Accused Extortioner of Psychotherapy Patients Faces Trial – Krebs on Security

Prosecutors in Finland this week began their criminal trial against Julius Kivimäki, a 26-year-old Finnish man accused of extorting a once-popular and now-bankrupt online psychotherapy practice and thousands of its patients. In a 2,200-page report, Finnish authorities outlined how they connected the extortion spree to Kivimäki, a notorious hacker convicted in 2015 of committing thousands of cybercrimes, including data breaches, payment fraud, operating a botnet and calling in bomb threats.

In November 2022, Kivimäki was charged with attempting to extort money from the Vastaamo Psychotherapy Center. In that breach, which occurred in October 2020, a hacker using the handle “Ransom Man” threatened to publish the patients’ psychotherapy notes if Vastaamo did not pay a six-figure ransom demand.

Vastaamo refused, so the Ransom Man switched to extorting individual patients – sending them targeted emails threatening to publish their therapy notes unless a 500-euro ransom was paid. When the Ransom Man found little success in extorting patients directly, they uploaded to the dark web a large compressed file containing all of Vastaamo’s stolen patient records.

Security experts soon discovered that Ransom Man had mistakenly included a full copy of their home folder, where investigators found several clues pointing to Kivimäki’s involvement. At that time, Kivimäki was no longer in Finland, but the Finnish government nevertheless charged Kivimäki in absentia for the Vastaamo hack. The 2,200-page document of evidence against Kivimäki suggests that he enjoyed a lavish lifestyle while on the lam, frequenting luxury resorts and renting extravagant cars and lodgings.

But in February 2023, Kivimäki was arrested in France after authorities there responded to a domestic disturbance call and found the defendant sleeping off a hangover on the couch of a woman he had met the night before. French police grew suspicious when the 6′ 3″ blonde, green-eyed man showed an ID stating he was a Romanian national.

A redacted copy of an ID Kivimäki gave to French authorities claiming he was from Romania.

Finnish prosecutors indicated that Kivimäki’s credit card was used to pay for the virtual server that hosted Vastaamo’s stolen patient notes. Additionally, the home folder attached to Vastaamo’s patient data archive also allowed investigators to view the defendant’s other cybercrime projects, including domains accessed by Ransom Man as well as a long history of the commands he executed on the rented virtual server.

Some of the domains allegedly managed by Kivimäki were set up to damage the reputation of various companies and individuals. One of them is a website purporting to have been created by a person who heads the IT infrastructure for a major bank in Norway, and it discusses the idea of legalizing child sexual abuse.

Another domain hosts a fake blog that tarnishes the reputation of a Tulsa, Okla. man whose name was included in blog posts about supporting the “white pride” movement and calling for an apology for Oklahoma City bomber Timothy McVeigh.

It appears that Kivimäki intended to tarnish the name of this journalist as well. The 2,200-page document shows that Kivimäki owns and operates the domain krebsonsecurity(.)org, which hosts various hacking tools allegedly used by Kivimäki, including programs for mass-scanning the Internet for systems vulnerable to known security flaws, as well as scripts for cracking database server usernames and passwords and downloading databases.

The Ransom Man inadvertently attached a copy of his home directory to the leaked Vastaamo patient data. A long history of commands run by that user shows that they used krebsonsecurity-dot-org to host hacking and scanning tools.

Mikko Hyppönen, chief research officer of WithSecure (formerly F-Secure), said that Finnish authorities have done “an extraordinary job,” and that “it is rare to have so much evidence for a cybercrime case.”

Petteri Järvinen is a respected IT expert and author who has been following the trial, and he says the prosecution’s case so far is strong.

“The National Bureau of Investigation has done a good job and Mr Kivimäki has his share of some elementary mistakes,” Järvinen wrote on LinkedIn. “It sends an important message: online crime does not pay. Traces are left in the digital world as well, although it is very tiring for the police to collect them from servers around the world.”

Antti Kurittu is an information security specialist and former criminal investigator. In 2013, Kurittu worked on an investigation involving Kivimäki’s use of the Zbot botnet, and other activities that Kivimäki was involved in as a member of the hacker group Hacking the Planet (HTP). Kurittu said it remains to be seen if the prosecution can make its case, and if the defense has any answers to all the evidence presented.

“Based on the public pretrial investigation report, it seems that the case has many details that seem unlikely to be a coincidence,” Kurittu told KrebsOnSecurity. “For example, a complete copy of Vastaamo’s patient database was found on a server belonging to Scanifi, a company that has no reasonable business relationship with Kivimäki. The leaked contents of the home folder are also connected to Kivimäki and were found on servers under his control.”

Everyday Finnish reports that Kivimäki’s lawyers sought to have their client released from custody for the remainder of his trial, as the accused has already been detained for eight months.

The court denied the request, saying that the accused is still a flight risk. Kivimäki’s trial is expected to continue until February 2024, in part to accommodate testimony from more victims. Prosecutors are seeking a seven-year sentence for Kivimäki.