brush with legal trouble. In 2015, he was found guilty of carrying out 50,700 distributed denial-of-service attacks in 2012 and 2013 under the banner of the notorious DDoS gang Lizard Squad.
But because he was only 15 and 16 at the time - below the legal age of adulthood in Finland, which is 18 - he received a suspended two-year sentence. In addition to paying a small fine, Kivimäki also agreed to have all of his internet use monitored temporarily (see: Young Hackers: Jail Time Appropriate?).
Vastaamo Fined by Privacy Watchdog
Vastaamo, following its two data breaches, declared bankruptcy in February 2021.
In December 2021, Finland's Data Protection Ombudsman imposed an administrative fine of 608,000 euros - $655,000 - on Vastaamo for multiple data privacy violations.
Vastaamo neglected its duties related to the safe processing of personal data as well as reporting a personal data breach, said Finland's privacy watchdog, which enforces compliance with the EU's General Data Protection Regulation. "Vastaamo must have become aware that the patient data had disappeared and that it may have ended up in the possession of an external attacker already in March 2019," it said, adding that the mental health services provider "should have reported the breach both to the supervisory authority and its customers without delay," rather than waiting until September 2020.
The Data Protection Ombudsman also found that "personal data had not been appropriately protected against unauthorized and illegal processing or accidental disappearance, and Vastaamo had not implemented basic measures to ensure the safe processing of personal data." In addition, due to insufficient database logging and network monitoring, the company could not detail how attackers first gained access to its unprotected, internet-connected database.
"The most likely cause for the patient record database leak was an unprotected MySQL port in the database, in which the root user account of the database had not been password-protected," it said. "The user account had also been granted the right to log into the database from any IP address. The patient record database server was open to the internet without the protection of a firewall at least from November 26, 2017, to March 13, 2019."
Because an administrative fine receives "the lowest priority claim in a bankruptcy," the privacy watchdog said its fine would "not reduce the funds available for other claims in bankruptcy, such as potential compensation for damages."