{"id":21162,"date":"2023-02-05T10:17:01","date_gmt":"2023-02-05T18:17:01","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2023\/02\/05\/news-14894\/"},"modified":"2023-02-05T10:17:01","modified_gmt":"2023-02-05T18:17:01","slug":"news-14894","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2023\/02\/05\/news-14894\/","title":{"rendered":"Finland&#8217;s Most-Wanted Hacker Nabbed in France"},"content":{"rendered":"<p><strong>Credit to Author: BrianKrebs| Date: Sun, 05 Feb 2023 16:14:13 +0000<\/strong><\/p>\n<p><strong>Julius &#8220;Zeekill&#8221; Kivim\u00e4ki,<\/strong> a 25-year-old Finnish man charged with extorting a local online psychotherapy practice and leaking therapy notes for more than 22,000 patients online, was arrested this week in France. A notorious hacker convicted of perpetrating tens of thousands of cybercrimes, Kivim\u00e4ki had been in hiding since October 2022, when he failed to show up in court and Finland issued an international warrant for his arrest.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-61773\" src=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2022\/11\/kikmaki-wanted.png\" alt=\"\" width=\"2936\" height=\"1398\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2022\/11\/kikmaki-wanted.png 2936w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2022\/11\/kikmaki-wanted-768x366.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2022\/11\/kikmaki-wanted-1536x731.png 1536w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2022\/11\/kikmaki-wanted-2048x975.png 2048w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2022\/11\/kikmaki-wanted-782x372.png 782w\" sizes=\"auto, (max-width: 2936px) 100vw, 2936px\" \/><\/p>\n<p>In late October 2022, Kivim\u00e4ki was charged (and &#8220;arrested in absentia,&#8221; according to the Finns) with attempting to extort money from the<strong>\u00a0Vastaamo Psychotherapy 
Center<\/strong>. In that breach, which occurred in October 2020, a hacker using the handle &#8220;Ransom Man&#8221; threatened to publish patient psychotherapy notes if Vastaamo did not pay a six-figure ransom demand.<\/p>\n<p>Vastaamo refused, so Ransom Man shifted to extorting individual patients &#8212; sending them targeted emails threatening to publish their therapy notes unless paid a 500-euro ransom.<\/p>\n<p>When Ransom Man found little success extorting patients directly, they uploaded to the dark web a large compressed file containing all of the stolen Vastaamo patient records.<\/p>\n<p>But as <a href=\"https:\/\/krebsonsecurity.com\/2022\/11\/hacker-charged-with-extorting-online-psychotherapy-service\/\" target=\"_blank\" rel=\"noopener\">documented by KrebsOnSecurity in November 2022<\/a>, security experts soon discovered Ransom Man had mistakenly included an entire copy of their home folder, where investigators found many clues pointing to Kivim\u00e4ki&#8217;s involvement. From that story:<\/p>\n<p>&#8220;Among those who grabbed a copy of the database was <strong>Antti Kurittu<\/strong>, a team lead at\u00a0<strong>Nixu Corporation<\/strong> and a former criminal investigator. In 2013, Kurittu worked on an investigation involving Kivim\u00e4ki\u2019s use of the Zbot botnet, among other activities Kivim\u00e4ki engaged in as a member of the hacker group <a href=\"https:\/\/krebsonsecurity.com\/2015\/02\/webnic-registrar-blamed-for-hijack-of-lenovo-google-domains\/\" target=\"_blank\" rel=\"noopener\">Hack the Planet<\/a> (HTP).&#8221;<\/p>\n<p>\u201cIt was a huge opsec [operational security] fail, because they had a lot of stuff in there \u2014 including the user\u2019s private SSH folder, and a lot of known hosts that we could take a very good look at,\u201d Kurittu told KrebsOnSecurity, declining to discuss specifics of the evidence investigators seized. 
\u201cThere were also other projects and databases.\u201d<\/p>\n<p>According to the <a href=\"https:\/\/actu.fr\/ile-de-france\/courbevoie_92026\/courbevoie-appelee-pour-violences-conjugales-la-police-arrete-un-criminel-international_57121782.html\" target=\"_blank\" rel=\"noopener\">French news site actu.fr<\/a>, Kivim\u00e4ki was arrested around 7 a.m. on Feb. 3, after authorities in <a href=\"https:\/\/en.wikipedia.org\/wiki\/Courbevoie\" target=\"_blank\" rel=\"noopener\">Courbevoie<\/a> responded to a domestic violence report. Kivim\u00e4ki had been out earlier with a woman at a local nightclub, and later the two returned to her home but reportedly got into a heated argument.<\/p>\n<p>Police responding to the scene were admitted by another woman &#8212; possibly a roommate &#8212; and found the man inside still sleeping off a long night. When they roused him and asked for identification, the 6&#8242; 4&#8243; blonde, green-eyed man presented an ID that stated he was of Romanian nationality.<\/p>\n<p>The French police were doubtful. After consulting records on most-wanted criminals, they quickly identified the man as Kivim\u00e4ki and took him into custody.<span id=\"more-62563\"><\/span><\/p>\n<p>Kivim\u00e4ki initially gained notoriety as a self-professed member of the <a href=\"https:\/\/krebsonsecurity.com\/tag\/lizard-squad\/\" target=\"_blank\" rel=\"noopener\">Lizard Squad<\/a>, a mainly low-skilled hacker group that specialized in DDoS attacks. 
But American and Finnish investigators say Kivim\u00e4ki&#8217;s involvement in cybercrime dates back to at least 2008, when he was introduced to a founding member of what would soon become HTP.<\/p>\n<p>Finnish police said Kivim\u00e4ki also used the nicknames &#8220;Ryan&#8221;, &#8220;RyanC&#8221; and &#8220;Ryan Cleary&#8221; (Ryan Cleary was actually a member of a rival hacker group &#8212; <a href=\"https:\/\/en.wikipedia.org\/wiki\/LulzSec\" target=\"_blank\" rel=\"noopener\">LulzSec<\/a> &#8212; who was sentenced to prison for hacking).<\/p>\n<p>Kivim\u00e4ki and other HTP members were involved in mass-compromising web servers using known vulnerabilities, and by 2012 Kivim\u00e4ki&#8217;s alias Ryan Cleary was selling access to those servers in the form of a DDoS-for-hire service. Kivim\u00e4ki was 15 years old at the time.<\/p>\n<div id=\"attachment_62569\" style=\"width: 633px\" class=\"wp-caption aligncenter\"><img decoding=\"async\" aria-describedby=\"caption-attachment-62569\" loading=\"lazy\" class=\"size-full wp-image-62569\" src=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2023\/02\/ryancddos.png\" alt=\"\" width=\"623\" height=\"588\" \/><\/p>\n<p id=\"caption-attachment-62569\" class=\"wp-caption-text\">The DDoS-for-hire service allegedly operated by Kivim\u00e4ki in 2012.<\/p>\n<\/div>\n<p>In 2013, investigators going through devices seized from Kivim\u00e4ki found computer code that had been used to crack more than 60,000 web servers using a previously unknown vulnerability in <strong>Adobe&#8217;s ColdFusion<\/strong> software.<\/p>\n<p>KrebsOnSecurity detailed the work of HTP in September 2013, after the group <a href=\"https:\/\/krebsonsecurity.com\/2013\/09\/data-broker-giants-hacked-by-id-theft-service\/\" target=\"_blank\" rel=\"noopener\">compromised servers inside data brokers LexisNexis, Kroll, and Dun &amp; Bradstreet<\/a>.<\/p>\n<p>The group used the same ColdFusion flaws <a 
href=\"https:\/\/krebsonsecurity.com\/2013\/10\/data-broker-hackers-also-compromised-nw3c\/\" target=\"_blank\" rel=\"noopener\">to break into the National White Collar Crime Center (NW3C)<\/a>, a non-profit that provides research and investigative support to the <strong>U.S. Federal Bureau of Investigation<\/strong> (FBI).<\/p>\n<p>As KrebsOnSecurity reported at the time, this small ColdFusion botnet of data broker servers was being controlled by the same cybercriminals who&#8217;d assumed control over <strong>ssndob[.]ms<\/strong>, which operated one of the underground&#8217;s most reliable services for obtaining Social Security Numbers, dates of birth and credit file information on U.S. residents.<\/p>\n<p>Multiple law enforcement sources told KrebsOnSecurity that Kivim\u00e4ki was responsible for making <a href=\"http:\/\/www.forbes.com\/sites\/insertcoin\/2014\/08\/24\/sony-online-entertainment-presidents-flight-diverted-by-psn-hackers-bomb-threat\/\" target=\"_blank\" rel=\"noopener\">an August 2014 bomb threat<\/a>\u00a0against former\u00a0<strong>Sony Online Entertainment President John Smedley<\/strong> that grounded an American Airlines plane. That incident was widely reported to have started with a tweet from the Lizard Squad, but Smedley and others said it started with a call from Kivim\u00e4ki.<\/p>\n<p class=\"p1\">Kivim\u00e4ki\u00a0also was involved in calling in multiple fake bomb threats and \u201cswatting\u201d incidents \u2014 reporting fake hostage situations at an address to prompt a heavily armed police response to that location.<\/p>\n<p>Kivim\u00e4ki&#8217;s apparent indifference to hiding his tracks drew the interest of Finnish and American cybercrime investigators, and soon Finnish prosecutors charged him with an array of cybercrime violations. 
At trial, prosecutors presented evidence showing he&#8217;d used stolen credit cards to buy luxury goods and shop vouchers, and participated in a money laundering scheme that he used to fund a trip to Mexico.<\/p>\n<p>Kivim\u00e4ki was ultimately convicted of orchestrating more than 50,000 cybercrimes. But largely because he was still a minor at the time (17), he was given a 2-year suspended sentence and ordered to forfeit EUR 6,558.<\/p>\n<p>As <a href=\"https:\/\/krebsonsecurity.com\/2015\/07\/finnish-decision-is-win-for-internet-trolls\/\" target=\"_blank\" rel=\"noopener\">I wrote in 2015 following Kivim\u00e4ki&#8217;s trial<\/a>:<\/p>\n<blockquote>\n<p>&#8220;The danger in such a decision is that it emboldens young malicious hackers by reinforcing the already popular notion that there are no consequences for cybercrimes committed by individuals under the age of 18.<\/p>\n<p>Kivim\u00e4ki is now crowing about the sentence; he\u2019s changed the description on his Twitter profile to \u201cUntouchable hacker god.\u201d The Twitter account for the Lizard Squad tweeted the news of Kivim\u00e4ki\u2019s non-sentencing triumphantly: \u201cAll the people that said we would rot in prison don\u2019t want to comprehend what we\u2019ve been saying since the beginning, we have free passes.\u201d<\/p>\n<\/blockquote>\n<p>Something tells me Kivim\u00e4ki won&#8217;t get off so easily this time, assuming he is successfully extradited back to Finland. A statement by the Finnish police says they are seeking Kivim\u00e4ki&#8217;s extradition and that they expect the process to go smoothly.<\/p>\n<p>Kivim\u00e4ki could not be reached for comment. But he has been <a href=\"https:\/\/www.reddit.com\/user\/AleksanteriKivimaki\/\" target=\"_blank\" rel=\"noopener\">discussing his case on Reddit<\/a> using his legal first name &#8212; <strong>Aleksanteri<\/strong> (he stopped using his middle name Julius when he moved abroad several years ago). In a post dated Jan. 
31, 2022, Kivim\u00e4ki responded to another Finnish-speaking Reddit user who said they were a fugitive from justice.<\/p>\n<p>&#8220;Same thing,&#8221; Kivim\u00e4ki replied. &#8220;Shall we start some kind of club? A support organization for wanted persons?&#8221;<\/p>\n<p><a href=\"https:\/\/krebsonsecurity.com\/2023\/02\/finlands-most-wanted-hacker-nabbed-in-france\/\" target=\"bwo\" >https:\/\/krebsonsecurity.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2022\/11\/kikmaki-wanted.png\"\/><\/p>\n<p><strong>Credit to Author: BrianKrebs| Date: Sun, 05 Feb 2023 16:14:13 +0000<\/strong><\/p>\n<p>Julius &#8220;Zeekill&#8221; Kivim\u00e4ki, a 25-year-old Finnish man charged with extorting a local online psychotherapy practice and leaking therapy notes for more than 22,000 patients online, was arrested this week in France. A notorious hacker convicted of perpetrating tens of thousands of cybercrimes, Kivim\u00e4ki had been in hiding since October 2022, when he failed to show up in court and Finland issued an international warrant for his 
arrest.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10642],"tags":[28511,27899,28512,27900,12086,16696,28513,28514,27905],"class_list":["post-21162","post","type-post","status-publish","format-standard","hentry","category-independent","category-krebs","tag-antti-kurittu","tag-hack-the-planet","tag-htp","tag-julius-kivimaki","tag-lizard-squad","tag-neer-do-well-news","tag-ryan-cleary","tag-vastaamo-psychotherapy-center","tag-zeekill"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21162","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=21162"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21162\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=21162"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=21162"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=21162"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}