How a teenage hacker became one of Europe's most wanted criminals

Tiina Parikka was cooling off after her usual Saturday night sauna in Finland when she received a notification on her phone.

It was an email from an anonymous sender, which somehow had her name, social security number and other private details.

"At first, I was struck by how polite it was, how friendly the tone was," she recalls.

"Dear Ms. Parikka," wrote the sender, before telling her that he had obtained her private information from a psychotherapy clinic where she was a patient.

Almost apologetically, the author of the email explained that he was contacting her directly because the clinic was ignoring the fact that her personal data had been stolen.

Two years of meticulous records made by her therapist during dozens of sessions were now in the hands of this unknown blackmailer.

If she didn't pay the amount demanded within 24 hours, all the notes would be published online.

"It was a suffocating feeling," she says. "I was sitting there in my bathrobe, feeling like someone had invaded my private world and was trying to make money out of the traumas of my life."

Tiina quickly realized that she was not alone.

A total of 33,000 other therapy patients also had their records stolen - and thousands were blackmailed, resulting in the criminal case with the highest number of victims in Finland.

The database stolen from the servers of Vastaamo, a Finnish network of psychotherapy clinics, contained the most intimate secrets of a large section of society, including children. Sensitive conversations on subjects ranging from extramarital affairs to confessions of crimes were being used as bargaining chips.

Mikko Hyppönen, from the Finnish cyber security company WithSecure, who researched the attack, says that the case had repercussions and fueled the news for days in the country.

"A hacker attack on this scale is a disaster for Finland - everyone knew someone affected," he says.

The blackmailer, identified only as "ransom_man" by his online signature, demanded that the victims pay 200 euros within 24 hours - otherwise he would publish their information. If they didn't meet this deadline, he would increase the amount to 500 euros.

Around 20 people paid up before realizing it was too late. Their information had been published the day before, when "ransom_man" accidentally leaked the entire database to a forum on the dark web.

Mikko and his team spent some time looking for the hacker and trying to help the police. That's when theories began to emerge that the hacker was probably from Finland.

One of the biggest police investigations in the country's history has reached a young Finn who was already well-known in the world of cybercrime.

'Zeekill' crime wave
Kivimäki, who called himself Zeekill when he was a teenage hacker, didn't become the well-known figure he is by being careful.

As a teenager, all he cared about was hacking, extorting and bragging as loudly as possible. Alongside the hacker teams Lizard Squad and Hack the Planet, he delighted in causing chaos in the extremely active period of teenage hackers in the 2010s.

But he wasn't arrested. The conditional suspension of his two-year sentence sparked controversy, and was criticized by many in the cybersecurity world. Despite Finland's notoriously lenient sentences, the fear was that Kivimäki and his accomplices - mostly other teenagers scattered around the English-speaking world - would not be deterred.

Like many of his colleagues during this tumultuous period, Kivimäki didn't seem to let his problems with the police stop him. After his arrest, and before his sentence was handed down, he carried out one of the most audacious attacks of any gang of teenage hackers. He and Lizard Squad took the two biggest gaming platforms offline on Christmas Eve and Christmas Day.

The Playstation Network and Xbox Live were taken down after their services were hit by an unsophisticated but powerful technique known as a distributed denial-of-service attack.

Kivimäki gained the attention of the world's press and even agreed to give an interview to the television channel Sky News, in which he showed no remorse for the attack. Another hacker who was also a member of the Lizard Squad gang told the BBC that Kivimaki was a vindictive teenager who loved to take revenge on rivals and show off his online skills.

Red alert issued
It took the Finnish police almost two years to gather evidence in order to issue an Interpol (international police) red alert for Kivimäki - and he became one of Europe's most wanted criminals. But no one knew where the 25-year-old was.

He was tracked down by chance last February, when Paris police went to his apartment after receiving a hoax call about a domestic dispute. They discovered that Kivimäki was living with false identity documents.

The young man was quickly extradited to Finland, where police began preparing for one of the most important trials in the country's history. Detective Marko Leponen led the three-year investigation - and according to him, it was the biggest case of his career.

"We had more than 200 police officers on the case at one point, and it was an intense investigation with a lot of victim testimonies and stories to analyze."

Kivimäki's trial was a major news story for the country, closely followed by local journalists - and even the international press, who turned up to hear his testimony.

Leponen says that linking Kivimäki's bank account to the server used to obtain the stolen data was crucial. His agents also used new forensic techniques to extract Kivimäki's fingerprint from an anonymous photo he posted under a pseudonym online.

"We were able to prove that this anonymous person who posted on the forum was Kivimäki. It was unbelievable, but it shows that you have to use all the measures you know, and try the ones you don't," explains Leponen.

In the end, the judges delivered their verdict, finding him guilty of all charges.

The court found Kivimäki guilty of more than 30,000 crimes - one for each victim. He was charged with aggravated data breach, aggravated attempted blackmail, aggravated dissemination of information violating privacy, aggravated attempted blackmail and aggravated blackmail.

He was sentenced to six years and three months in prison (the maximum sentence was seven years), but it is likely that he will only serve half, due to the time already served and the Finnish justice system.

Kivimäki has agreed in principle to an out-of-court settlement with a group of victims, but others are planning to file civil lawsuits against him or Vastaamo itself.

The psychotherapy clinic is now defunct, and its founder has been convicted of failing to protect patient data, with a conditional suspension of sentence. Kivimäki has not told the police how much money he has in bitcoins, and claims to have forgotten the details of his digital wallet.

Lawyer Jenni Raiskio hopes the state can intervene, but says it could take many months, or even years, to analyze each case individually and assess how much damage has been done.

"This is really historic in Finland, because our system is not prepared for this amount of victims. The Vastaamo raid showed us that we need to be prepared for these big cases, so I hope there will be a change. It's not going to end here," he says.

Read more

Wikipedia needs help - but there are “rare exceptions” that do

The true identity of the couple painted by Frans Hals in 1637 discovered

European: Voting is also important to defend beer price limits (and more)

A necklace (not made of silver) stopped a bullet and saved a man from being shot in the neck