CTRL+ALT+CHAOS - Joe Tidy - E-Book


Joe Tidy


Description

'An illuminating and often scary book' The Daily Telegraph 'Joe has a gift for uncovering stories others can't and turning them into something unforgettable. This book doesn't just tell a story. It grabs you, pulls you in, and doesn't let go.' Jack Rhysider, Darknet Diaries podcast From the BBC's cyber correspondent and foremost voice on cybercrime comes the insider exposé of the global rise of teen hackers: Ctrl+Alt+Chaos. Cyber correspondent Joe Tidy has investigated and interviewed the most infamous teenage hacker gangs of the past decade for the BBC, and previously for Sky News. Now he unveils the dark digital underbelly where teenage boys are reshaping cybersecurity, cryptocurrency, and organised crime under the noses of their parents. Throughout he chronicles the life of Julius Kivimaki, aka Zeekill, arguably the most hated hacker in history, from 12-year-old nuisance hacker to a Most Wanted cybercriminal culminating in his 2023 capture. In one of the cruellest hacks in history, he blackmailed 30,000 Finnish psychotherapy patients with their stolen notes. Kivimaki's story gives us vital insights into how hackers find their feet and become dangerous criminals. Tracking the rise and fall of groups such as LulzSec, HTP, UG Nazi, and Lizard Squad, Ctrl+Alt+Chaos features exclusive interviews with the hackers as well as the police officers trying to stop them. Joe Tidy also draws parallels with recent high-profile attacks from other teenage gangs and asks the question - how can we stop the cycle of teenage boys hijacking life online?


Page count: 397

Year of publication: 2025




Ctrl+Alt+CHAOS

This book is dedicated to victims of cybercrime and the people who work hard to protect our lives online.

Contents

Preface
1 An accidental arrest
2 Ransom_man strikes
3 I got the email
4 The rise of Zeekill
5 Hacking for retweets
6 Hacking for power – and bitcoins
7 Zeekill arrested
8 Addicted to hacking
9 Hacking to harm
10 Christmas is cancelled
11 Vastaamo implodes
12 Untouchable Hacker God caged
13 The baton passed
Acknowledgements
Endnotes
Index

Preface

As a television reporter I’m used to my bosses making outrageous requests. But this was surely the most ridiculous yet.

‘I want a lizard. On air tonight,’ my news editor said, adding the chilling words: ‘Ryley’s called – make it happen.’

When John Ryley – the head of Sky News – gives you a mission it’s one you have to accept. But this was surely mission impossible? By ‘lizard’ he meant a member of the Lizard Squad hacking crew who were making global headlines after carrying out a cyber attack that was spoiling Christmas for about a hundred million people around the world.

Lizard Squad – a gang of anonymous teens known only by their social media handles – had successfully brought the Xbox Live and PlayStation Network services to their knees. Anyone trying to connect to the online systems of either of these games giants was met with the error message: ‘Page not found’. So that meant no playing against your mates, no downloading new games and no registering your shiny new console.

This type of cyber attack would be disruptive at the best of times, but this was Christmas Day 2014 – a peak time for millions of children, parents and everyone in between to fire up their exciting new gaming gifts and play.

Lizard Squad’s attack was a top story around the world and one of those rare occasions when a cyber attack was seen to have an immediate and obvious impact on society. Tens of millions of people were instantly impacted, and a tsunami of them turned to social media to vent their anger and confusion. They were met with a group of kids bragging about their hacking handiwork. People started asking: how on earth was it possible for these teenage boys to humble tech giants like Sony and Microsoft?

I was left with a different question: how was I going to find and interview one of these lizards for a Sky News TV report that evening?

A frantic seven-hour search across every recess of the internet led me to a seventeen-year-old called Julius Kivimäki. An infamous figure in the anarchist teenage hacking scene, he was calling himself ‘Ryan’. But he would go on to have dozens of other aliases, including ‘The Untouchable Hacker God’ and ‘Zeekill’.

As the clock ticked down to our deadline, my video editor and I anxiously waited for this teenager to come online as promised. Just in time, he called on Skype. With a smirk, public enemy number one for gamers all over the world popped up on my screen. I was shocked at how young he looked. He had a shaved head, soft facial features and deadpan eyes. He was utterly unremorseful and arrogant in manner. I did my best to hold him to account but found the experience surreal – he didn’t seem to give a damn, making himself chuckle throughout the interview. Lizard Squad had decided to carry out the hacks on a whim, he said, boasting that the whole thing took him and three others about six hours to pull off. ‘I can’t really say I feel bad about it,’ he said with a broad smile.

His arrogance was like a red rag to a bull to the cybersecurity world and the hordes of angry people who had been affected. The video racked up more than a million views on YouTube. More importantly, from my point of view, the top brass at Sky News were placated.

But that day, and that interview, sparked my now decade-long obsession with cybersecurity.

Back then crime had been a major part of my beat as a general Home Affairs reporter, and I’d covered everything from murders to drug busts. But never before had I come across such brazen and boastful criminals. And never before had I interviewed someone like Julius – so nihilistic and so cocky.

I came to appreciate the power that cyber criminals can wield from their keyboards and I’ve been hooked on hackers ever since. I made it my business to report on every subsequent major cyber attack, first for Sky News and then in my current role at BBC News. I’ve been lucky enough to travel the world covering cybersecurity stories and making documentaries as the BBC’s first Cyber Correspondent. I’ve traversed Russia in search of the world’s most wanted cyber criminals. I’ve unmasked Ukraine’s civilian hacking force. I’ve hung out at the Argentinian beach house of the first millionaire ethical hacker. And I’ve put tough questions to authorities in Saudi Arabia as they hosted a cybersecurity conference in an effort to become trusted global players in the burgeoning industry.

You can see why the Saudis want a slice. It’s estimated that the cybersecurity industry is now worth $200 billion,[1] with huge growth on the horizon. Companies and consultants charge terrified organisations top dollar for the latest and greatest software to stop hackers. But time and again people fail to address one of the biggest elephants in the room. Often the culprits aren’t super cyber spies. They’re bored, lonely and unsupervised teenage boys who team up to cause mayhem from their bedrooms, often situated thousands of miles apart from each other and all without knowing each other’s real names.

I’ve never met a female cyber criminal. I’m sure there are some out there, but the testosterone-filled subculture of teen hacking appears to deter girls from falling onto this dark path. For better or worse.

It’s boys who rise up from the depths of the internet every few years to wreak havoc. They’ve been doing it since the dawn of hacking in the 1970s. What is it about teenage boys that makes them so easily attracted to a life of cybercrime and how are they able, time and time again, to fool the smartest minds in cyber? It’s a cycle we’ve failed to stop, and each new teen gang is more serious and sinister than the last. But the 2010s period in which Lizard Squad and others were running riot also saw a dangerous and seemingly irreversible shift in the nature of this cycle.

The hackers featured in this book are now grown men. Some have served prison sentences. Some have found well-paid and respectable jobs in cybersecurity. Others are living lavish lifestyles funded by cryptocurrency that they may or may not have acquired during their hacking days. In writing about their activities, I’ve chosen to omit identifiable details to protect those among them who are still under the radar. Doing so is a difficult decision which I’ve often faced in my job, but I think it’s justified to get the full stories from the horses’ mouths. But one thing that quickly became evident in the process of researching the book is that this community of hackers is a vipers’ nest of backstabbing and hatred. Even now when these characters are in their twenties and thirties, they remain prone to exaggeration and routinely lie about things they did and didn’t do. And their readiness to argue with each other and trade nasty abuse is something I have found shocking. For the purposes of this book, I’ve made clear which of their various competing stories are backed up with hard evidence and which claims are just that – claims. In particular I’ve leaned heavily on court records to help me navigate my way through this shifting world of liars and wannabes.

Julius Kivimäki will be our focus. He is the thread that runs through so much of the period covered by the book – from 2014 through to the present day – and where he went, others have sadly followed. Through his dark story we’ll learn how teenage hacking culture is shaped by young men and how it can turn innocent computer obsessives into callous cyber criminals.

It’s hard to find a cyber criminal quite as callous as Kivimäki. He is arguably the most hated hacker in history. Not just by the gamers he angered over Christmas 2014 but by the many other victims (including fellow hackers) he harmed along the way. In 2022, for example, eight years after I interviewed him for Sky News, he was linked to probably the most shocking cyber attack in history – the hacking of the mental health records of 33,000 people in Finland and a subsequent attempt to extort money from the victims to keep the records unpublished. Everyone in this small country of just 5.5 million people knows someone who was affected by this attack.

Some will say we shouldn’t give hackers like Kivimäki any more of the attention they crave. But in these pages I hope to shine a spotlight that reveals for the first time how the stories of these wayward characters can be drawn together to tell the full picture and find the otherwise obscured patterns that might help us answer the biggest question of all – how can we stop teenage boys becoming cyber criminals?

This book is not aimed at glamorising this troubling corner of criminality – it’s designed to focus an unflinching light on these immature, misguided and cruel boys and to learn lessons from their stories.

And it all starts with a stroke of luck that led French police to Julius Kivimäki in the early hours of 3 February 2023 . . .

1

An accidental arrest

2023

It was just getting light as the patrol car rolled up the cobbled intersection to 1 Promenade Saint-Nicolas. The six-storey building wraps around a pretty little park and children’s play area in Courbevoie – a leafy corner on the northern fringes of Paris. Far from any nightlife hotspots, this is a place for families and business people. ‘Bustling during the day but usually peaceful at night’ is how one of the residents described it to me. The alert to police came from a woman worried about a friend of hers who lived there. A group of them had been out drinking at a nightclub and her friend had had a big argument with her partner. He was angry and drunk, she told the call handler. Her friend had not been picking up her phone since they returned home and she was terrified something had happened. The police took the report seriously and turned up at the apartment shortly after the call came in at 7 a.m.

They knocked and waited in the corridor but no one answered. They knocked again and nothing. Again, and still silence. Then, according to local news reports,[1] the officers got their battering ram out and were readying to smash the door in when a young woman opened it.

She was fine. Perhaps a little hungover and upset, but any police fears of domestic violence were quickly laid to rest. They found her husband in bed and woke him up. Then, as a matter of protocol, they asked to see some ID. He dug around for his documents and handed over a passport that declared him to be a Romanian citizen called Asan Amet. It seemed an unlikely name for this six-foot-three, blond-haired, green-eyed man so one of the officers radioed the station to run some checks while the other made small talk in the apartment.

Then alarm bells rang.

The name ‘Asan Amet’ was flagged up as one of the fake identities used by one of Europe’s most wanted criminals. This baby-faced man had been charged in Finland with ‘computer-related crime, racketeering and extortion’.

Police cuffed him and led him outside to their car as residents walked past on their way to work or on the school run. Another team came to search the apartment, finding signs of a resourceful and well-connected criminal: he had two other Romanian photo ID cards under the same fake name and there were also images on his wife’s phone of four other drivers’ licences, each one bearing his picture but each one a fake – including one from Britain and one from Arizona.

With the fugitive in the back of their patrol car, the police drove down the narrow streets towards the River Seine. The Eiffel Tower was visible in the overcast skyline that lay ahead on the long straight road to the city centre. The officers probably couldn’t wait to talk about the morning’s unexpected success. The man sitting in cuffs behind them was a huge target.

His real name was Aleksanteri Julius Tomminpoika Kivimäki.

#

Some 2,600 km away in Helsinki, the silence in the offices of Finland’s Cybercrime Centre was broken by four sounds in quick succession. First came the ding of a text message. Then a chuckle. Then another ding. And then an almighty shout of ‘JOOOO!’, which is the Finnish for ‘Yeeeeees!’

The first ding was Detective Chief Inspector Marko Leponen receiving a text from a colleague informing him of the arrest. The chuckle was him laughing it off as a bad joke and sending a sarcastic reply. The second ding was the confirmation that the news was real. And that exultant ‘JOOOO!’ was the chirpy middle-aged cyber cop shouting out in delight. Congratulations exploded around the station. Everyone knew how hard Marko had worked over the previous couple of years to find the hacker behind the Vastaamo cyber attack. They knew too that he had been waiting for news of this arrest for months – ever since he had identified Kivimäki as the prime suspect and arranged for him to be remanded ‘in absentia’ on 27 October 2022.

That notice released by Helsinki District Court had been the biggest talking point of the cyber world at the time. It read: ‘A European arrest warrant has been issued against the suspect. He can be arrested abroad under this warrant. After that the police will request his surrender to Finland. An Interpol notice will also be issued against the suspect, who is a Finnish citizen and about 25 years of age.’

The reason it sparked so much interest was simple: the Vastaamo cyber attack of October 2020 was one of the most impactful and cruel hacks in history – and remains so to this day. Not only did it affect 33,000 innocent and vulnerable people, including children, it exposed them to the most grotesque form of blackmail, with their therapy notes used as a bargaining chip and then callously published online for the world to see. It also destroyed a growing Finnish company that had been doing important work in mental health. Even grizzled cyber professionals who thought they’d seen it all were stunned by the incident and desperate to see the criminal brought to justice.

Although the police didn’t initially name the twenty-five-year-old suspect, they didn’t need to. Kivimäki AKA The Untouchable Hacker God AKA Zeekill AKA Ryan was a notorious figure with a long history of causing cyber chaos. Marko and his team had been certain he would eventually be found, but they had been forced to put their faith in the ability of foreign police forces to see through Kivimäki’s bank of false identities. They couldn’t believe their luck when the call came in from France so quickly.

Messages of congratulation came flooding into the Helsinki Cybercrime Centre from other police forces around the world. ‘Everyone was rooting for us to get Kivimäki,’ Marko recalls. He cancelled all of his other case work and scrambled a team to go to France and bring the fugitive back to Finland. They would do the lengthy and complex paperwork needed to organise the extradition while Marko and his detectives would begin working towards the most important trial of their careers and the biggest criminal case in Finland’s history. No expense or police officer’s time was spared. Everyone wanted to see justice done.

The anger felt by the police towards this young man long predated the Vastaamo hack. His chosen alias of The Untouchable Hacker God was all too appropriate. Kivimäki had been on the force’s radar for more than ten years. He had been a serial offender since the age of thirteen. With a click of his mouse he had repeatedly disrupted the lives of millions of people and done profound harm to some individuals too. But until now he’d largely got away with it. Not only that, he had bragged about his crimes and taunted the police for years in social media posts and press interviews. This was their chance to right a wrong and put him behind bars.

A couple of days after Kivimäki’s extradition from France came his opening interrogation. Seeing his quarry for the first time face to face, Marko Leponen was surprised by how polite and cooperative he was. But the interview was also extremely tense. It took place in a small room with Marko and three fellow officers facing off against Kivimäki and his lawyer. The detective had prepared for this moment mentally and been willing it to happen for months, but was still amazed that they finally had Kivimäki in custody. He could sense Kivimäki found it all strange too. ‘It was very surreal.’

There’s always a huge amount riding on the first interrogation of a suspect. For the detectives it is less about extracting evidence and more about building a workable connection and relationship with the accused. For that reason, Marko himself took the decision to leave the room after the first introductions had been made. He knew that he had a slim chance of building any rapport with Kivimäki because the hacker saw him as the agent of his doom; it was Marko who had been the figurehead of the Vastaamo investigation and who had arranged for him to be arrested in absentia. It was a good decision. One of his fellow detectives built up a strong connection with Kivimäki from the off. Over the course of the next eight months, that’s how it worked: Marko would stay out of the room unless he was needed for a specific topic and would instead receive detailed feedback on each interview from his officers and via the recorded tapes.

The detectives called Kivimäki in from his prison cell for interviews around a dozen times, sometimes questioning him for eight hours in a day as they tried to break through his guard and find the truth. He was always polite and cooperative, but also wily and careful. He liked to talk. He seemed to enjoy discussing everything cyber and computers – but only on his terms. He had a very good memory for detail until it came to anything potentially incriminating – for example, how much money he had amassed in bitcoin. ‘I can’t remember’ or ‘I can’t answer that’ were his responses when Marko or others tried to press him on important details.

Marko could never work out who the real Kivimäki was under that politeness. He would skirt around subjects and avoid any outright lies with clever turns of phrase. Working out how Kivimäki answered became more important than what he actually said. Detectives slowly identified a pattern to his evasive language that helped them gain clues about what he was – and wasn’t – lying about.

Another thing gradually became clear in Marko’s mind: Kivimäki would never admit that he had committed the crime. No matter how solid the case was against him or how strong the evidence, he would never confess. And the evidence was extremely compelling thanks in large part to the way events had played out over the three chaotic days in October 2020 when the Vastaamo hack became public and shocked the world.

2

Ransom_man strikes

October 2020

The post landed on the anonymous Finnish website Ylilauta at just after 2 a.m. on Wednesday 21 October 2020. The user ID was 114398433 – a jumble of random numbers assigned by the message board site. But the poster would quickly become known as ‘ransom_man’. He posted in English:

Hello Finnish colleagues,

We have hacked the psychotherapy clinic ‘vastaamo.fi’ and taken tens of thousands of patient records including extremely sensitive session notes and social security numbers. We requested a small payment of 40 bitcoins (nothing for a company with yearly revenues close to 20 million euros), but the CEO has stopped responding to our emails. We are now starting to gradually release their patient records, 100 entries every day.

You can view the data at http://3wnug3445ja7qj47.onion.pet/

Enjoy!

Press contact: [email protected]

Vastaamo’s name was instantly recognisable to Finns as a safe and reliable place to go to for mental health support. It was Finland’s largest commercial therapy provider and one of the crown jewels of the country’s home-grown social enterprise start-ups. The company was launched in 2009 to address the shortage of mental health provision in Finland and had become extremely popular and successful. Its bright green speech bubble logo began popping up on buildings in towns and cities across the country and it grew fast to become a recognised and trusted brand. By 2020 Vastaamo had clinics in twenty-seven locations across the small nation and employed 300 people – mostly psychotherapists, psychologists and psychiatrists. As well as offering fast appointment booking and online therapy, the company provided free online services to promote mental health and prevent mental health problems, which were used annually by more than half a million Finns.

So anyone who happened to be online when ransom_man posted his threat about publishing Vastaamo’s data would instantly have felt the hairs rise on the back of their neck. If they’d clicked on ransom_man’s link they would have seen the innermost secrets of one hundred Vastaamo patients laid bare: multiple note entries written by therapists detailing the intimate struggles of their clients, alongside the patients’ phone numbers, social security numbers and email addresses, all readable in plain text. And according to ransom_man, this was just the start.

It’s not clear what sort of response the criminal was hoping for by posting his threat. Perhaps a hero’s welcome. Or digital high fives. Or shocked excitement. He got none of it. Just forty-five seconds later an anonymous user replied to his thread: ‘Go to shower, sleep and work in the morning. Oh and KYS.’

KYS is the internet acronym for ‘kill yourself’. It’s reserved for the nastiest responses on the chaotic Ylilauta message threads. It’s a site where almost anything goes but even still, ransom_man must have been taken aback.

Ylilauta is a Finnish-language copy of the notorious international online cesspit 4chan – a site famous for purveying some of the most heinous and offensive conspiracy theories of recent times thanks to its almost non-existent moderation. The Finnish site calls itself an image board but most of the content is just text. People start a conversation thread and hundreds more chime in, in Finnish or English.

Somehow it’s one of the most popular websites in Finland. According to the people behind it, it gets around 100 million page views a month from a dedicated 2.5 million visitors, most of whom are based in Finland. Huge for such a small country. But I would guess those numbers are over generous. Its homepage proudly states it is a ‘privacy-oriented anonymous discussion board where you are free to discuss almost anything’. Sending messages requires neither registration nor a username.

‘The tone on Ylilauta, as also in 4chan, is irreverent, mock-everything, everything is ironic and I am a cool edge-lord above caring,’ says Finnish Urban Philosophy Professor Veikko Eranti in a research paper about the website.[1] Analysis suggests most of the site’s users are young, male and often leaning to the alt-right in politics. According to Eranti’s research, race, sexual assault and immigration are common themes of discussion. Users like to split the world into ‘us’ and the ‘normies’. If you’re an outsider then you must be a ‘hippie’ or a ‘feminazi’. A scan of the homepage at the time of writing this book gives an idea of the sort of content and discussion points you can find there: homophobic slurs, transphobic labels, stories about being bullied or depressed and many, many Pepe the Frog cartoons (Pepe is commonly used by the alt-right or antagonistic trolls). According to a study commissioned by the Finnish government, which took a two-month snapshot of internet usage in 2021, Ylilauta was responsible for the most hate speech across all message boards and social media in the country.[2] Of the 300,000 examples of hate speech recorded, 285,000 – or 96 per cent – of the messages were on the site.

So you’d think ransom_man’s bombshell hack would have gone down well with such an anarchic community. But post after post showed that stealing the psychotherapy notes of tens of thousands of mental health patients and publishing them online was a bridge too far even for Ylilauta users. Comments cascaded under ransom_man’s post in a mixture of Finnish and English.

‘You could’ve done anything with your life and you hacked a psychotherapy clinic and posted about it on a Finnish forum for frogs. Look at your life and how pathetic it is.’

‘Hide all the contact information posts, I’m not fucking interested in anyone’s problems.’

‘This is sensitive information for those concerned. It would piss me off if my name popped up.’

As the thread gained traction, people joined in their droves to have their say and ask questions. A few minutes into the discussion, one user posted a picture of a screaming white cat accompanied by a bizarre message in capital letters – ‘ALERT WARNING ALERT WARNING ALERT WARNING’ – and some nonsensical conspiracy theory about false flags and the media. No one seemed to pay any attention to it, brushing the post off as a case of so-called ‘shitposting’ – the practice of trying to derail the conversation thread with nonsense content.

Ransom_man tried to keep his cool and get the conversation back to his hack. He posted more information, including a screen-shot of his failed negotiations with Ville Tapio, the boss of Vastaamo. ‘This is how the CEO of the company feels about protecting their patient data’, he wrote.

But it backfired instantly: ‘How big a spinner do you have to be to demand a €400k ransom for something like this? Nobody would pay that,’ came one of the responses.

The thread descended into a mixture of aggressive insults hurled at the hacker and the usual stream of random stuff that people post to get attention. The forum’s users fired off critical questions asking ransom_man why he would blackmail an innocent CEO, challenging his research into Vastaamo’s finances, arguing that he didn’t know the difference between a company’s turnover and profit. Ransom_man replied with the firm’s public financial records in an attempt to win the respect of the baying online mob. He was met with insults: one user called him a ‘Grade A low-level asshole’; another dismissed him as a ‘script kiddie’ – the ultimate insult to a hacker. It implies that the hacker has made use of pre-written off-the-shelf ‘scripts’ and is not talented enough to write their own hacking programmes.

Looking now at the hundreds of interactions between the hacker and his uncooperative audience, it’s almost amusing to see the disdain that the Ylilauta users have for him and his need for recognition. Almost amusing, until you remember what is at stake here – the highly sensitive therapy records of tens of thousands of innocent and vulnerable people. Amongst all the mayhem there were a small number of users who seemed genuinely worried. ‘These are my infos mate, please can you delete them?’ one person pleaded.

Eventually people started reporting ransom_man’s post for being evidence of criminal activity and soon the moderators of Ylilauta deleted his thread. But there was another site with fewer qualms about illegal activity.

Torilauta means ‘market board’ in Finnish. Before the Finnish-language site was shut down later in 2020, it was the go-to place for buying and selling illegal goods like drugs. It was a so-called ‘darknet’ website, housed on a part of the internet that is far off the beaten track of Google, Facebook and other mainstream sites. The darknet is the portion of the internet that can only be accessed through specialist software that protects a user’s identity, concealing their true location by sending their internet traffic through a series of relays placed around the world, each of which can see only the hop before it and the hop after it. One such software package is called The Onion Router (Tor), and it’s true that peeling back its layers of protection to find the real person surfing the darknet requires a complex and eye-watering amount of work. Interestingly, Tor grew out of onion-routing research at the US government’s Naval Research Laboratory and was first deployed in 2002 to allow US spies to use the internet without risk of identification. They needed to spread the software far and wide to make it a truly effective way for spooks to carry out their work around the world, so they gave the technology away and have continued to fund its development through the nonprofit Tor Project. Tor has been used by privacy nerds, activists and whistleblowers ever since. But it’s also been a gift that keeps on giving for all sorts of criminals who use it to remain anonymous while launching websites selling all manner of illegal products and services.
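The ‘layers’ that give The Onion Router its name are easier to see in code than in prose. The Python sketch below is an added example and is not from the book or from the Tor Project: the three relay names, their keys, the destination name, the message and the toy cipher (a SHA-256 keystream XORed under a fresh nonce) are all assumptions made for the demonstration, and the real Tor protocol negotiates a separate session key with each relay and uses AES rather than this stand-in. What the sketch does show faithfully is the property the paragraph describes: the client wraps its message once per relay, and each relay can remove only its own layer, so it learns the next hop and nothing else.

```python
from __future__ import annotations

import hashlib
import os

# Toy onion routing. The cipher here is a teaching stand-in, not Tor's:
# SHA-256(key || nonce || counter) blocks XORed with the data.
NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Deterministic keystream derived from key, nonce and a block counter."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_layer(key: bytes, plaintext: bytes) -> bytes:
    """Add one layer; output is nonce || ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt_layer(key: bytes, blob: bytes) -> bytes:
    """Remove one layer (inverse of encrypt_layer)."""
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def build_onion(circuit: list[tuple[str, bytes]], destination: str, message: bytes) -> bytes:
    """Client side: wrap the message once per relay, innermost (exit) layer first.

    Each layer carries only the name of the *next* hop, so a relay that peels
    its layer learns where to forward the cell but not the original sender
    (unless it is the entry relay) or the final destination (unless it is the
    exit relay).
    """
    next_hop = destination
    payload = message
    for name, key in reversed(circuit):
        header = bytes([len(next_hop)]) + next_hop.encode()
        payload = encrypt_layer(key, header + payload)
        next_hop = name
    return payload


def peel(key: bytes, blob: bytes) -> tuple[str, bytes]:
    """Relay side: strip this relay's layer, return (next_hop, inner_payload)."""
    inner = decrypt_layer(key, blob)
    name_len = inner[0]
    next_hop = inner[1:1 + name_len].decode()
    return next_hop, inner[1 + name_len:]


def route(circuit: list[tuple[str, bytes]], onion: bytes) -> tuple[list[tuple[str, str]], bytes]:
    """Simulate the circuit: each relay peels one layer and forwards the rest.

    Returns what each relay observed (its own name and the hop it forwards to)
    and the plaintext the final destination receives.
    """
    observed = []
    blob = onion
    for name, key in circuit:
        next_hop, blob = peel(key, blob)
        observed.append((name, next_hop))
    return observed, blob


# Constructed three-hop circuit; relay names and 32-byte keys are made up.
CIRCUIT = [
    ("entry-relay", b"\x01" * 32),
    ("middle-relay", b"\x02" * 32),
    ("exit-relay", b"\x03" * 32),
]
DESTINATION = "example.onion"          # assumed destination name
MESSAGE = b"hello from the client"     # constructed sample message


def demo() -> tuple[list[tuple[str, str]], bytes]:
    """Build an onion for CIRCUIT and run it through the relays."""
    onion = build_onion(CIRCUIT, DESTINATION, MESSAGE)
    return route(CIRCUIT, onion)


if __name__ == "__main__":
    hops, plaintext = demo()
    for relay, nxt in hops:
        print(f"{relay:13s} sees only: forward to {nxt}")
    print("exit delivers:", plaintext)
```

Running the sketch prints one line per relay. The entry relay knows it is talking to the client and that the next hop is the middle relay; the middle relay knows only its neighbours on either side; the exit relay sees the destination and the plaintext but not who sent it. ‘Peeling back the layers’ to identify the user means compromising or correlating traffic at enough of those relays at once, which is why it is so much work.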

Cyber criminals especially love the darknet. They routinely use it to leak, sell and extort their stolen data. Established cybercrime gangs maintain their own darknet ‘leak sites’ that they use to name and shame organisations they’ve hacked into. Once the hackers get inside an organisation they’ll poke and prod around its computer network looking for valuable or incriminating data to download. Customer records or sensitive internal documents are always seized upon as they can be used as bargaining chips in the forthcoming negotiation. Sometimes the hackers will install malicious software called ransomware to scramble the company’s data and make it unreadable and useless. This can often plunge modern companies back to the dark ages of using pen and paper to carry out everyday business. The hackers usually direct the victim to their darknet leak site – sometimes with a sinister note that flashes up on staff computer screens. On these sites, they begin the extortion. Small samples of the stolen data are shared next to an organisation’s logo and a big red countdown timer ticks away to pile on the pressure. If the victim doesn’t pay the ransom (normally in bitcoin) within the set time frame, then the hackers will publish all the data to the darknet leak site and refuse to provide the digital antidote to the ransomware poison that has scrambled the data. To pay or not to pay – that is the question so many companies around the world are faced with when they are hit by these cyber attacks.

It’s all part of the everyday extortion tactics used by organised cybercrime groups. And it works. According to cybersecurity company Sophos, 46 per cent of victim organisations paid a ransom to hackers in 2023,3 with a median payment of around $400,000 (so ransom_man had obviously done his research). The ones who don’t pay have to live with the inevitable embarrassment, commercial impact and potential litigation as their details are published for all to see on the darknet leak site. The leak sites of the most prolific gangs have hundreds of victims all displayed in rows like gravestones. Not only are they free to access for other criminals, or nosy sleuths, they often come with a click number showing exactly how many times the data has been ogled over.

These gangs can be as bold and arrogant as they like on their darknet sites as there’s not much the police can do to shut them down quickly: a Tor site has no public address to seize, so taking one down means locating the servers behind it, which usually takes a lengthy international operation.

Ransom_man didn’t have his own darknet website on which to leak and publicise the Vastaamo hack, but he correctly guessed that Torilauta was the next best thing. The site’s administrators didn’t give a damn about the illegality or immorality of his posts and happily kept his thread alive. Interestingly though, the users of Torilauta were equally as unfriendly to him as the Ylilauta community had been. ‘What is this bullshit?’ came the first response. ‘Hopefully you kill yourself one day,’ someone else replied. ‘There is plenty of room behind the sauna for guys like you,’ wrote another, referencing a Finnish euphemism used when taking animals for slaughter on a farm.

So even on a criminal darknet forum, ransom_man got a tough reception. But none of this seemed to bother him. This was never about winning favour with fellow miscreants online. Causing a monumental stink and getting attention was the plan. He wanted his threats known far and wide. He wanted to cause panic and force the otherwise uncooperative Vastaamo executives to crack and pay his ransom. Notice, for example, that he included a press contact email address at the bottom of his announcement. He wanted his extortion to make headlines. And within hours of posting on Ylilauta, Torilauta and a Finnish section of the mainstream social site Reddit, he’d succeeded.

Every newsroom in Finland scrambled to cover the story. A day later when, true to his threat, he released another hundred patient records, the outcry went international. BBC News, CNN, the Guardian, Associated Press, Wired, the Financial Times and many others began covering the situation. This second leak came at around 1 a.m. on 22 October. Posted under the username ‘ransom_manHIbGCf’, it read: ‘We have still not heard back from the company, so we have released 100 more records.’

Another file – a letter – was also added to the website under the name ‘000readme.txt’. In it once again ransom_man tried to put pressure on Vastaamo’s CEO Ville Tapio to pay: ‘We’re not asking for much,’ it said. ‘Approximately 450,000 euros which is less than 10 euros per patient.’ (The maths here is a bit confusing to read after the fact: in the end the total number of victims was around 33,000, but at this stage ransom_man and everyone looking at the breach had overestimated the numbers as being more like 45,000.)

There were now 200 therapy patients who had had their innermost secrets published online. Reading their records was as easy as loading up the Tor browser and typing in ransom_man’s address. And many people did. Some users of Twitter (as the site was then called) ran a live thread about the situation, adding new tweets every time the story developed. It became clear that these first patients had not been chosen at random. They weren’t just scraped from the top of the pile or scooped up alphabetically. The hacker had handpicked the most salacious and dramatic ones to inflict the most harm possible. Some of the patients were children.

On the Torilauta thread, some people started getting worried about their own privacy. One Vastaamo patient offered to pay ransom_man privately to delete their records. Ransom_man agreed, demanding $600 in bitcoin. It’s not known if the money was sent. Another user begged him to delete their patient notes, sharing on the public message board: ‘I have discussed with my therapist very private things and will literally kill myself if they are released.’ Ransom_man didn’t reply.

By now police and appalled cybersecurity experts from all over the world were investigating the hack and logging every move ransom_man made. Many began scratching their heads about his strange behaviour. Hand-picking patient records and choosing the worst ones was cruel and unusual – but it was also very time-consuming. Not at all the sort of thing you’d expect from a well-drilled and dispassionate hacking gang who would usually try the quickest and easiest methods of extortion and move on to the next victim if they weren’t getting their own way.

Like clockwork, ransom_man posted again the next day – 23 October – just after midnight. Clearly getting angry that his plan wasn’t working, he posted the Vastaamo CEO’s home address alongside the next one hundred patient records. One onlooker on the Torilauta thread asked him if there were any politicians or celebrities in the published files. Ransom_man replied with a screenshot of the email addresses of six Finnish police officers. ‘Hehe,’ he wrote.

But later that night, at around 2 a.m., he made possibly the biggest blunder in the history of cybercrime.

#

Mikko Hypponen is the most famous cybersecurity expert in Finland and well known around the world. He’s given three extremely popular TED Talks and is a major social media influencer with 230,000 followers on X. His posts and analysis on cyber issues reach global audiences. With his distinctive long blond ponytail and thin-rimmed glasses, he is the face of global cybersecurity company WithSecure – one of Finland’s most successful tech firms. So naturally, when the Vastaamo hack kicked off in his native country, his phone blew up. In his semi-autobiographical book If It’s Smart It’s Vulnerable, he recounts those manic days of never-ending phone calls and press appearances. News organisations around the world and friends of friends in Finland begged to get time with him.

On that third day, Friday 23 October, he was in the green room waiting area at Finnish TV channel MTV preparing to go on set. Overnight ransom_man had published his third batch of records and people were getting extremely anxious. The news team wanted to ask Mikko what victims could do, if anything, to stop their deepest and darkest secrets from being exposed on the internet. Before his slot on the news show at 7.20 a.m. Mikko logged onto ransom_man’s Tor server from his iPad and found the latest folder of a hundred more victims. But he was also surprised to see a new file called ‘vastaamo.tar’.

A ‘tar’ file is an archive that bundles lots of other files into one, like a zip folder but without compression: each file simply follows the last behind a short header, so even a partial copy of a tar file still yields whatever files come before the point where a download stopped. What caught Mikko’s attention was the size of this new file. Up to that point, the attacker had only been sharing text files of less than 100 kilobytes (KB) in size but the vastaamo.tar file was a massive 10.9 gigabytes (GB). Mikko was called onto the television set before he had a chance to delve any deeper. But all the time he was being interviewed by the concerned news presenters he was desperate to investigate and discover what the huge file could contain. What new devilry could ransom_man be up to? By the time he got back online to check the Tor link again, the file was gone. In fact, no one was able to connect to any of ransom_man’s files at all after 11.45 a.m. when everything mysteriously went offline.

However, some fast-fingered people lurking on the Torilauta forum had been able to download some of it. They were surprised by what they found. After uploading the latest batch of a hundred patient records, ransom_man had helpfully put all three of the released batches into one file for easy referencing. ‘There’s a vastaamo.tar in the directory that you can use for a bulk download,’ he said, adding a download link. But instead of only uploading the 300 patient records he had accidentally uploaded the entire stolen Vastaamo database.

Ransom_man’s next (and last) post on the forum came eight hours later, presumably after a monumental bout of self-flagellation:

whoopsie :D

enjoy big tar

But his flippant post belies just how bad this was for him. Not only had he accidentally given away all his bargaining chips, he’d also inadvertently handed over a treasure trove of clues about himself to investigators. He had uploaded the entire home directory of his computer. It was like forwarding someone your entire email inbox and all the files and folders on your desktop instead of just the one email you wanted to share.

‘It contained information the attacker absolutely did not want to publish: server user logs, passwords, source codes,’ Mikko recalls. Vastaamo.tar included several leads and usable evidence, which made it far more likely that the hacker would be caught.

Ransom_man had one piece of luck though: his Tor server had run out of storage space so the tar file was only downloadable for one hour and forty-one minutes until the darknet website stopped working. Connecting to websites and servers via the darknet is very slow because of the way users’ traffic is bounced around various parts of the world to obscure the origin of senders and receivers; a connection to a Tor hidden site like ransom_man’s passes through six relays, three chosen by the visitor and three by the site. With increased privacy comes what can often be a painfully slow connection. Think about the early days of the internet when it could take a full minute to load up a page. On the darknet, that’s not an uncommon experience, so very few people, if any, actually managed to download the entire 10.9GB folder.

On the Torilauta thread one person said they’d only had time to download 1GB. Another said they had grabbed a paltry 16 megabytes (MB). Unfortunately for Vastaamo’s victims, the patient data was contained in the first portion of the folder and, as it was only in the form of text files, it was relatively quick to download. If you’d managed to grab more than 500MB, you would have the full patient notes of all the victims. For investigators – and there were a lot of them in both the public and private sector at this stage – getting hold of as much of the tar archive as possible became the focus.
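Why a 1GB or even 16MB fragment of a 10.9GB tar file was still useful, and how investigators could inventory such a fragment for leads without opening the patient records, is easier to see in code. The block below is an added illustration, not part of the book and not a tool used by Nixu, the police or anyone else in the story. It builds a small constructed archive (no real data) laid out the way the text describes vastaamo.tar, records first and a large member last, cuts the download short, and then walks the fragment with a minimal reader for tar’s 512-byte headers. The path names, the `home/leak/` prefix for the records and the list of ‘lead’ file names are all assumptions made for the example.

```python
import io
import tarfile

BLOCK = 512  # tar's unit: a 512-byte header, then the body padded to a multiple of 512


def build_constructed_archive() -> bytes:
    """Constructed stand-in for vastaamo.tar (no real data). Layout mirrors the text:
    the leaked records come first, then ordinary home-directory files, then one
    large member at the end that a slow download would never finish."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        def add(name: str, body: bytes) -> None:
            info = tarfile.TarInfo(name)      # assumed path names, see lead-in
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))

        for i in (1, 2, 3):
            add(f"home/leak/batch{i}/record.txt", f"constructed record {i}\n".encode())
        add("home/.bash_history", b"constructed shell history\n")
        add("home/srv/access.log", b"constructed server log line\n")
        add("home/backup/disk.img", bytes(512 * 1024))  # 512 KiB, mostly lost to the cut
    return buf.getvalue()


def walk_partial_tar(data: bytes):
    """Yield (name, typeflag, size, complete, body) for every member whose header
    survives in a possibly truncated archive. Because tar is sequential, members
    before the cut are intact; only the member straddling the cut is partial.
    Header checksums and pax/GNU extension headers are deliberately not handled."""
    off = 0
    while off + BLOCK <= len(data):
        hdr = data[off:off + BLOCK]
        if hdr == b"\0" * BLOCK:
            break  # end-of-archive marker
        name = hdr[0:100].split(b"\0", 1)[0].decode("utf-8", "replace")
        size = int(hdr[124:136].split(b"\0", 1)[0].strip() or b"0", 8)  # octal field
        typeflag = hdr[156:157].decode("ascii", "replace") or "0"
        start = off + BLOCK
        end = start + size
        complete = end <= len(data)
        yield name, typeflag, size, complete, data[start:min(end, len(data))]
        off = start + ((size + BLOCK - 1) // BLOCK) * BLOCK


# Assumed markers for files that point back at the operator rather than the victim.
LEAD_MARKERS = (".bash_history", ".ssh/", ".log", ".env", "config", "id_rsa")


def triage_partial_archive(data: bytes, records_prefix: str = "home/leak/"):
    """Inventory a (partial) archive by name only. Members under records_prefix are
    counted but their bodies are never returned; complete members elsewhere whose
    names suggest an investigative lead are collected with their contents."""
    inventory = []     # (name, size, complete) for every regular file seen
    record_count = 0
    leads = {}         # name -> body, only for complete members outside the record tree
    for name, typeflag, size, complete, body in walk_partial_tar(data):
        if typeflag != "0":
            continue   # skip directories, links and other non-file entries
        inventory.append((name, size, complete))
        if name.startswith(records_prefix):
            record_count += 1          # counted, never read
        elif complete and any(m in name for m in LEAD_MARKERS):
            leads[name] = body
    return inventory, record_count, leads


def truncate(data: bytes, keep: int) -> bytes:
    """Simulate a download that stopped after `keep` bytes."""
    return data[:keep]


if __name__ == "__main__":
    full = build_constructed_archive()
    partial = truncate(full, 8 * 1024)   # cut inside the last, large member
    inventory, records, leads = triage_partial_archive(partial)
    for name, size, complete in inventory:
        print(f"{'ok ' if complete else 'cut'} {size:>7}  {name}")
    print(f"records inventoried (not read): {records}")
    print("leads recovered:", sorted(leads))
```

Run stand-alone, the script shows every small member reported intact and only the final large one marked as cut, which is the whole point of the text: whoever grabbed the first few hundred megabytes had everything that mattered, and the fragments Nixu and the police held were enough to start pulling on threads. A production triage tool would additionally verify each header’s checksum and understand pax and GNU long-name extension headers, which this reader omits for brevity.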

Mikko’s firm, WithSecure, took an early decision not to download any of the ransom_man data. The company’s Head of IT Security put out a notice to staff explicitly telling them not to access or save the files even though they were obviously professionally curious. This prohibition was made out of an abundance of caution both legally and morally, but in retrospect, Mikko thinks it was a mistake. They should have gathered as much evidence as they could to help search for answers about the hack while also ensuring that none of the patient data was ever accessed internally.

But there was another company that had quietly been investigating the Vastaamo hack long before it had hit the newsfeeds and they’d been patiently watching, waiting and hoping that ransom_man would slip up.

#

Antti Kurittu didn’t believe it at first. He was sitting in front of his computer with his first cup of coffee of the day and easing himself into the cold and dark Helsinki morning when he saw the torrent of emails from colleagues. With his large curly auburn beard and bald head, Antti looks like he should be sailing the seas as a Scandi Viking, but he’s far more comfortable, and equally formidable, in front of a PC as a cyber expert. Skim-reading the messages, he saw that his team at cybersecurity company Nixu were celebrating: ransom_man had messed up big time. Three days earlier they had set up an automatic scraper bot to check every hour for any new posts or file uploads from ransom_man and download them just in case something like this happened. While the team had been asleep, their bot had diligently slurped up as much of the data as it could before the server went down: around 1.1GB of the 10.9GB folder. It doesn’t sound like a lot but it’s one of the largest publicly known copies of vastaamo.tar. The police got a smidge more at 1.2GB. And the largest came in at 2.1GB, which was handed to police by an unnamed person or organisation who presumably had a rapid internet connection – and a lot of luck.

‘What the fuck!’ Antti said out loud through hurried slurps of his coffee as he clicked and scrolled his way through the tar folders. The jokes and memes flowed between his team chats as the rest of the experts celebrated a rare moment of utter stupidity from an otherwise calculating cyber criminal. More and more nuggets of gold were unearthed in the data and shared amongst the team with theories beginning to emerge about what the information could tell them about who ransom_man was.

But Antti has been investigating cybercrime long enough to be suspicious. Of EVERYTHING. He had a nagging feeling that it was all too good to be true. Slick cyber criminals can run for years fully in the public eye without ever giving away a crumb of evidence as to their locations or identities. Could this be some sort of diversion tactic or a plant to throw them off the real trail?

Such doubts, however, were slowly dissolved throughout the day as he and his team took a deep dive into vastaamo.tar. There were so many breadcrumbs leading to so many clues that this couldn’t have been deliberate. ‘The more I looked into it, the more it looked like a deliciously horrible OpSec failure,’ he says. (OpSec is shorthand for Operational Security, which in the context of cybercrime boils down to the art of staying anonymous and therefore off the authorities’ radar.)

Ransom_man had made a major OpSec mistake just three days into his public Vastaamo extortion, and had so far not made a penny for his troubles. Antti had been hoping that the criminal or criminals would mess up and was over the moon that he and his team were ready to capitalise when they did: ‘I’ve always said that OpSec isn’t hard – it’s impossible, everyone makes mistakes.’ But even Antti had never imagined such a magnificent self-own from the hacker.

So how was it that Antti and his team were so well prepared and in the know about the hack? Well, while the cyber world, and especially the general public, had been stunned by the unfolding Vastaamo extortion, Antti had quietly been expecting it, and dreading it. His firm had been called in by Vastaamo weeks earlier, when ransom_man had first started trying to blackmail the company directly over email. While the company executives tried to stall for time, Nixu’s incident response team had been investigating how the data was stolen, whether the criminal was telling the truth about how much patient data he had, and how they could stop any further attacks.

It was on 28 September, three weeks before ransom_man published his threats online that Ville Tapio, the CEO of Vastaamo, had received the first email from the hacker. It had been a busy Monday full of meetings and Ville saw the email in the evening as he sat down to relax. As CEO of a famous company, he was used to getting spam but immediately he knew this email was different. The message was mostly written in English with some broken Finnish at the top saying: ‘Good day. I’m a hacker. I have copied the Vastaamo database.’ Then it read:

I have attached a small sample of your patient database to this email. If you reply within the next 6 hours we are prepared to offer you a very special discount. Any price you’ll pay us will be small compared to the damage that would be inflicted to your business if we release this information on the internet. We have over a gigabyte of your most sensitive patient data.

If you have any questions or difficulty understanding what’s happening, I’m here to help.

The email was sent not just to Ville but to the two IT executives listed on the company website. Both had also seen the email and were already investigating. Ville ordered them to come to his house urgently for a meeting. Over pizza they discussed the situation and confirmed that the sample of data attached to the hacker’s email was genuine. The next day, as Ville and the pair worked out what to do and how to respond, they also started looking for answers as to how the breach had happened but couldn’t work it out. Then, when the hacker sent another email urging them to reply, Ville called Antti Kurittu and the team at Nixu to begin a deep search of Vastaamo’s activity logs to find out how the hacker had got in.