Finnish Hacker Receives Nearly 7-Year Sentence


ShinyHunters Breaches and North Korean Laptop Farm Operator Sentenced

Breach Roundup: Finnish Hacker Sentenced to Nearly 7 Years

ISMG provides a weekly summary of significant cybersecurity incidents and breaches. In the latest report, a notorious Finnish hacker has been sentenced to nearly seven years for hacking the now-defunct psychotherapy center Vastaamo. Meanwhile, the cybercriminal group ShinyHunters announced breaches at Dutch telecom Odido and online vehicle marketplace CarGurus. Additionally, a Ukrainian national received a five-year federal prison sentence for running laptop farms for North Korean IT workers. A Romanian national confessed to selling unauthorized access to an Oregon state government network. An Interpol-led operation took down numerous scam networks across Africa. Also noteworthy were MuddyWater's AI-assisted espionage efforts in the MENA region, Advantest's ransomware incident, and critical vulnerability patches issued by SolarWinds and Microsoft. Furthermore, QualDerm disclosed a significant healthcare data breach.


Finnish Hacker Kivimäki Sentenced to 7 Years

On Thursday, the Helsinki Court of Appeal sentenced Aleksanteri Kivimäki, aged 28, to six years and eleven months for cybercrimes related to the Vastaamo psychotherapy center hack. Kivimäki, known as “ransom_man,” extorted victims by threatening to publish sensitive patient information online. His activities caused distress, resulting in at least one reported suicide. Prosecutors indicated the breaches occurred from November 2018 to March 2019 (see: Insights on the Vastaamo Case Appeal).

Finnish news outlet Helsingin Sanomat reported that the sentence fell just short of the maximum limit, contingent upon Kivimäki compensating the victims. His lawyer noted that Kivimäki is currently untraceable, thus complicating restitution efforts. Following the incident, Vastaamo declared bankruptcy after Kivimäki leaked sensitive therapy records affecting over 2,000 patients.

Ransom demands went to between 20,000 and 25,000 patients, and to Vastaamo itself for as much as 450,000 euros; Kivimäki demanded 200 euros in cryptocurrency from each individual victim, rising to 500 euros after a deadline passed. Kivimäki is a former member of the Lizard Squad, a distributed denial-of-service group involved in major attacks, including those on gaming services during Christmas 2014.

In late 2025, Finnish authorities charged a U.S. citizen, Daniel Lee Newhard, for allegedly aiding Kivimäki in his extortion schemes.

ShinyHunters Targets New Entities

This week, the cyber-extortion group ShinyHunters declared two new targets: Odido, a leading Dutch telecommunications provider, and CarGurus, a prominent online automotive marketplace.

On February 12, Odido reported an exfiltration event, specifying that sensitive user data was compromised through their Salesforce-based customer service system. Fortunately, the breach did not expose account passwords or sensitive billing details. However, the compromised data may include names, contact information, customer ID numbers, and financial details, with ShinyHunters demanding a ransom and threatening further digital fallout should the payment not be made.

ShinyHunters also announced the successful breach of CarGurus, claiming to have extracted 1.7 million corporate records. The intrusion, which relied on voice phishing to obtain access, raised alarms because of the sheer volume of compromised data, including email addresses and financial applications. Breach-notification service Have I Been Pwned, which verified the data, found that approximately 70% of the records had already appeared in earlier breaches.

Since the start of the year, ShinyHunters has also successfully breached several prominent institutions, including Ivy League schools and major investment firms.

Ukrainian Individual Sentenced for Fraudulent IT Worker Scheme

In a significant case, a Ukrainian national, Oleksandr Didenko, received a five-year sentence in a U.S. federal prison for orchestrating fraudulent activities via laptop farms that facilitated North Korean IT workers. Didenko, aged 29, managed several U.S.-based operations, providing cover for North Korean nationals to pose as American employees.

Federal prosecutors detailed how Didenko acquired stolen U.S. identities and established the domain Upworksell.com, further enabling North Korean workers to mislead companies. His actions reportedly allowed these workers to access employment opportunities across approximately 40 U.S. firms, generating significant revenue for North Korea amidst international sanctions.

The sentencing reflects ongoing efforts by the FBI and the Justice Department to dismantle North Korea's cyber operations, which federal authorities describe as part of a broader state-sponsored revenue generation scheme built on identity theft and the obfuscation of financial flows.

Romanian National Admits Guilt in Unauthorized Access Scheme

A Romanian citizen, Catalin Dragomir, pleaded guilty to selling illicit access to an Oregon state government network, among other U.S. entities. Dragomir, aged 45, admitted to breaching and subsequently marketing access to the systems as early as June 2021, impacting multiple networks and resulting in damages exceeding $250,000.

Prosecutors said Dragomir provided samples of stolen personal information to potential buyers to prove his control over the compromised systems. Detained in Romania in late 2024, he was extradited to the U.S. to answer for his crimes.

Massive Operation in Africa Results in Arrests and Asset Recoveries

In an extensive crackdown, law enforcement from 16 African nations, in collaboration with Interpol, dismantled numerous online scam networks during a major operation, dubbed “Operation Red Card 2.0.” This initiative led to 651 arrests and the recovery of over $4.3 million in fraudulent proceeds.

Running from December 8, 2025, to January 30, 2026, the campaign targeted high-yield investment fraud, mobile money scams, and other deceptive financial operations, with investigators linking scams to losses exceeding $45 million globally. Over 1,200 victims were identified, with measures taken to seize a multitude of malicious tools and infrastructure associated with the scams.

Noteworthy arrests occurred in Nigeria, where an extensive fraud ring was dismantled, and in Kenya, where individuals were apprehended for promoting fake investment schemes. The operation’s success underscores the persistent threat posed by cybercriminal enterprises in the region.

MuddyWater Launches AI-Driven Espionage Campaign

The Iran-linked advanced persistent threat group MuddyWater has initiated a new cyberespionage campaign, codenamed “Operation Olalampo,” targeting sectors across the Middle East and North Africa. This operation employs a range of specially crafted malware and spear-phishing tactics designed to infiltrate systems.

Analysts observed that, beginning on January 26, MuddyWater used malicious Microsoft Office documents as the initial attack vector, executing payloads once users enabled macros and thereby establishing persistence within victim networks. Among the key malware families identified were downloader implants that facilitate further compromise and give the operators controlled interaction with the affected systems.

Advantest Faces Ransomware Incident

Japanese semiconductor firm Advantest has disclosed a ransomware-related incident affecting parts of its IT infrastructure. The company detected abnormal activities within its systems on February 15, indicating potential unauthorized access by external actors.

Although Advantest has not yet confirmed the exfiltration of data or received ransom demands, the incident highlights the persistent vulnerabilities faced by enterprises in safeguarding their networks from cyber threats.

SolarWinds Issues Patches for Critical Vulnerabilities

American technology provider SolarWinds has addressed four critical vulnerabilities in its Serv-U managed file transfer software, issues that could permit attackers to gain elevated access to systems. The vulnerabilities, which carry high CVSS scores, stem from flaws in access controls that could enable arbitrary code execution and the creation of unauthorized administrative accounts.

Enterprises utilizing Serv-U are advised to install the latest updates promptly, given the history of vulnerabilities exploited in significant attacks, including the 2020 SolarWinds supply chain incident.

Microsoft Resolves High-Severity Windows Admin Center Vulnerability

Microsoft recently released a patch for a high-severity vulnerability in its Windows Admin Center platform that posed a serious privilege escalation risk. The issue stemmed from improper authentication and could have been exploited to significantly elevate an attacker's access privileges.

Active Exploit of FileZen Flaw Detected

Soliton Systems has issued a security advisory regarding a critical command injection vulnerability in its FileZen file transfer appliance, which is currently being actively exploited. This flaw allows authenticated users to execute arbitrary operating system commands, raising serious security concerns.

The U.S. Cybersecurity and Infrastructure Security Agency has added this vulnerability to its Known Exploited Vulnerabilities Catalog, underscoring the urgency for organizations using FileZen to secure their systems promptly.

QualDerm Alerts Patients About Data Breach

QualDerm Partners, known for providing administrative services to dermatology practices, has notified regulators and affected parties about a December 2025 data breach impacting nearly 175,000 patients in Texas. The unauthorized activity was detected within their IT network, severely compromising sensitive personal information.

As investigations continue, QualDerm emphasizes its commitment to rectify the situation and ensure all patients receive appropriate support in addressing potential impacts resulting from this breach.

Additional Insights

Reporting contributors include Information Security Media Group analysts based in various locations.
