One of Europe’s most wanted cyber criminals has been jailed for attempting to blackmail 33,000 people whose confidential therapy notes he stole.
Julius Kivimäki obtained them after breaking into the databases of Finland’s largest psychotherapy company, Vastaamo.
After his attempt to extort the company failed, he emailed patients directly, threatening to reveal what they had told their therapists.
At least one suicide has been linked to the case , which has shocked the country.
In terms of the number of victims, Kivimäki’s trial was the biggest criminal case in Finnish history.
The 26-year-old had maintained his innocence – despite going on the run and being arrested in Paris under a fake identity.
During the trial, he also went missing for more than a week after refusing to be recalled back to prison by the court.
The judges found him guilty of all counts, describing his blackmail as “ruthlessly taking advantage of another person’s special weakness.”
“Taking into account Vastaamo’s position as a company producing mental health services, Kivimäki has caused great suffering or the risk of it to the interested parties,” the verdict document said.
His sentence of six years and three months brings to an end a cyber crime spree that started when he was just 13-years-old.
Kivimäki, known online as Zeekill, was a key member of multiple teenage cyber gangs which caused chaos between 2009-2015.
He was arrested in 2013, at the age of 15, and given a juvenile non-custodial two year suspended sentence.
At the time, cyber experts were worried his punishment would fail to deter him – and he was quickly linked to many more hacks carried out with teen gangs before disappearing for years.
His name was quickly linked to the Vastaamo hack of 2020 after experts pointed to Kivimäki traits in the attack.
He demanded a 400,000 Euro (£340,000) ransom from the company.
When it refused, he emailed thousands of patients asking for 200 Euros and threatening to publish their notes and personal details on the darknet.
But it was a mistake that the hacker made himself that led police to a treasure trove of information found on a server that Kivimäki owned.
Unprecedented digital forensics and cryptocurrency tracking also help secure the conviction.
Some victims say his sentence doesn’t go far enough, even when taking into account Finland’s relatively lenient justice system.
Tiina Parrika recalls receiving the email from him saying that he had her therapy notes.
She told the BBC it caused her to relapse into mental health problems that the therapy had initially helped her overcome.
She said the maximum permissible sentence of seven years was not a strong enough punishment.
“So many people were affected by this in so many ways,” she said.
The boss of Vastaamo, Ville Tapio, was also convicted of failing to protect his customers’ sensitive data.
Investigations found that the databases were vulnerable and open to the internet without proper protections.
He was given a suspended three month prison sentence last year.
The company which was once a highly regarded and successful business in Finland collapsed after the hack.
Despite the conviction, the Vastaamo case is not over as civil court cases are now likely to begin in an attempt to get some of the victims compensation for the hack.
