Finnish Vastaamo Hacker Released While Contesting Conviction


Vastaamo Hacker Aleksanteri Kivimäki Released While Awaiting Appeal

Aleksanteri Kivimäki in a Finnish courtroom on February 28, 2023

A Helsinki court has ordered the release of one of Finland’s most infamous hackers, Aleksanteri Tomminpoika Kivimäki, pending the outcome of his appeal of an April 2024 conviction related to the breach of psychotherapy records for over 33,000 individuals. This decision has significant implications for cybersecurity and criminal justice in Finland.

Kivimäki was found guilty of hacking into the now-defunct psychotherapy chain Vastaamo, where he operated under the alias “ransom_man.” His actions led to the publication of sensitive patient information online and subsequent blackmail attempts against victims, with at least one reported suicide linked to the incident. Prosecutors allege that the unauthorized access occurred between November 2018 and March 2019, marking a significant breach of data security.

The Helsinki Court of Appeal determined on Thursday that Kivimäki had spent excessive time in pretrial detention and therefore should be released. Finnish media outlet Helsingin Sanomat reported that his prior conviction was based on actions that constituted aggravated data breaches, for which he received a sentence of six years and three months. The prosecution is now seeking to increase this sentence to seven years as the appeals process unfolds.

The court’s ruling hinged on Finnish law, which permits first-time offenders to apply for parole after serving half their sentence. Given that Kivimäki’s time in detention surpassed this threshold, his legal team argued he was eligible for release. Kivimäki expressed relief at the decision, stating he plans to actively participate in the ongoing court proceedings.

The Vastaamo incident has had far-reaching consequences, resulting in the company’s bankruptcy following Kivimäki’s extortion of victims. He initially demanded a ransom of 200 euros in cryptocurrency from individuals whose therapy notes were exposed, a demand that later escalated to 500 euros. This not only compromised patient trust but also highlighted deficiencies in data protection protocols within the healthcare sector.

Prosecutors compiled a substantial body of evidence against Kivimäki, including financial records indicating transactions linked to ransom payments during his hacking spree. They also noted a crucial oversight on his part—failing to anonymize his IP address—which facilitated law enforcement’s identification of him as “ransom_man.”

In contesting the evidence against him, Kivimäki has claimed that the prosecution’s arguments are built on falsified information. His background is equally complex; he has been implicated in a range of cybercriminal activities, including participating in the infamous Lizard Squad, which targeted gaming platforms like Xbox Live and the PlayStation Network on Christmas Day in 2014.

This case underscores the evolving nature of cybercrime, as well as the challenges of regulating cybersecurity in an increasingly complex digital landscape. The incident not only impacts individuals but raises broader concerns regarding data protection compliance, the implications of hacking for businesses, and the efficacy of legal frameworks in responding to such threats.
