July 17, 2024
Finland’s Most-Needed Hacker Nabbed in France – Krebs on Safety

Julius “Zeekill” Kivimäki, a 25-year-old Finnish man charged with extorting an area on-line psychotherapy follow and leaking remedy notes for greater than 22,000 sufferers on-line, was arrested this week in France. A infamous hacker convicted of perpetrating tens of 1000’s of cybercrimes, Kivimäki had been in hiding since October 2022, when he failed to point out up in courtroom and Finland issued a world warrant for his arrest.

In late October 2022, Kivimäki was charged (and “arrested in absentia,” in accordance with the Finns) with trying to extort cash from the Vastaamo Psychotherapy Middle. In that breach, which occurred in October 2020, a hacker utilizing the deal with “Ransom Man” threatened to publish affected person psychotherapy notes if Vastaamo didn’t pay a six-figure ransom demand.

Vastaamo refused, so Ransom Man shifted to extorting particular person sufferers — sending them focused emails threatening to publish their remedy notes until paid a 500-euro ransom.

When Ransom Man discovered little success extorting sufferers straight, they uploaded to the darkish net a big compressed file containing the entire stolen Vastaamo affected person information.

However as documented by KrebsOnSecurity in November 2022, safety consultants quickly found Ransom Man had mistakenly included a whole copy of their residence folder, the place investigators discovered many clues pointing to Kivimäki’s involvement. From that story:

“Amongst those that grabbed a replica of the database was Antti Kurittu, a group lead at Nixu Company and a former prison investigator. In 2013, Kurittu labored on an investigation involving Kivimäki’s use of the Zbot botnet, amongst different actions Kivimäki engaged in as a member of the hacker group Hack the Planet (HTP).”

“It was an enormous opsec [operational security] fail, as a result of that they had a number of stuff in there — together with the person’s personal SSH folder, and a number of identified hosts that we might take an excellent have a look at,” Kurittu informed KrebsOnSecurity, declining to debate specifics of the proof investigators seized. “There have been additionally different tasks and databases.”

In response to the French news site actu.fr, Kivimäki was arrested round 7 a.m. on Feb. 3, after authorities in Courbevoie responded to a home violence report. Kivimäki had been out earlier with a girl at an area nightclub, and later the 2 returned to her residence however reportedly obtained right into a heated argument.

Police responding to the scene had been admitted by one other girl — presumably a roommate — and located the person inside nonetheless sleeping off a protracted night time. Once they roused him and requested for identification, the 6′ 3″ blonde, green-eyed man offered an ID that acknowledged he was of Romanian nationality.

The French police had been uncertain. After consulting information on most-wanted criminals, they rapidly recognized the person as Kivimäki and took him into custody.

Kivimäki initially gained notoriety as a self-professed member of the Lizard Squad, a primarily low-skilled hacker group that specialised in DDoS assaults. However American and Finnish investigators say Kivimäki’s involvement in cybercrime dates again to not less than 2008, when he was launched to a founding member of what would quickly develop into HTP.

Finnish police mentioned Kivimäki additionally used the nicknames “Ryan”, “RyanC” and “Ryan Cleary” (Ryan Cleary was really a member of a rival hacker group — LulzSec — who was sentenced to jail for hacking).

Kivimaki and different HTP members had been concerned in mass-compromising net servers utilizing identified vulnerabilities, and by 2012 Kivimäki’s alias Ryan Cleary was promoting entry to these servers within the type of a DDoS-for-hire service. Kivimäki was 15 years outdated on the time.

The DDoS-for-hire service allegedly operated by Kivimäki in 2012.

In 2013, investigators going by means of gadgets seized from Kivimäki discovered pc code that had been used to crack greater than 60,000 net servers utilizing a beforehand unknown vulnerability in Adobe’s ColdFusion software program.

KrebsOnSecurity detailed the work of HTP in September 2013, after the group compromised servers inside information brokers LexisNexis, Kroll, and Dun & Bradstreet.

The group used the identical ColdFusion flaws to interrupt into the Nationwide White Collar Crime Middle (NWC3), a non-profit that gives analysis and investigative help to the U.S. Federal Bureau of Investigation (FBI).

As KrebsOnSecurity reported on the time, this small ColdFusion botnet of information dealer servers was being managed by the identical cybercriminals who’d assumed management over ssndob[.]ms, which operated one of many underground’s most dependable companies for acquiring Social Safety Quantity, dates of beginning and credit score file data on U.S. residents.

A number of legislation enforcement sources informed KrebsOnSecurity that Kivimäki was liable for making an August 2014 bomb threat in opposition to former Sony On-line Leisure President John Smedley that grounded an American Airways aircraft. That incident was broadly reported to have began with a tweet from the Lizard Squad, however Smedley and others mentioned it began with a name from Kivimäki.

Kivimäki additionally was concerned in calling in a number of pretend bomb threats and “swatting” incidents — reporting pretend hostage conditions at an deal with to immediate a closely armed police response to that location.

Kivimäki’s obvious indifference to hiding his tracks drew the curiosity of Finnish and American cybercrime investigators, and shortly Finnish prosecutors charged him with an array of cybercrime violations. At trial, prosecutors offered proof exhibiting he’d used stolen bank cards to purchase luxurious items and store vouchers, and took part in a cash laundering scheme that he used to fund a visit to Mexico.

Kivimäki was in the end convicted of orchestrating greater than 50,000 cybercrimes. However largely as a result of he was nonetheless a minor on the time (17) , he was given a 2-year suspended sentence and ordered to forfeit EUR 6,558.

As I wrote in 2015 following Kivimäki’s trial:

“The hazard in such a call is that it emboldens younger malicious hackers by reinforcing the already well-liked notion that there are not any penalties for cybercrimes dedicated by people below the age of 18.

Kivimäki is now crowing in regards to the sentence; He’s modified the outline on his Twitter profile to “Untouchable hacker god.” The Twitter account for the Lizard Squad tweeted the information of Kivimäki’s non-sentencing triumphantly: “All of the those that mentioned we might rot in jail don’t wish to comprehend what we’ve been saying because the starting, we now have free passes.”

One thing tells me Kivimäki gained’t get off so simply this time, assuming he’s efficiently extradited again to Finland. A press release by the Finnish police says they’re looking for Kivimäki’s extradition and that they anticipate the method to go easily.

Kivimäki couldn’t be reached for remark. However he has been discussing his case on Reddit utilizing his authorized first identify — Aleksanteri (he stopped utilizing his center identify Julius when he moved overseas a number of years in the past). In a submit dated Jan. 31, 2022, Kivimäki responded to a different Finnish-speaking Reddit person who mentioned they had been a fugitive from justice.

“Identical factor,” Kivimäki replied. “We could begin some form of membership? A help group for needed individuals?”