Julius Kivimäki, a.k.a. “Zeekill”, a 25-year-old Finn, was arrested this week in France.

Kivimäki, a notorious hacker convicted of perpetrating tens of thousands of cybercrimes, had been charged with extorting a local online psychotherapy practice and leaking therapy notes for more than 22,000 patients online.

Kivimäki had been in hiding since October 2022, when he was charged (and “arrested in absentia”) with attempting to extort money from the Vastaamo Psychotherapy Center. Kivimäki failed to show up in court, and Finland issued an international warrant for his arrest.

In the Vastaamo breach, which occurred in October 2020, a hacker using the handle “Ransom Man” threatened to publish patient psychotherapy notes if Vastaamo did not pay a six-figure ransom demand. Vastaamo refused, so Ransom Man shifted to extorting individual patients — sending them targeted emails threatening to publish their therapy notes unless paid a 500-euro ransom.

Direct extortion yielded little success, so Ransom Man uploaded a large compressed file containing all of the stolen Vastaamo patient records to the dark web.

Mistakes happen

When Ransom Man uploaded the data to the dark web, they mistakenly included an entire copy of their PC’s home folder. That gave cybercrime investigators clues pointing to Kivimäki’s involvement, including the user’s private SSH folder and a lot of known hosts that forensic investigators could take a very good look at. This was a huge opsec (operational security) fail.

According to the French news site actu.fr, Kivimäki was arrested around 7 a.m. on 3 February, after authorities in Courbevoie responded to a domestic violence report. Kivimäki had been out earlier with a woman at a local nightclub, and later the two returned to her home but reportedly got into a heated argument.

Police responding to the scene found the man inside sleeping off a long night. When they roused him and asked for identification, the 6′ 3″ blonde, green-eyed man presented an ID that stated he was of Romanian nationality.

The French police were doubtful of this identity, and after consulting records on most-wanted criminals, they quickly identified the man as Kivimäki and took him into custody.

A life of (cyber) crime

Kivimäki initially gained notoriety as a self-professed member of the Lizard Squad, a mainly low-skilled hacker group that specialized in DDoS attacks. But American and Finnish investigators say Kivimäki’s involvement in cybercrime dates back to at least 2008, when he was introduced to a founding member of what would soon become Hack The Planet (HTP).

As well as the moniker Ransom Man, Kivimäki also used the nicknames “Ryan”, “RyanC” and “Ryan Cleary”.

Ryan Cleary was actually a member of a rival hacker group, LulzSec, and was sentenced to prison for hacking in 2012.

Kivimäki and other HTP members were involved in the mass compromise of web servers using known vulnerabilities, and by 2012 Kivimäki’s alias Ryan Cleary was selling access to those servers in the form of a DDoS-for-hire service. Kivimäki was 15 years old at the time.

In 2013, investigators going through devices seized from Kivimäki found code that had been used to crack more than 60,000 web servers using a previously unknown vulnerability in Adobe’s ColdFusion software.

Kivimäki was also responsible for making an August 2014 bomb threat against former Sony Online Entertainment President John Smedley that grounded an American Airlines plane.

Kivimäki was ultimately convicted of orchestrating more than 50,000 cybercrimes. But largely because he was only 17 at the time and therefore classed as a minor, he was given a 2-year suspended sentence and ordered to forfeit €6,558.

The future for Kivimäki

It is early days in this latest investigation, so at the moment it is unknown what charges Kivimäki will ultimately face trial for, but considering that Europol wanted him on charges of crimes including aggravated computer breach, aggravated attempted extortion, aggravated dissemination of information violating personal privacy, extortion, attempted extortion, computer breach, message interception and falsification of evidence, I suspect his future will certainly involve many long days behind bars.