[START OF RECORDING]

JACK: So, you first came on my radar when I was researching this story. I think it was video game cheats, and I was like, trying desperately to find video game — people who are selling video game cheats, and nobody wanted to talk with me on the record. I found a couple people that were just willing to chat only, but never like, audio. Then I found an interview you did with somebody who’s just like, yeah, I sell video game cheats, and he’s like, fourteen or something. I’m like, how did you find this guy? So, ever since then, I’ve had so much respect, and reading this book is once again a testament of just how deep you can get into this community and reach these people. So, really, hats off to your ability to infiltrate the hacking world.

JOE: Thank you very much, yeah. It’s become something of a speciality. But really, I’m always surprised they want to talk, but they do. I think there is a thing in hacking, in cybercrime, where — as well as the kind of anonymity that it brings — I think people like to brag and they like to show off.

JACK: Yeah, yeah. So, I think that leads us right into the first question, which is who are you and what do you do, and how’d you get there?

JOE: Well, my name’s Joe Tidy, and I’m the BBC’s cyber correspondent. [Music] So, that means I cover hacking, cybersecurity, data protection, online harms, AI, and a bit of crypto as well. I’ve been working with the BBC for about — I think it’s seven years in this role, and before that, I was at Sky News, and I was a general correspondent at Sky News doing all sorts of bits and bobs. But then in 2014 there was this amazingly huge and incredible DDOS attack on Sony PlayStation Network and Xbox Live which took down those services over Christmas, Christmas Eve and Christmas Day. It was headline news, and my boss came in and said to me, right, these gang — these teenagers called Lizard Squad, you’ve gotta find one of them. ‘We want a Lizard on air tonight’ is the phrase.

JACK: A Lizard on…

JOE: Get me a Lizard on air tonight, yeah.

JACK: Do they know what kind of ridiculous ask that is…

JOE: Nope.

JACK: …to get a Lizard on air tonight, like on camera, even?

JOE: Yeah, exactly, yeah, not even just a text interview. They wanted them on camera within — I think it was ten hours when we were gonna be on air. I thought to myself, well, this is impossible.

JACK: Joe miraculously pulled it off. He got someone from Lizard Squad to come on TV and answer questions.

JOE: Speaking to us from Finland, this man who calls himself Ryan says he is one of the hackers. Why? Why did you do this? It affected so many people. It ruined Christmas for potentially millions of people.

RYAN: Why we did it? Mostly for — to raise awareness, to amuse ourselves. Also, one of the big aspects here was raising awareness regarding the low state of computer security at these companies, because these companies make tens of millions every month from just their subscriber fees, and that doesn’t even include purchases made by their customers. They should have more than enough funding to be able to protect against these attacks.

JOE: Do you not feel guilty that you’ve taken so much enjoyment of gaming away from more than 100 million people over this Christmas period?

RYAN: I’d be rather worried if those people didn’t have anything better to do than play games on their consoles on Christmas Eve and Christmas Day. I can’t really say I feel bad. I might have forced a couple of kids to play — spend their time with their families instead of playing games.

JACK: I can’t believe that clip; this kid calling himself Ryan appearing on Sky News not hiding his face or voice at all, admitting to taking down Xbox Live and PlayStation, and I just can’t believe Joe got that interview. It takes a certain amount of finesse and diligence to get hackers to talk. I should know. But he’s got just what it takes to make it happen.

JOE: He just didn’t give a damn. He didn’t care. All the chaos that he was causing, all the headlines around the world, people going, what is going on with Xbox and Sony PlayStation? This is absolutely a monumental cybersecurity issue here, and this kid was laughing at the whole thing. It just made me think, wow, the power that they can wield from keyboard and mouse, and it just really struck me, and from then on out, I was just, yeah, hooked on hacking and cyber, and have been ever since.

(INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]

JACK: The reason why I wanted to talk with Joe Tidy today is because he just published a book called Ctrl+Alt+Chaos, and I just finished reading it. It’s great. It starts out in 2020 with a cyber attack in Finland.

JOE: [Music] There was this incredibly sinister and cruel cyber attack in Finland, and it shocked the world. It was up for my money the worst and most nasty, cruelest, darkest cyber attack in history.

JACK: The worst, most nasty, cruelest, and darkest cyber attack in history? Oh, I’m in. I want to drive straight into that story. But before we hit the gas, let’s try to guess at what it could be. What comes to mind when you hear that? Like, maybe a hospital system brought to its knees where lives are on the line? Or maybe a pipeline gets shut down, or fuel shortages, chaos everywhere? Or maybe an entire government agency gets compromised and state secrets are exposed? Well, those are all serious and probably scary, but they don’t sound like the nastiest to me.

Let’s think smaller, closer to home, more personal. Is there something, some piece of data on you that if exposed would make you feel fear, like a deeply disturbing fear? Maybe it’s your photos getting out. You probably just publish your photos online anyway, so that’s probably not it. Okay, well, what about your text messages? Are those private enough that would cause a lot of fear if they got out? Maybe. Or your location data? Or maybe your password getting leaked? Alright, fine, the guessing game is over. Let’s hear what it was.

JOE: So, the Vastaamo cyber attack was in October 2020, and the first we heard of it was that there was someone on a forum in Finland on the darknet who was saying — they were calling themselves Ransom Man and they were saying, I have hacked the Vastaamo psychotherapy center. I have got the — all the personal details of all the clients of this ginormous chain of psychotherapy centers. So, this is a really well-known company in Finland, a kind of social-good company that was very, very popular. They were offering people psychiatrists, psychotherapists, that kind of thing, and they had dozens of centers popping up all over Finland. They had a very famous and recognizable logo of a green speech mark.

I think Vastaamo translates as ‘the answer machine’ or ‘the place to go for answers’. So, in a small country like Finland, everyone knew Vastaamo because if you didn’t go to it, you knew someone that probably went to it. So, when this Ransom Man popped up on the darknet on a website which is now gone, but it was called Torilauta, and he said, I have hacked Vastaamo. I’ve got all of this information. Not only have I got the information from the patients about — like, name, address, e-mail, phone number, social security number, I’ve also crucially and cruelly got all their therapy notes as well. So, that’s 33,000 people who were potentially gonna have their deepest, darkest secrets exposed online.

JACK: There it is; the notes your therapist took when you spilled your most personal and private thoughts to them. That, in my opinion, is in fact the cruelest piece of personal data that someone could hold for ransom, especially because you didn’t do anything wrong. You were just talking to your therapist. But this Ransom Man guy was talking with Vastaamo, telling them, hey, I hacked your company, I stole your patient records, and all I want is Bitcoin or else I’m gonna release it to the world. Vastaamo contacted the police, who took over communication directly with this hacker, and they were trying to get as much information as they could from this guy. But that went on for six weeks, and Ransom Man felt like it wasn’t going anywhere, and needed to up the pressure to show that he’s serious.

JOE: Ransom Man said, I have been trying to get 400,000 euros, which — I forget how many Bitcoins it was at the time, but that’s how much it equated to. I’ve been trying to get that off the CEO of Vastaamo, and they’re refuse — the company’s refusing to pay. [Music] So, now I’m going to release one hundred records every day until they pay me.

JACK: Of course, the Finnish police were already very aware of this situation because they were working with Vastaamo to try to catch this guy. So, they noticed this post right away and start archiving anything, looking for clues. Yes, the first day, he did release one hundred records. Everyone’s worst fears were a reality.

JOE: It’s the kind of stuff that is a nightmare for people who are vulnerable, they’re struggling already with their mental health, and then to have this kind of information out there, it’s anything you can imagine. So, we know now that Ransom Man took a lot of time choosing which hundred to release. He wanted the most salacious ones he could find. He wanted the most harmful ones he could find. So, he did searches for things like rape fantasies, child abuse, police as well; at one stage he was searching for that kind of key words in the database. He posted these, these first hundred.

JACK: Typically when you see someone post a snippet of breached data to a darknet forum saying you hacked into something, people think it’s funny and maybe even cheer for you. But he didn’t see any of those kind of reactions.

JOE: He chose sites that you’d think that would be acceptable to this kind of crime and this kind of maverick approach to morals; I suppose you could put it that way. As well as posting on Torilauta, he posted it to a clearweb forum called Ylilauta, which was known as — like Torilauta, known for being a place a bit like 4chan. You know that horrible website 4chan where anything goes and edgelords rule and the more offensive you can be, the better? The two pace — those two places that he posted — what I was really surprised at looking back through the logs and research for the book was just how much hatred he got straight away. There was no respect for him.

There was no ‘wow, well done, you’ve done a crazy thing. Awesome’. Everyone was very, very angry. There wasn’t much love at all for Ransom Man. What I found really interesting is if you look through the back and forth that he has over the hours that he’s on both those websites, people are saying, you’re a script kiddie, go and kill yourself, there’s a special place in hell for you, all these things being thrown at him. Quite quickly it got — his post got marked as being a sign of criminality on the Ylilauta website, so they took it down. But on the darknet one, it stayed there, and he carried on — he carried through with his threats every day. He posted a hundred more records.

JACK: [Music] I mean, I think this might even be an instance where I’d call him a script kiddie myself. Normally I would never call anybody that except maybe myself, because the term is usually derogatory. A script kiddie is just a beginner hacker who doesn’t know what he’s doing. But I like beginners. We all have to start somewhere. Beginners aren’t a problem. But the reason why I might call this guy a script kiddie is more because of the ‘you don’t know what you’re doing’ part. Holding this kind of sensitive data hostage — dude, that’s messed up. You can’t mess around with that kind of data like that. This whole thing just strikes me as being so reckless and careless for other people’s most inner, private details getting out. He’s got an unbelievable amount of highly-personal data, and he’s weaponizing it in order to profit from it. It’s like he doesn’t care how much people he hurts from this just so he can try to extort this company. It does seem like he’s really grasping for something here; what, fame, money, respect? But he’s just not getting it from anyone.

JOE: Ransom Man even joked about that. He said that getting into this database that was holding all this really private data was really easy. He said there was no password. It was ‘root root’, and he put that on the forum, and people kind of laughed along with it, in a sense. But then there was also the idea that he was out of his depth. People were accusing him, Ransom Man, of being an amateur, of not knowing the difference between profit — gross profit, net, accusing him of asking the company for too much money. What’s funny about the exchanges on the forum is that he’s constantly having to defend his actions as a hacker. He’s saying, no, no, no, I’ve done loads of hacks and this is just one of them, and I know what I’m doing, and trust me, I’m a serious cyber criminal. But people weren’t really buying it. But what was also quite troubling and scary is that there were a couple of people — whilst most people on the forum were having a laugh with it and trying to make him feel bad for what he’s done, some of them were posting saying, hang on a minute, this is my data. Please, please don’t post it.

JACK: So, that was the first day. Already it stirred up some people pretty bad, but Ransom Man promised another one hundred more every day.

JOE: [Music] Then, like clockwork, the next day, another hundred, and then like clockwork, the next day, another hundred. Obviously, as you can imagine, it was getting picked up now by news organizations around the world. People in Finland were getting extremely worried and concerned about it, and there was nowhere to turn to ‘cause Vastaamo was in absolute chaos.

JACK: Vastaamo stayed quiet through all this, partially because they were working with the police to try to catch him, partially because they were speaking directly with Ransom Man over e-mail. Their customers were freaking out, and they were trying to focus on this catastrophe at hand.

JOE: So, 300 different patient records now on the internet for anyone to download, and all you had to do was click on one of the links, and then you’ve got access to the — all of the data. In some cases, some of these people would be regular clients and patients of Vastaamo. So, they would maybe have a year’s worth of therapy notes, and these are kind of like typed out by the therapist. It’ll be things like, today we talked about this. They wanted to say this. I think it could be to do with this. So, you can imagine what types of information and details there are put in there by the therapist. If you look at the whole thousands of people that were affected by this, some of them were regular Vastaamo patients, so they would have had a huge amount of detail. Some of them were infrequent and some of them were only one or two visits. But the first 300 people that had their notes exposed, they were chosen specifically because they were the most deep and upsetting. I think we know now that he knew exactly what he was doing when he chose those.

JACK: Gosh, how awful to be one of those people who trusted this company with their innermost secrets only to have it all posted publicly for anyone to see. That would absolutely rattle me to my core. I would simply be frozen for a solid week, unable to move, not knowing how my friends or family or coworkers will react if they read it. I guess this is another lesson in protecting your own data. Just because something is supposed to be safe and secure doesn’t mean it is. Companies might say they treat your data with the utmost privacy, but actually, they don’t do as good of a job as they should. It’s just one of those reminders that you are the only one who will treat your data with the privacy it deserves. So, make sure you’re doing it.

JOE: [Music] But what he did next was he made probably the biggest mistake in the history of cyber crime, because he thought, I’m gonna be helpful here. So, he told the forum users, here’s a large folder. You can download the whole thing. Instead of having to go to one, two, three download links, here it all is. But what he accidentally did was posted his entire home directory and the entire list and all the data from the 33,000 patients. So, in that one upload, he gave away all his bargaining chips.

JACK: He posted it late at night and went to sleep before realizing his mistake. Of course, by this point, a lot of cybersecurity researchers were keeping a close eye on him, including the police. When they saw this post, they all immediately tried grabbing this .tar folder with all the data, but since he posted it on the darknet on Tor, it was an extremely slow connection, so nobody could really grab it. There just wasn’t enough bandwidth, and everyone was getting extremely slow download speeds.

JOE: There was a couple of people on the forum in the morning who were talking about — oh, I got five megabytes here, one megabyte here, but this file was ten gigs big, so — and the slow internet speeds that you get on the darknet meant that people weren’t able to download the full thing. Plus, there was a little bit of luck that Ransom Man had as well; he ran out of storage space or something, and it kind of — it locked out and went down overnight, so it didn’t allow many people to have full access to it. But there were some who did, and there were some that managed to get a decent chunk of that file.

JACK: So, nobody got the full file, but even just getting the first five megabytes had a lot of very interesting data in it. People were extracting what they could out of it and looking through it, and it had loads of patient details, but there was some other stuff in there; details about Ransom Man himself.

JOE: [Music] Well, there’s this moment where he wakes up and he realizes his mistake, and he posts on Torilauta, ‘whoopsie, enjoy big tar’, and he puts a smiley face emoticon. What’s interesting about that, of course, is that he’s playing down what is a serious situation for him. He hasn’t just given away his entire bargaining chip; he’s given away really, really important information that he wanted to keep secret about himself. So, very quickly it becomes clear to the police that if he knows what’s happened, they need to be quick. They very quickly — in the early hours of that morning, they started tearing through this two-gigabyte file they had managed to download from the big tar, and they found an IP address, a crucial IP address. It was a massive stroke of luck from the police. Not only that; bizarrely, the IP address was for a cloud-hosting provider in Helsinki, where the investigation was taking place.

So, there was this — I spoke to the head detective, Marko Leponen, and he said there was this mad race to try and get to the cloud service provider, get that computer off the internet as quickly as possible to stop Ransom Man having any control over it. He says there was a race against time between Ransom Man himself. He could see the files being deleted somehow, and he said that he had to get two police officers in a car, sirens going, right away across town to try and get to this place. He had another officer on the phone trying to get through to them in the early hours. They eventually got through on the phone. They had a guy from the company running through the warehouse, finding the server, unplugging it so that Ransom Man had his connection severed — Ransom Man trying to delete the evidence from his massive server which had way more than the big tar, of course, that had everything on there, and he was only able to delete a certain amount because they got there just in time and pulled the plug.

JACK: Wow, the police were really on the ball here. I mean, holy cow. See, when you’re on Tor, the darknet, IP addresses are hidden. These files could be hosted anywhere in the world, and the police would have absolutely no idea where to look to find Ransom Man or where the files are hosted. But this file he posted pointed exactly to where those files were hosted. It was a big mistake, and it gave the police their first huge piece of evidence. With this server seized, they took it back to the police station to analyze it.

JOE: Yeah, they took the server back to their lab in the cyber — the HQ in Helsinki, and they started going into it, and it gave them a wealth of information [music] not just about that particular hack that took place, but also about the kind of — the network and the infrastructure that was being used, what other cloud service storage providers that Ransom Man was using, receipts from certain things, other little nuggets and little bread crumbs that took them to online accounts which they could subpoena Google for or whoever it was to get information about individuals. It was a treasure trove. It was an absolute — a boon for the police.

JACK: So, Ransom Man was toast. All the data he was holding for ransom is now out there, so he’s got nothing left to threaten Vastaamo with. If it was me, I’d be like, oh crap, and I’d delete everything on my machine and just close it and set it on fire and try to disappear as fast as I could.

JOE: I don’t know what goes through his mind, but he sort of thinks, okay, how can I make some money? I’ve come this far. I need to make some money out of this. So, the next step is really, really nasty. He finds the e-mail addresses, obviously in the stolen data, of as many people of those 33,000 patients as he can find — I think it was something like 27,500 e-mail addresses — and then he e-mails them, every single person, all in one batch, with their name in the e-mail, personalized to them with their social security numbers, and he says, I’ve been trying to get Vastaamo to pay me so I don’t release your data. They are not paying me, so you’re gonna have to pay me now.

JACK: Oh, wow. He contacts every person he can to try to extort the users individually? That is cruel. Like, already they’re reeling from their deepest secrets being out there, and now he’s hitting them when they’re down, saying, give me money and I’ll delete your data.

JOE: …which is 200 euros worth of Bitcoin, and if they don’t pay within twenty-four hours, it goes up to 500 euros in Bitcoin. Otherwise their data will be published online.

JACK: Of course, he CC’d the CEO of Vastaamo and their executives. Vastaamo goes into full panic mode at that point. Tons of people started calling in who were just now hearing about this, really worried. Not only were they calling Vastaamo, but floods of people were calling the police, too. Honestly, I can’t recall a data breach where the hacker tried to extort all the victims whose data was in the breach. Yes, I know that people comb through data breaches looking for targets to hit, and so, the people in the data breach are often victims themselves, but to extort them all like this, that is — that’s just something new to me.

JOE: Yeah, it’s certainly at this scale never-before seen, and if you speak to some of the security experts who were looking at it at the time, this is a real nadir in cyber crime. This is the lowest of the low. [Music] This is a cyber criminal who did something despicable in the first place, failed in trying to extort the company, and now is going directly into the inboxes of these vulnerable people. The impact that this had is just awful. I’ve spoken to probably — I think about fifteen of the victims, and you hear some of the stories of the impact it had on them. One of the women that I spoke to said it was — it felt like digital rape, she said, which really has always struck me as just such a horrible proposition and such a horrible description. But it does bring to life for me what it feels like. Having your data stolen, your private data, can feel like a burglary, is what some of the victims said, but having this particular type of information stolen is just such an invasion.

JACK: Joe spoke to the lawyer of some of these victims, who told him that some people couldn’t handle this news, and they chose to end their own life rather than to face the shame of their data getting out there. It was truly an awful, dark, cruel time for these victims.

JOE: Yeah, so, at this point, the story went completely stratospheric, as you can imagine, because people started going online saying, I’ve been — I’ve got this e-mail; I’m being ransomed directly. If the country hadn’t been doing much to help people up to this point, suddenly it kind of burst into gear. You had statements from the president and the prime minister, there were meetings held at the highest level of government trying to work out what you can do for these people, because of course, the data’s already out there. Although Ransom Man was asking for payment, not many people paid. I think about — we know for a fact about twenty people sent Ransom Man money, but a lot of people were advised, and they got the advice, don’t pay.

It’s too late. The data’s out there. If you pay, you’re wasting your money. That was the advice that was given. But the police were getting calls from — we’re talking, yeah, 33,000 people, potentially thousands of people all on that same night hit with this same e-mail, the same threats. So, that’s an instant spike in criminal complaints. Criminal records and reports needed to be filed. They couldn’t cope. There was phone lines set up by Vastaamo to try and help people, but they were overwhelmed. The police were overwhelmed. They said, please don’t call 999 or whatever the equivalent is in Finland with an emergency. You need to go to this specific number.

This was all happening during Covid, as well. This was October 2020. So, the country was already in a state of panic. There’s this picture that I’d dug up for the book from Twitter which showed the prime minister and her cabinet sat around a circular table, all socially distanced, all with surgical masks on, looking at this big screen with the Vastaamo details on it. That just really hit home to me. This is such a time of already peril for society, and then suddenly you’ve got this ginormous hack, which in a small country like Finland, 5.5 million people — as Mikko Hypponen said, everyone knows someone who was affected by this.

JACK: Twenty people paid the ransom. That’s, what, like $6,000 worth of ransom payments that he made from all this, and in total that’s about all he made from this whole thing. Not a very big payday for him compared to how much damage he caused these victims. At this point, the police had been working on this case for almost six weeks and have started to collect some pretty interesting evidence.

JOE: Well, the main detective, Marko Leponen, he — obviously he’s very, very happy that they managed to secure this server that Ransom Man was using and running, and he thinks, great, I’ve managed to get something here that’s gonna really help us. [Music] But then, of course, it all comes crashing down for him when his phone just doesn’t stop ringing because of victims who’ve managed to get hold of his number who were calling for help. There’s a sort of scene in the book where Marko feels relieved, but then the phone is going and people are calling, saying, what am I gonna tell my husband about my affair? What am I gonna — how am I gonna go into the office on Monday if my colleagues find out what I’ve said about them? It really, really hits him hard, and he breaks down and he’s crying, and he decides to change his phone number and concentrate on the criminal investigation, which is what he does, and he spends the next — the best part of — over a year trying to figure out who Ransom Man is.

JACK: Over a year; wow.

JOE: Yeah, and slowly it dawns on him that this kid or this cyber criminal who was famous when he was a kid, infamous, rather, is probably the prime suspect. The name Julius Kivimaki just keeps coming up.

JACK: Julius Kivimaki? Of course his name would come up as a person of interest. It was in the back of a lot of people’s minds from the beginning that it might be him. You know what? You already know who that is. Julius Kivimaki is the guy who took down the Xbox and PlayStation network on Christmas 2014, the guy that Joe interviewed live on Sky News. You heard his voice at the beginning of this episode, the notorious hacker from Lizard Squad. He’s from Finland. He’s been involved with some pretty high-profile hacks in the past, and he just doesn’t seem to care how much trouble he gets in or chaos he causes. Could Ransom Man be him? Speculators were thinking it, but the investigator, Marko, was finding actual evidence that was pointing to him.

JOE: [Music] But he can’t find him. He can’t find where Julius Kivimaki is to bring him in for an interview. He could be anywhere in the world. Nobody knows where he is. So, Marko does the quite extreme move of putting out an Interpol Red Notice to try and find out where he is, and I think it was November 2022 that he put out the Red Notice, which means that if there is a police force in Europe that comes across anyone that bears the liking of Julius Kivimaki or has any likeness to him in terms of the kind of aliases that he’s using, that kind of thing, need to arrest him on sight in order to get — to send him back to Finland. Marko puts out this Red Notice and obviously carries on with other cases and things, and just hopes that somebody somewhere recognizes Kivimaki and brings him in.

JACK: Julius was smart about evading capture. He was in hiding, using fake IDs, and in some other country. There was just no trace of him anywhere. But this is when Joe realized he’s talked to this hacker before.

JOE: As soon as the name came out, as soon as he was wanted with the Interpol Red Notice, the cybersecurity world were like, hang on a minute, this is the same kid — or not kid anymore, but this is the same person that was this notorious cyber criminal when he was a teenager. I was like, wow. I couldn’t believe it because I would — I was trying to keep tabs on this kid. I had a feeling that he would be back after the Lizard Squad attacks, and then he comes up and does this. You just think, wow, this goes to show that if you don’t catch and deal with some of these cyber criminals, they will just keep coming back for more. It’s sort of like an addiction. If you look at the history of people like Kivimaki — and in the book we go into great detail about what he did as a teenager, what kind of gangs he was in, the people around him, the culture around him, there is a kind of element of just addiction and power and greed when it comes to these individuals. Once you get a taste for that hacking life, I think it’s hard to let go.

JACK: Meanwhile, Vastaamo is still reeling from this attack.

JOE: So, if you ask the CEO of Vastaamo and the founder of Vastaamo, Ville Tapio, he would say that the company could have survived if he’d had been allowed to keep operating it and kind of steered the ship through this crisis, but he was dropped very, very quickly as soon as the investigators began poking around.

JACK: When Vastaamo got the ransom note from Ransom Man, they called the police, and the police took over the situation. They took over the CEO’s e-mail and they were responding to Ransom Man, posing as the CEO. They were advising Vastaamo how to react to everything, and the police weren’t trying to save the reputation of the company. They were trying to solve the case of who did it, so they had a totally different priority than maybe the Vastaamo leadership. So, the CEO of Vastaamo didn’t have control of the ship in the middle of this crisis. The police did.

JOE: Not only had Ransom Man managed to get hold of this data in 2018; someone else somewhere — we don’t know who, we don’t know what happened; they got hold of it in 2019 or they had access to it, and there was still a lot of confusion here about whether or not there was a cover-up. [Music] Tapio denies that vociferously. The IT team that he hired have gone dark. They don’t — they haven’t spoken to anybody. So, we don’t know exactly the nature of that, but the Vastaamo hack, Ransom Man, plus this incident in 2019, it just meant the company was in absolute chaos and crisis, and legal problems as well. You can imagine data protection authorities breathing down their necks. They had fines to pay. Then you’ve just got the fact that there was tens of thousands of people who just could no longer trust the company, and the way they handled it was atrocious. People were turning up at the therapy centers demanding their notes to be handed over, and some of the staff were in tears. It was just utter, utter devastation, and the company collapsed into administration.

JACK: The company collapsed. Wow. It’s pretty rare for a company to be damaged so badly from a cyber attack that it can’t recover and has to shut down like this. It’s wild to think that your whole business could come to a catastrophic end all because of a hacker. But all this does make you wonder, whose fault is it for not securing the customers’ data better, and shouldn’t they be held responsible?

JOE: Well, Ville Tapio, the CEO, he has been prosecuted for…

JACK: Really?

JOE: …for failing to protect the data, but he’s appealing that and we don’t know what’s gonna happen with that.

JACK: The CEO blames his IT team for failing to protect the data, and he blames the police for how badly the fallout was handled. He says when he called the NBI, the National Bureau of Investigation, they locked him out of all decision-making, and he didn’t even know what was being said in e-mails using his name. Pretty early in the investigation, the NBI filed a criminal complaint against the CEO accusing him of a data protection violation, which led the board to remove him as CEO in the middle of this crisis while people were trying to call 24/7 looking for help. So, the company was leaderless during all this, and not only was he dismissed as the CEO, but the parent company of Vastaamo also sued him, accusing him of failing to protect user data.

Ville Tapio, the CEO, was convicted in the District Court of Helsinki for data protection violations under the EU’s General Data Protection Regulations. He was sentenced to a three-month suspended prison sentence in April 2023 after being found guilty of not anonymizing or encrypting the personal data processed at Vastaamo. But he doesn’t agree with that, and he’s actively trying to fight that to clear his name, so it’s still yet to be seen where he lands.

[Music] Around that time, someone phones up the Paris police and reports that there’s a domestic abuse situation happening. They said there’s scary noises; it sounds like a scared woman, an angry man. Something’s going on. Check it out.

JOE: They get called out to a domestic abuse situation in Paris in early 2023, and they — the police arrive in the early hours; I think it’s something like half past 6:00, 7:00 in the morning, to a very quiet part of Paris in the north — I think it’s the northwest, and they approach the door expecting potentially for there to be a serious situation of potentially a man abusing a girl, a woman. They knock on the door and eventually a very bleary, tired-looking girl answers the door, and she’s fine. The police go in and they find a 6’3, blonde hair, green-eyed man, who’s traveling under the name Asan Amet. They think, hang on a minute, this person doesn’t look like they should be from Romania. So, they run some checks and it turns out this isn’t a Romanian living in Paris with his girlfriend or wife at the time. This is the wanted cyber criminal Julius Kivimaki.

JACK: So, the Vastaamo hack happened in 2018, but the ransom attempt and public posting of this data didn’t happen ‘til two years later in 2020, and now Julius is arrested in 2023.

JOE: So, they very quickly arrest him and drive him to the police station. Then, of course, the call goes in to Marko and the team in Finland, and they are high-fiving around the office. They’re screaming for joy ‘cause they didn’t think that this Red Notice would be so successful. This was only a few months after they put the call out to other police for help, and they had no idea where he was. So, suddenly, to have this arrest take place in Paris meant that they got their guy.

JACK: So, he’s sent to jail in Helsinki, Finland, and has to face a judge there.

JOE: So, it takes them a good few months to get together the evidence that they need to start the trial, and the trial takes place in Finland just outside Helsinki, and it’s the biggest criminal case in Finland’s history because of the number of victims. I went along to the first day when Kivimaki was in the dock as — doing his cross examination. It was an absolutely ram-packed courthouse, as you can imagine. So many people there wanted to know what he would say and how he would sort of get around it. What was interesting as well was there was lots of people watching who were victims in a cinema in a secret location as well, watching the live feed.

But during the trial, about halfway through the trial, somehow Kivimaki’s legal team managed to convince the judges to let him out on bail because they thought that he wasn’t a flight risk. So, he was released from prison and he was allowed to do what he wanted as long as he was under certain conditions. Like, he had to keep his phone on him and go to a police station every couple of days. But just as soon as he was released, the police were like, whoa, whoa, whoa, you cannot let this guy go because he’s gonna — he is a flight risk. He’s gonna disappear again. ‘Cause don’t forget, he’s been — he was wanted and there was a manhunt for him previously. Plus, you’ve got this massive history as well where he just doesn’t seem to give a damn about the police.

So, lo and behold, they say — the judges change their mind and they say, right, come back to prison, please, Kivimaki. We don’t know where you are, but come in because you’ve got to come back to prison, and he just refuses. He just says — he answers the phone saying, nah, I’m staying where I am. I’ll see you in court, but I’m still — I’m chilling. I’m not gonna come into the — I’m not gonna come to prison again until the court case starts. So, you had this absolutely absurd situation where a wanted cyber criminal who was found by accident in Paris, brought to Helsinki, the largest criminal case in Finland’s history, released on bail; now they want him back, and he’s saying ‘no’, mid trial.

I just think it’s incredible, because all the cases that I’ve covered, the defendants are always trying to be as good as possible and trying to convince the jury and the judges that they are upstanding members of society, and Kivimaki just doesn’t care. So, the police had to start another manhunt to find out where he is. Marko is so angry about this, and he’s got — all the police resources are out there trying to find him, and eventually they managed to track Kivimaki down because he posts a picture of him or posts a picture of a hand holding a really expensive champagne bottle, and they recognize the room might be something from an Airbnb, and they managed to locate the Airbnb he’s in and re-arrest him.

JACK: 9,600 counts of aggravated invasion of privacy…

JOE: Yeah.

JACK: …21,000 attempted aggravated extortion attempts…

JOE: So, those are the e-mails that they know about.

JACK: Yeah, and twenty counts of aggravated blackmail. This is crazy, 21,000 aggravated extortion attempts. Of all the — I’ve heard people get arrested for like, seven counts of this, thirteen counts of that, but 21,000 counts; holy mackerel.

JOE: Yeah. Well, that’s the kind of preposterous thing about the Finnish justice system, because when you look at it, it’s outrageous, isn’t it? But actually, if you look at the numbers in detail — so, the 9,231 aggravated dissemination of information infringing private life, those are the people that actually filed complaints. So…

JACK: Really, 9,000 people?

JOE: Yeah.

JACK: Almost like a class-action lawsuit with 9,000 complainers.

JOE: Yeah.

JACK: Wow.

JOE: Then the 20,000 are the e-mails that they know of. So, there were 27,000. I think there were some duplicates, and 20,000 were the ones that they kind of confirmed as being aggravated. Then you’ve got the twenty aggravated, which is the people that paid.

JACK: Yeah, in the US we have civil cases which is like, a user of the site is claiming damage that the site caused them reputational damage or whatever, but this is a criminal case where people complained that this particular person, Kivimaki, has harmed their life and in ways — I think that’s also unusual.

JOE: Yeah, and they’re actually thinking of changing the Finnish justice system to cope with this kind of thing. They’ve never had a court case on this scale where so many individuals go after and accuse one individual of issues, of criminality. So, there’s discussions in the country about how they’re gonna cope with something if this happens again, because they had to — they’re still working through it, to be honest. They are still working through the backlog of potential compensation to be paid. The company, Vastaamo, is bankrupt, so they can’t really pay very much, but Kivimaki has agreed to pay some people, but it’s not gonna be much.

Of course, the kind of — the scale of harm is very different depending on who you are, as well. So, there will be some people — I spoke to one guy who went there twice with his wife to help them with their divorce, and he doesn’t feel particularly aggrieved, or he’s not feeling too invaded by that. But then you’ve got people who have been there — going there for years, and they poured their hearts out to the therapist, and now they’re absolutely terrified. They’re looking — if someone looks at them funny in the street, they’re worried that that person’s read their notes and they know their deepest, darkest secrets. They’re kind of — there is a real difference in how it’s affected people.

JACK: Yeah, so it’s — in the court there, they mention how many other crimes this guy has committed and how it just goes back for almost a decade that this guy was a cyber thug. That’s where I think there’s just so much more to your book, right?

JOE: Yeah, and you mentioned the 30,000 crimes that the court accused him of or convicted him of. But if you go back not that long, Kivimaki has a history of cyber crime. He got convicted of 50,000 cyber crimes when he was a teenager because of various things he did, because this guy was really brought up in a time when teenage cyber-crime gangs were absolutely coming to the fore. They were prolific. There’s this period of time in the 2010s where you had this conveyor belt of cyber-criminal teenage gangs that were, one after the other, passing their baton, upping the ante. They were worse than each other each time they tried to outdo each other in terms of the kind of things they could do, get away with, the kind of criminality and cruelty they could be responsible for.

I don’t know if you remember any of these gangs, but I’ll go through some of them. So, LulzSec probably started this whole thing. I don’t know if you remember them; 2011. Then after that you had HTP, which Kivimaki was part of and convicted for. He was actually — he was collared when he went to Defcon in — I think it was 2012, 2013 when he was a teenager, and the police — the FBI managed to get him in a room, in a hotel room, and interrogate him for some of the stuff he was doing. Then he was arrested by the Finnish police and spent time in prison, and then eventually the long, slow way that the justice system works, he was convicted. But of course, in that time, he didn’t stop and he carried on. Then there were other gangs he was part of like Lizard Squad and UGNazi, Isis gang. All these types of gangs just came and went in this period, causing damage as they did so.

JACK: He was convicted of 50,000 cyber crimes in the past? Look, what we’ve covered in this episode is only the first few chapters of Joe Tidy’s book, Ctrl+Alt+Chaos. You’ve gotta hear what else this guy did, so I encourage you to go get his book and hear the rest of the story. We only covered one of his hacks here, but there are so many more this guy did, and I have a strong feeling that Julius Kivimaki will go down as one of the most notorious hackers in history. It’s really amazing how close Joe was following this whole story, especially in this Vastaamo case. Joe was in the court room watching all this unfold.

JOE: Yeah, I was there on the first day that he gave evidence, and it was packed full of journalists from all over Finland and also international journalists as well, because of course by this time, this was known as the biggest case in Finland’s history, and the Vastaamo court case and the Vastaamo case itself was just such a big, nasty story. I went in and it was really interesting ‘cause Kivimaki sat there and he had a laptop in front of him and he was answering all his prepared questions from his lawyer, and he was just not even thinking about it, just kinda stroking the mouse keypad on the laptop back and forth, back and forth, and smiling while he was talking and cracking little jokes. He seemed really relaxed. Of course, when you look at his history, when you look at the amount of cyber crime that he’s carried out, the amount of run-ins with the police, convictions, that makes sense to me. This is the kind of world that he operates in. He doesn’t seem to have much care for anything.

JACK: Yeah. Yeah, it does seem like that, just what can I do to set the world on fire, kind of thing.

JOE: Yeah, I think it is a bit of that. It’s one of the really weird things about this whole case. I’ve followed this guy for ten years, since he was a teenager, and the people that speak to him and know him — he’s not a popular hacker. He falls out with people all the time. He did some nasty stuff even before the Vastaamo hack. I would argue that he’s probably the most hated hacker in history because he didn’t give a damn and doesn’t give a damn, and people are confused by him, what his morals are, because he’s got the money. Some people said that he just likes to cause damage and likes to cause chaos and enjoys it.

JACK: On April 30th, 2024, Julius Kivimaki was sentenced to six years and three months in prison. He’s currently sitting in prison right now, serving his time.

(Outro): [Outro music] Thank you so much to Joe Tidy for sharing this incredible story with us. You have to hear the rest of the story, though, so go get his book. It’s called Ctrl+Alt+Chaos, and it releases this month. I have to take a moment to just thank my premium subscribers. They are the real heroes to me for supporting this show. It really helps keep it going. I love you so much. Thank you. [Blows kiss] If you’re not already a premium subscriber and you want kisses from me, visit plus.darknetdiaries.com, and if you sign up, you’ll get an ad-free version of the show, plus eleven bonus episodes. This episode was created by me, the root canal, Jack Rhysider. Our editor is the drop table, Tristan Ledger, mixing done by Proximity Sound, and the intro music is by the mysterious Breakmaster Cylinder. Of course I use a password manager. It’s called the dark web. Have you heard of it? It’s got everyone’s password on there. You can look up mine or anyone else’s. It’s real easy. This is Darknet Diaries. [END OF RECORDING]

Transcription performed by LeahTranscribes