Darknet Diaries - 159: Vastaamo

Episode Date: June 3, 2025

Joe Tidy investigates what may be the cruelest and most disturbing cyber attack in history. A breach so invasive it blurred the line between digital crime and psychological torture. This story might make your skin crawl.

Get more from Joe: linktr.ee/joetidy.

Get the book Ctrl + Alt + Chaos: How Teenage Hackers Hijack the Internet (https://amzn.to/3He7GNs).

Sponsors

Support for this show comes from ThreatLocker®. ThreatLocker® is a Zero Trust Endpoint Protection Platform that strengthens your infrastructure from the ground up. With ThreatLocker® Allowlisting and Ringfencing™, you gain a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker® provides Zero Trust control at the kernel level that enables you to allow everything you need and block everything else, including ransomware! Learn more at www.threatlocker.com.

This show is sponsored by Red Canary. Red Canary is a leading provider of Managed Detection and Response (MDR), helping nearly 1,000 organizations detect and stop threats before they cause harm. With a focus on accuracy across identities, endpoints, and cloud, we deliver trusted security operations and a world-class customer experience. Learn more at redcanary.com.

Transcript
Starting point is 00:00:00 So you first came on my radar when I was researching the story. I think it was video game cheats. And I was like trying desperately to find video game, people who are selling video game cheats. And nobody wanted to talk with me on the record. I found a couple people that were just willing to chat only, but never like audio. And then I found an interview you did with somebody who's just like,
Starting point is 00:00:23 yeah, I sell video game cheats. He's like 14 or something. And I'm like, how did you find this guy? And so ever since then, I've had just so much respect. And reading this book is once again a testament of just how deep you can get into this community and reach these people. And so really hats off to your ability to infiltrate the hacking world. Thank you very much. Yeah, it's become something of a specialty.
Starting point is 00:00:50 But I mean, really, I'm always surprised they want to talk. But they do. I think there is a thing in hacking and cybercrime where, as well as the kind of anonymity that it brings, I think people like to brag and they like to show off. Yeah. Yeah. So I think that leads us right into the first question, which is who are you and what do you do? And how did you get there? Well, my name is Joe Tidy and I'm the BBC's cyber correspondent. That means I cover hacking, cybersecurity, data protection, online harms, AI, and a bit of crypto as well.
Starting point is 00:01:27 And I've been working at the BBC now for about, I think it's seven years in this role. And before that, I was at Sky News. And I was a general correspondent at Sky News doing all sorts of bits and bobs. But then in 2014, there was this amazingly huge and incredible DDoS attack on Sony PlayStation Network and Xbox Live, which took down those services over Christmas, Christmas Eve and Christmas Day. And it was headline news and my boss came in and said to me, right, these gang, these teenagers called Lizard Squad, you've got to find one of them. We want a lizard on air tonight is the phrase.
Starting point is 00:02:04 A lizard on air? Get me a lizard on air tonight. Do they know what kind of ridiculous ask that is to get a lizard on air tonight? Like on camera even? Yeah, exactly. Not even just a text interview. They wanted them on camera within, I think it was 10 hours
Starting point is 00:02:21 when we were going to be on air. And I thought to myself, well, this is impossible. Joe miraculously pulled it off. He got someone from Lizard Squad to come on TV and answer questions. Speaking to us from Finland, this man who calls himself Ryan says he is one of the hackers. Why? Why did you do this?
Starting point is 00:02:41 It affected so many people. It ruined Christmas for potentially millions of people. Why we did it? Mostly to raise awareness, to amuse ourselves. Also, one of the big aspects here was raising awareness regarding the low state of computer security at these companies. Because these companies make tens of millions every month from just their subscriber fees. And that doesn't even include purchases
Starting point is 00:03:05 made by their customers. They should have more than enough funding to be able to protect against these attacks. Do you not feel guilty that you've taken so much enjoyment of gaming away from more than a hundred million people over this Christmas period? I'd be rather worried if those people didn't have anything better to do than play games on their consoles on Christmas Eve and Christmas Day. I mean, I can't really say I feel bad. I might have forced a couple of kids to play, spend their time with their families instead
Starting point is 00:03:36 of playing games. I can't believe that clip. This kid calling himself Ryan, appearing on Sky News, not hiding his face or voice at all, admitting to taking down Xbox Live and PlayStation. And I just can't believe Joe got that interview. It takes a certain amount of finesse and diligence to get hackers to talk. I should know. But he's got just what it takes to make it happen.
Starting point is 00:04:00 And he just didn't give a damn. He didn't care. All the chaos that he was causing, all the headlines around the world, people going, what is going on with Xbox and Sony PlayStation? This is absolutely a monumental cyber security issue here. And this kid was laughing at the whole thing. And that just made me think, wow, the power that they can wield from keyboard and mouse. And it just really struck me. And from then on out, I was just hooked on hacking and cyber,
Starting point is 00:04:33 and have been ever since. These are true stories from the dark side of the internet. I'm Jack Rhysider. This is Darknet Diaries. This episode is sponsored by ThreatLocker. Ransomware, supply chain attacks, and zero-day exploits can strike without warning, leaving your business' sensitive data and digital assets vulnerable. But imagine a world where your cybersecurity strategy could prevent these threats. That's the power of ThreatLocker's
Starting point is 00:05:25 Zero Trust Endpoint Protection Platform. Robust cybersecurity is a non-negotiable to safeguard organizations from cyberattacks. ThreatLocker implements a proactive, deny-by-default approach to cybersecurity, blocking every action, process, and user unless specifically authorized by your team. This least-privileged strategy mitigates the exploitation of trusted applications and ensures 24-7-365 protection of your organization. The core of ThreatLocker is its Protect Suite, including application allow listing, ring fencing and network control. Additional tools like the ThreatLocker detect EDR, storage control, elevation control and
Starting point is 00:06:01 configuration manager enhance your cybersecurity posture, and streamline internal IT and security operations. To learn more about how ThreatLocker can help mitigate unknown threats in your digital environments and align your organization with respected compliance frameworks, visit threatlocker.com. That's threatlocker.com. This episode is sponsored by Red Canary. Red Canary is a leader in managed detection and response, MDR. They serve companies of every size and industry focusing on finding and stopping threats before they can have a negative impact. As the cornerstone security operations partner for nearly a thousand organizations, they
Starting point is 00:06:42 provide MDR with industry-leading threat accuracy across identities, endpoints, and cloud, and a world-class customer experience. For more information about Red Canary, visit redcanary.com. That's redcanary.com. The reason why I wanted to talk with Joe Tidy today is because he just published a book called Ctrl + Alt + Chaos and I just finished reading it. It's great. It starts out in 2020 with a cyber attack in Finland. There was this incredibly sinister and cruel cyber attack in Finland and it shocked the world and it was, for my money, the worst
Starting point is 00:07:27 and most nasty, cruelest, darkest cyber attack in history. The worst, most nasty, cruelest and darkest cyber attack in history? Oh, I'm in. I want to drive straight into that story. Before we hit the gas, let's try to guess at what it could be. What comes to mind when you hear that? Like maybe a hospital system brought to its knees where lives are on the line? Or maybe a pipeline gets shut down.
Starting point is 00:07:55 There's fuel shortages, chaos everywhere. Or maybe an entire government agency gets compromised and state secrets are exposed. Well, those are all serious and probably scary, but they don't sound like the nastiest to me. Let's think smaller, closer to home, more personal. Is there something, some piece of data on you that, if exposed, would make you feel fear? Like a deeply disturbing fear. Maybe it's your photos getting out.
Starting point is 00:08:30 You probably just publish your photos online anyway, so that's probably not it. Okay, well what about your text messages? Are those private enough that would cause a lot of fear if they got out? Maybe. Or your location data? Or maybe your password getting leaked? Alright, fine. Guessing game is over. Let's hear what it was.
Starting point is 00:08:51 So the Vastaamo cyber attack was in October 2020. And the first we heard of it was that there was someone on a forum in Finland on the darknet who was saying that they're calling themselves Ransom Man and they were saying I have hacked the Vastaamo Psychotherapy Center. I have got all the personal details of all the clients of this ginormous chain of psychotherapy centers. So this is a really well-known company in Finland, a kind of social good company that was very, very popular. They were offering people psychiatrists, psychotherapists, that kind of thing. And they had dozens of centers popping up all over Finland. They had a very famous and recognizable logo of a green speech mark. I think Vastaamo translates as the answer machine
Starting point is 00:09:46 or the place to go for answers. So in a small country like Finland, everyone knew Vastaamo because if you didn't go to it, you knew someone that probably went to it. So when this Ransom Man popped up on the darknet on a website, which is now gone, but it was called Torilauta, and he said, I have hacked Vastaamo, I've got all of this information. Not only have I got the information from the patients about like name, address, email, phone number, social security number, I've also, crucially and cruelly, got all their therapy notes as well. So that's 33,000 people who are potentially going to have their deepest, darkest secrets exposed online.
Starting point is 00:10:27 There it is, the notes your therapist took when you spilled your most personal and private thoughts to them. That in my opinion is in fact the cruelest piece of personal data that someone could hold for ransom. Especially because you didn't do anything wrong, you were just talking to your therapist. But this Ransom Man guy was talking with Vastaamo telling them, hey, I hacked your company, I stole your patient records, and all I want is Bitcoin or else I'm going to release it to the world.
Starting point is 00:11:02 Vastaamo contacted the police who took over communication directly with this hacker and they were trying to get as much information as they could from this guy. But that went on for six weeks and Ransom Man felt like it wasn't going anywhere and needed to up the pressure to show that he's serious. And Ransom Man said, I have been trying to get 400,000 euros, which I forget how many bitcoins it was at the time, but that's how much it equated to. I've been trying to get that off the CEO of Vastaamo and the company's refusing to pay. So now I'm going to release 100 records every day until they pay me.
Starting point is 00:11:43 Of course, the Finnish police were already very aware of this situation because they were working with Vastaamo to try to catch this guy. So they noticed this post right away and start archiving anything, looking for clues. And yes, the first day he did release 100 records. Everyone's worst fears were a reality. It's the kind of stuff that is a nightmare for people who are vulnerable, they're struggling already with their mental health,
Starting point is 00:12:11 and then to have this kind of information out there, it's anything you can imagine. So we know now that Ransom Man took a lot of time choosing which 100 to release. He wanted the most salacious ones he could find, he wanted the most harmful ones he could find. So he did searches for things like rape fantasies, child abuse, police as well. At one stage he was searching for those kinds of keywords in the database. And he posted these first 100. Now typically when you see someone post a snippet of breach data to a darknet forum saying you hacked into something, people think it's funny and maybe even cheer for you.
Starting point is 00:12:49 But he didn't see any of those kind of reactions. He chose sites that you'd think that would be acceptable to this kind of crime and this kind of maverick approach to morals, I suppose you could put it that way. As well as posting on Torilauta, he posted it to a clear web forum called Ylilauta, which was known as like Torilauta, known for being a place a bit like 4chan, you know, that horrible website 4chan where anything goes and edgelords rule and the more offensive you can be the better. And the two places that he posted, what I was really surprised at, looking back through the logs in research for the book, was just how much
Starting point is 00:13:33 hatred he got straight away. There was no respect for him. There was no, wow, well done, you've done a crazy thing, awesome. Everyone was very, very angry. There wasn't much love at all for Ransom Man. And what I found really interesting is if you look through the back and forth that he has over the hours that he's on both those websites, people are saying, you're a script kiddie, go and kill yourself. There's a special place in hell for you. All these things being thrown at him, and quite quickly his post got marked as being a sign of criminality on the Ylilauta website, so they took it down. But on the darknet one it stayed there and he carried on. He carried through with his
Starting point is 00:14:22 threats. Every day he posted a hundred more records. I mean, I think this might even be an instance where I'd call him a script kiddie myself. Normally I would never call anybody that except maybe myself, because the term is usually derogatory. Script kiddie is just a beginner hacker who doesn't know what he's doing. But I like beginners. We all have to start somewhere. Beginners aren't a problem.
Starting point is 00:14:50 But the reason why I might call this guy a script kiddie is more because of the you don't know what you're doing part. Holding this kind of sensitive data hostage? Dude, that's messed up. You can't mess around with that kind of data like that. This whole thing just strikes me as being so reckless and careless for other people's most inner private details getting out. He's got an unbelievable amount of highly personal data and he's weaponizing it in
Starting point is 00:15:17 order to profit from it. It's like he doesn't care how many people he hurts from this just so he can try to extort this company. It does seem like he's really grasping for something here. What fame, money, respect? But he's just not getting it from anyone. Ransom Man even joked about that. He said that getting into this database that was holding all this really private data was
Starting point is 00:15:41 really easy. He said there was no password, it was root root. And he put that on the forum and people kind of laughed along with it in a sense. But then there was also the idea that he was out of his depth. People were accusing him, Ransom Man, of being an amateur, of not knowing the difference between profit gross, profit net, accusing him of asking the company for too much money. And what's funny about the exchanges on the forum is that he's constantly having to defend his actions as a hacker.
Starting point is 00:16:11 He's saying like, no, no, no, I've done loads of hacks and this is just one of them and I know what I'm doing and trust me, I'm a serious cyber criminal. But people weren't really buying it. But what was also quite troubling and scary is that there were a couple of people, whilst most people on the forum were having a laugh with it and trying to make him feel bad for what he's done, some of them were posting saying, hang on a minute, this is my data. Please, please don't post it. So that was the first day.
Starting point is 00:16:43 Already it stirred up some people pretty bad. But Ransom Man promised another 100 more every day. And then like clockwork the next day, another 100. And then like clockwork the next day, another 100. And obviously, as you can imagine, it was getting picked up now by news organizations around the world. People in Finland were getting extremely worried and concerned about it. And there was nowhere to turn to because Vastaamo was in absolute chaos. Vastaamo stayed quiet through all this, partially because they were working with the police to try to catch them, partially because they were speaking directly with Ransom Man over
Starting point is 00:17:21 email. Their customers were freaking out and they were trying to focus on this catastrophe at hand. So 300 different patient records now on the internet for anyone to download. And all you had to do was click on one of the links and then you've got access to all of the data. And in some cases, some of these people would be regular clients and patients of Vastaamo. So they would have maybe a year's worth of therapy notes. And these are kind of like typed out by the therapist.
Starting point is 00:17:50 And it will be things like, today we talked about this. They wanted to say this. I think it could be to do with this. So you can imagine what types of information and details there are put in there by the therapist. And if you look at the whole thousands of people that were affected by this, some of them were regular Vastaamo patients, so they would have had a huge amount of detail. Some of them were infrequent and some of them were, you know, only one or two visits.
Starting point is 00:18:15 But the first 300 people that had their notes exposed, they were chosen specifically because they were the most deep and upsetting. And I think, you know, we know now that he knew exactly what he was doing when he chose those. Gosh, how awful to be one of those people who trusted this company with their innermost secrets, only to have it all posted publicly for anyone to see. That would absolutely rattle me to my core. I would simply be frozen for a solid week, unable to move, not knowing how my friends or family or coworkers will react if they read it.
Starting point is 00:18:53 And I guess this is another lesson in protecting your own data. Just because something is supposed to be safe and secure doesn't mean it is. Companies might say they treat your data with the utmost privacy, but actually they don't do as good of a job as they should. And it's just one of those reminders that you are the only one who will treat your data with the privacy it deserves. So make sure you're doing it. But what he did next was he made probably the biggest mistake in the history of cybercrime because he thought I'm going to be helpful here. So he told the forum users, here's a large folder.
Starting point is 00:19:33 You can download the whole thing instead of having to go to 1, 2, 3 download links, here it all is. But what he accidentally did was posted his entire home directory and the entire list and all the data from the 33,000 patients. So in that one upload, he gave away all his bargaining chips. He posted it late at night and went to sleep before realizing his mistake. Of course, by this point, a lot of cybersecurity researchers were keeping a close eye on him, including the police. And when they saw this post they all immediately tried grabbing this tar folder with all the data. But since he posted it on the darknet on Tor, it was an extremely slow connection.
Starting point is 00:20:18 So nobody could really grab it. There just wasn't enough bandwidth and everyone was getting extremely slow download speeds. There was a couple of people on the forum in the morning who were talking about, oh, I got five megabytes here, one megabyte here, but this file was 10 gigs big. So, you know, and the kind of the slowest internet speeds that you get on the darknet meant that people weren't able to download the full thing. Plus, there was a strict, there was a little bit of luck that Ransom Man had as well. He ran out of storage space or something and it kind of it locked out and went down overnight.
Starting point is 00:20:52 So it didn't allow many people to have full access to it. But there were some who did and there were some that managed to get a decent chunk of that file. So nobody got the full file. But even just getting the first of five megabytes had a lot of very interesting data in it. People were extracting what they could out of it and looking through it and it had loads of patient details. But there was some other stuff in there, details about Ransom Man himself. Well, there's this moment where he wakes up and he realizes his mistake and he posts on
Starting point is 00:21:31 Torilauta, whoopsie, enjoy big tar and he puts a smiley face emoticon. What's interesting about that, of course, is that he's playing down what is a serious situation for him. He hasn't just given away his entire bargaining chip, he's given away really, really important information that he wanted to keep secret about himself. So very quickly it becomes clear to the police that if he knows what's happened, they need to be quick. And they very quickly in the early hours of that morning, they started tearing through this two gigabyte file that they managed to download from the big tar and they found an IP address, a crucial IP address. It was a massive stroke of luck from the police. Not only that, bizarrely, the IP address was for a cloud hosting provider
Starting point is 00:22:23 in Helsinki where the investigation was taking place. So, there was this... I spoke to the head detective, Marko Leponen, and he said there was this mad race to try and get to the cloud service provider, get that computer off the internet as quickly as possible to stop Ransom Man having any control over it. And he says there was a race against time between Ransom Man himself. He could see the files being deleted somehow and he said that he had to get two police officers in a car, sirens going right the way across town to try and get to this place. They had another officer on the phone trying to get through to them in the early hours. They eventually got through on the phone. They had a guy from the company running through the warehouse, finding the server, unplugging
Starting point is 00:23:09 it so that Ransom Man had his connection severed. Ransom Man trying to delete the evidence from his massive server, which had way more than the big tar, of course, that had everything on there. And he was only able to delete a certain amount because they got there just in time and pulled the plug. Wow, the police were really on the ball here. I mean, holy cow. See, when you're on Tor, the darknet, IP addresses are hidden. These files could be hosted anywhere in the world and the police would have absolutely no idea where to look to find Ransom Man or where the files are hosted. But this file he posted pointed exactly to where those files were hosted.
Starting point is 00:23:45 It was a big mistake and it gave the police their first huge piece of evidence. With this server seized, they took it back to the police station to analyze it. Yeah, they took the server back to their lab in the cyber bureau, the HQ in Helsinki, and they started going into it and it gave them a wealth of information. Not just about that particular hack that took place, but also about the kind of the network and the infrastructure that was being used, what other cloud service storage providers that the ransom man was using, receipts from certain things, other little nuggets and little breadcrumbs that took them to online accounts,
Starting point is 00:24:19 which they could, you know, subpoena Google for or whoever it was to get information about individuals. It was a treasure trove. It was an absolute, you know, a boon for the police. Sounds like Ransom Man has screwed up way too many times and the cops are closing in on him. What would you do if you were in a situation? Stay with us. We're going to take a quick break. But I guarantee you, he does something that you would never think to do. Hey, it's Jack. Do you like what you hear? I mean, really like it? If this is your first episode you're listening to, skip ahead a minute. But if you've been binge listening and cannot wait to hear what happens next, then I want to talk to you. I give you this
Starting point is 00:25:01 show for free because I want it to spread as far and wide as possible. I like educating and entertaining people, but if you are finding this podcast valuable to you, I could really use your direct donation. And I'm just asking for you to buy me a cup of coffee once a month. And hey, as a thank you for supporting the show directly, I will give you an ad-free version of the show and a bunch of bonus episodes that are exclusive to supporters. I hope you visit plus.darknetdiaries.com or just Google Darknet Diaries Plus. Also, I want you to know that I have your next favorite shirt ready for you. Go to shop.darknetdiaries.com and you'll see it there. And no, it's not just a shirt with the show logo on it. It's
Starting point is 00:25:42 way cooler than that. And when you get it, show me a picture of you wearing it. So Ransom Man was toast. All the data he was holding for ransom is now out there. So he's got nothing left to threaten Vastaamo with. And if it was me, I'd be like, oh crap, and I'd delete everything on my machine and close it and set it on fire and try to disappear as fast as I could. I don't know what goes through his mind, but he sort of thinks, okay, how can I make some money? I've come this far, I need to make some money out of this. So the next step is really, really nasty. He
Starting point is 00:26:18 finds the email addresses obviously in the stolen data of as many people of those 33,000 patients as he can find. I think it was something like 27,500 email addresses. And then he emails them, every single person, all in one batch, with their name in the email, personalized to them with their social security numbers, and he says, I've been trying to get Vastaamo to pay me so I don't release your data. They are not paying me. So you're going to have to pay me now. Oh, wow. He contacts every person he can to try to extort the users individually. That is cruel.
Starting point is 00:26:57 Like already they're reeling from their deepest secrets being out there. And now he's hitting them when they're down saying, give me money and I'll delete your data. Which is 200 euros worth of Bitcoin. And if they don't pay within 24 hours, it goes up to 500 euros in Bitcoin. Otherwise their data will be published online. And of course he CC'd the CEO of Vastaamo and their executives. Vastaamo goes into full panic mode at that point.
Starting point is 00:27:26 Tons of people started calling in who are just now hearing about this, really worried. Not only were they calling Vastaamo, but floods of people were calling the police too. And honestly, I can't recall a data breach where the hacker tried to extort all the victims whose data was in the breach. Yes, I know that people comb through data breaches looking for targets to hit. And so the people in the data breach are often victims themselves. But to extort them all like this, that is, that's just something new to me. Yeah, certainly at this scale, never before seen.
Starting point is 00:27:58 And if you speak to some of the security experts who are looking at the time, you know, this is a real nadir in cybercrime. This is the lowest of the low. This is a cybercriminal who did something despicable in the first place, failed in trying to extort the company, and now is going directly into the inboxes of these vulnerable people. And the impact that this had is just awful. I've spoken to probably, I think about 15 of the victims, and you hear some of the stories of the impact it had on them. One of the women that I spoke to said it was,
Starting point is 00:28:34 it felt like digital rape, she said, which really has always struck me as just such a horrible proposition and such a horrible description, but it does bring to life for me what it feels like. You know, having your data stolen, you know, your private data can feel like a burglary is what some of the victims said, but having this particular type of information stolen,
Starting point is 00:29:03 it's just such an invasion. Joe spoke to the lawyer of some of these victims who told him that some people couldn't handle this news and they chose to end their own life rather than to face the shame of their data getting out there. It was truly an awful, dark, cruel time for these victims. Yeah, so at this point, the story went completely stratospheric, as you can imagine, because people started going online saying, I've got this email, I'm being ransomed directly. And if the country hadn't been doing much to help people up to this point, suddenly
Starting point is 00:29:44 it kind of burst into gear. You had statements from the president and the prime minister. There were meetings held at the highest level of government, trying to work out what you can do for these people. Because of course, the data is already out there. Although Ransom Man was asking for payment, not many people paid. I think about, we know for a fact about 20 people sent ransom man money. But a lot of people were advised and they got the advice
Starting point is 00:30:11 don't pay. It's too late. The data is out there. If you pay you're wasting your money. And that was the advice that was given. But the police were getting calls from we're talking at 33,000 people, potentially thousands of people all on that same night hit with this same email, the same threats. So that's an instant spike in criminal complaints, criminal records and reports needed to be filed. They couldn't cope. There was phone lines set up by Vastaamo to try and help people, but they were overwhelmed.
Starting point is 00:30:44 The police were overwhelmed. They said, please don't call 999 or whatever the equivalent is in Finland, with an emergency, you need to go to this specific number. This was all happening during COVID as well. This was October 2020. So the country was already, you know, in a state of panic. There's this picture that I dug up for the book from Twitter, which showed the Prime Minister and her cabinet sat around a circular table, all socially distanced, all with surgical masks on, looking at this big screen with the Vastaamo details on it. And that just really hit home to me.
Starting point is 00:31:20 This is such a time of already peril for society. And then suddenly you've got this ginormous hack, which in a small country like Finland, five and a half million people, as Mikko Hypponen said, you know, everyone knows someone who was affected by this. Twenty people paid the ransom. That's what, like, $6,000 worth of ransom payments that he made from all this. And in total, that's about all he made from this whole thing. Not a very big payday for him compared to how much damage he caused these victims. At this point, the police had been working on this case for almost six weeks and have
Starting point is 00:31:57 started to collect some pretty interesting evidence. Well, the main detective Marco Leponen, obviously he's very, very happy that they managed to secure this server that Ransom Man was using and running. And he thinks, great, I've managed to get something here that's going to really help us. But then of course, it all comes crashing down for him when his phone just doesn't stop ringing because of victims who've managed to get hold of his number who are calling for help. And there's a sort of scene in the book where Marco feels relieved, but then the phone is going and people are calling saying, what am I going to tell my husband about my affair?
Starting point is 00:32:35 What am I going to, how am I going to go into the office on Monday with my colleagues, find out what I've said about them? And he, he really, really hits him hard and he breaks down and he's crying and he decides to change his phone number and concentrate on the criminal investigation, which is what he does. And he spends the next best part of the over a year trying to figure out who ransom man is. Over a year, wow. Yeah, and slowly it dawns on him that this kid or this cyber criminal who was famous when he was a kid, infamous rather, is probably the prime suspect.
Starting point is 00:33:17 And the name Julius Kivimaki just keeps coming up. Julius Kivimaki? Of course his name would come up as a person of interest. It was in the back of a lot of people's minds from the beginning that it might be him. And you know what? You already know who that is. Julius Kivimaki is the guy who took down the Xbox and PlayStation Network on Christmas 2014. The guy that Joe interviewed live on Sky News. You heard his voice at the beginning of this episode.
Starting point is 00:33:46 The notorious hacker from Lizard Squad. He's from Finland. He's been involved with some pretty high profile hacks in the past and he just doesn't seem to care how much trouble he gets in or chaos he causes. Could Ransom Man be him? Speculators were thinking it, but the investigator, Marco, was finding actual evidence that was pointing to him. But he can't find him.
Starting point is 00:34:08 He can't find where Julius Kivimaki is to bring him in for an interview. He could be anywhere in the world. Nobody knows where he is. So Marco does the quite extreme move of putting out an Interpol red notice to try and find out where he is. And I think it was in November 2022 that he put out the red notice, which means that if there is a police force in Europe
Starting point is 00:34:31 that comes across anyone that bears the liking of Julius Kivimaki or has any likeness to him in terms of the kind of aliases that he's using, that kind of thing, need to arrest him on sight in order to send him back to Finland. And Marco puts out this red notice and obviously carries on with other cases and things and just hopes that somebody somewhere recognizes Kivimaki and brings him in.
Starting point is 00:34:56 Julius was smart about evading capture. He was in hiding, using fake IDs and in some other country. There was just no trace of him anywhere. But this is when Joe realized he's talked to this hacker before. As soon as the name came out, as soon as he was wanted with the Interpol red notice, the cybersecurity world were like, hang on a minute, this is the same kid or not kid anymore, but this is the same person that was this notorious cyber criminal when he was a teenager. And I was like, wow, I couldn't believe it because I was trying to keep tabs on this kid. I had a feeling that he would be back after the Lizard Squad
Starting point is 00:35:37 attacks. And then he comes up and does this. And he just think, wow, this goes to show that if you don't catch and deal with some of these cyber criminals they will just keep coming back for more. It's sort of like an addiction. If you look at the history of people like Kivimaki and in the book we go into great detail about what he did as a teenager, what kind of gangs he was in, the people around him, the culture around him. There is a kind of element of just addiction and power and greed when it comes to these individuals. And once you get a taste for that hacking life, I think it's hard to let go. Meanwhile, Vastaamo is still reeling from this attack.
Starting point is 00:36:18 So if you ask the CEO of Vastaamo and the founder of Vastaamo, Villa Tapio, he would say that the company could have survived if he'd have been allowed to keep operating it and kind of steered the ship through this crisis. But he was dropped very, very quickly as soon as the investigators began poking around. When Vastaamo got the ransom note from Ransom Man, they called the police and the police took over the situation. They took over the CEO's email and they were responding to Ransom Man, posing as the CEO.
Starting point is 00:36:46 They were advising Vastaamo how to react to everything. And the police weren't trying to save the reputation of the company. They were trying to solve the case of who did it. So they had a totally different priority than maybe the Vastaamo leadership. So the CEO of Vastaamo didn't have control of the ship in the middle of this crisis. The police did. Not only had Ransom Man managed to get hold of this data in 2018, someone else, somewhere, we don't know who, we don't know what happened, they got hold of it in 2019 or they had access
Starting point is 00:37:14 to it. And there was, there's still a lot of confusion here about whether or not there was a cover up. Tapio denies that vociferously. The IT team that he hired have gone dark. They don't talk, haven't spoken to anybody. So we don't know exactly the nature of that, but the Vastaamo hack, Ransom Man, plus this incident in 2019, it just meant the company was in absolute chaos and crisis and legal problems as well. You can imagine data protection authorities breathing down their necks.
Starting point is 00:37:46 They had fines to pay. And then you've just got the fact that there was tens of thousands of people who just could no longer trust the company. And the way they handled it was atrocious. People were turning up at the therapy centers demanding their notes to be handed over and some of the staff were in tears and it was just utter, utter devastation and the company collapsed into administration. The company collapsed. Wow. It's pretty rare for a company to be damaged so badly from a cyber attack that it can't recover and has to shut down like this? And it's wild to think that your whole business could come to a catastrophic end all because of a hacker. But all this does make you wonder, whose fault is it for not securing the customer's data better?
Starting point is 00:38:37 And shouldn't they be held responsible? Well, Villa Tapio, the CEO, he has been prosecuted for failing to protect the data, but he's appealing that and we don't know what's going to happen with that. The CEO blames his IT team for failing to protect the data and he blames the police for how badly the fallout was handled. He says when he called the NBI, the National Bureau of Investigation, they locked him out of all decision-making and he didn't even know what was being said in emails using his
Starting point is 00:39:10 name. And pretty early in the investigation, the NBI filed a criminal complaint against the CEO accusing him of a data protection violation, which led the board to remove him as CEO in the middle of this crisis, while people were trying to call 24-7 looking for help. The company was leaderless during all this, and not only was he dismissed as the CEO, but the parent company of Vastaamo also sued him, accusing him of failing to protect user data.
Starting point is 00:39:40 Villa Tapio, the CEO, was convicted in the District Court of Helsinki for data protection violations under the EU's General Data Protection Regulations. He was sentenced to a three-month suspended prison sentence in April 2023 after being found guilty of not anonymizing or encrypting the personal data processed at Vastaamo. But he doesn't agree with that, and he's actively trying to fight that to clear his name, so it's still yet to be seen where he lands. Around that time, someone phones up the Paris police and reports that there's a domestic abuse situation happening.
Starting point is 00:40:21 They said, there's scary noises. Sounds like a scared woman, an angry man, something's going on, check it out. They get called out to a domestic abuse situation in Paris in early 2023 and the police arrive in the early hours, I think it's something like half past six, seven o'clock in the morning, to a very quiet part of Paris in the north, I think it's the northwest, and they approach the door expecting potentially for there to be a serious situation of you know potentially a man abusing a girl or woman and they knock on the door and eventually a very bleary tired looking girl answers the door and she's fine and the police go in and they find
Starting point is 00:41:06 a, um, a six foot three, blonde hair, green-eyed man, um, who's traveling under the, uh, name Assam Amit, and they think, hang on a minute, uh, this person doesn't look like they should be from Romania. So they run some checks and it turns out this isn't a Romanian living in Paris with his girlfriend or wife at the time. This is the wanted cyber criminal, Julius Kivimaki. So the Vastaamo hack happened in 2018, but the ransom attempt and public posting of this data didn't happen until two years later in 2020. And now Julius is arrested in 2023.
Starting point is 00:41:48 So they very quickly arrest him and drive him to the police station. And then of course, the call goes into Marco and the team in Finland and they are high fiving around the office. They're screaming for joy because they didn't think that this red notice would be so successful. This was only a few months after they put the call out to other police for help and they had no idea where he was. So suddenly to have this arrest take place in Paris meant that they got their guy. So he's sent to jail in Helsinki, Finland and has to face a judge there.
Starting point is 00:42:24 So it takes them a good few months to get together the evidence that they need to start the trial. And the trial takes place in Finland, just outside Helsinki. And it's the biggest criminal case in Finland's history because of the number of victims. And I went along to the first day when Kivimaki was in the dock doing his cross-examination. And it was an absolutely ram-packed courthouse, as you can imagine. So many people there wanted to know what he would say and how he would sort of get around it.
Starting point is 00:42:57 What was interesting as well was there was lots of people watching who were victims in a cinema, in a secret location as well, watching the live feed. But during the trial, about halfway through the trial, somehow Kivimaki's legal team managed to convince the judges to let him out on bail because they thought that he wasn't a flight risk. So he was released from prison and he was allowed to do what he wanted as long as he was under certain conditions like he had to keep his phone on him and go to a police station every couple of days. But just as soon as he was released, the police were like, Whoa, whoa, whoa, you cannot let this guy go because he's gonna be he is a flight risk, he's gonna disappear again. Because that don't
Starting point is 00:43:36 forget he's been he was wanted and there was a manhunt from previously plus you've got this massive history as well where he just doesn't seem to give a damn about the police. So lo and behold, they say, the judges change their mind and they say, right, come back to prison, please, Kivimaki. We don't know where you are, but come in because you've got to come back to prison. And he just refuses. He just says, he answers the phone saying, no, I'm staying where I am. I'll see you in court, but I'm still, I'm chilling. I'm not going to come into the police. I'm not going to come to prison again until the court case starts. So you had this absolutely absurd situation where a wanted cyber criminal who
Starting point is 00:44:15 was found by accident in Paris, brought to Helsinki, largest criminal case in Finland's history, released on bail. Now they want him back and he's saying no. Mid trial. I just think it's incredible because of course all the cases that I've covered, the defendants are always trying to be as good as possible and try and convince the jury and the judges that they are upstanding members of society and Kivimaki just doesn't care. So the police had to start another manhunt to find out where he is. And Marco is so angry about this. And he's got all the police resources are out there trying to find him and eventually they managed to track Kivimaki down because he posts a picture of himself or post a picture of a hand holding a really expensive champagne
Starting point is 00:45:01 bottle and they recognize the room might be something from an Airbnb, and they manage to locate the Airbnb he's in and re-arrest him. 9,600 counts of aggravated invasion of privacy. 21,000 attempted aggravated extortion attempts. So those are the emails that they know about. Yeah, and 20 counts of aggravated blackmail. I mean, this is crazy. 21,000 aggravated extortion attempts.
Starting point is 00:45:30 Like, I've heard people get arrested for like seven counts of this, 13 counts of that. 21,000 counts. Holy mackerel. Yeah. And well, that's the kind of preposterous thing about the Finnish justice system because when you look at it, it's outrageous, isn't it? But actually, if you look at the numbers in detail, so the 9,231 aggravated dissemination of information infringing private life, those are the people that actually filed complaints.
Starting point is 00:45:59 So really 9,000 people. Yeah. It was like almost like a class-action lawsuit with 9,000 complainers. Yeah, wow, and then the 20,000 are the emails that they know of, so they were 27,000, I think there was some duplicates and 20,000 were the ones that they kind of confirmed as being aggravated, and then you've got the 20 aggravated, which is the people that paid. Yeah, in the US we have civil cases, which is like, you know, a user of the site is claiming damage that the site caused them, you know, reputational damage or whatever.
Starting point is 00:46:32 But this is a criminal case where people complained that this particular person, Kivimaki, has harmed their life and in ways that I think that's also unusual. Yeah, and they're actually thinking of changing the Finnish justice system to cope with this kind of thing. They've never had a court case on this scale where so many individuals go after and accuse one individual of issues of criminality. So there's discussions in the country about how they're going to cope with something that if this happens again, because they, you know, they had. Because they're still working through it, to be honest. They are still working through
Starting point is 00:47:09 the backlog of potential compensation to be paid. The company, Vastaamo, is bankrupt, so they can't really pay very much. But Kivimaki has agreed to pay some people, but it's not going to be much. And of course, the kind of the scale of harm is very different depending on who you are as well. So there will be some people, I spoke to one guy who went there twice with his wife to help them with their divorce. And he doesn't feel particularly aggrieved or, you know, he's not feeling too invaded by that.
Starting point is 00:47:41 But then you've got people who have been there going there for years and they poured their hearts out to the therapist and now they're absolutely terrified. If someone looks at them funny in the street, they're worried that that person's read their notes and they know the deepest, darkest secrets. There is a real difference in how it's affected people. Yeah, so it's, I mean, in the court there, they mention how many other crimes this guy has committed and how it just goes back for almost a decade that this guy was a cyber thug. And that's where I think there's just so much more to your book, right? Yeah, and you mentioned the 30,000 crimes that the court accused him of or convicted him of.
Starting point is 00:48:32 But if you go back not that long, Kivimaki has a history of cybercrime. He got convicted of 50,000 cybercrimes when he was a teenager because of various things he did. Because this guy was really brought up in a time when teenage cybercrime gangs were absolutely coming to the fore. They were prolific. There's this period of time in the 2010s where you had this conveyor belt of cybercriminal teenage gangs that were one after the other, passing the baton, upping the ante. They were worse than each other each time. They tried to outdo each other in terms of the kind of things they could do, get away with the kind of criminality and cruelty they could be responsible
Starting point is 00:49:14 for. I don't know if you remember any of these gangs, but I'll go through some of them. So LulzSec probably started this whole thing, I don't know if you remember them, 2011. And then after that, you had HTTP, which Kivimaki was part of and convicted for. He was actually, he was collared when he went to DEFCON in, I think it was 2012, 2013, when he was a teenager. And the police, the FBI managed to get him in a room, in a hotel room and interrogate him for some of the stuff he was doing. And then he was arrested by the Finnish police and spent time in prison. And then eventually, the long, slow way that the justice system works, he was convicted. But of course, in that time, he didn't stop and he carried on. And then there were other gangs he was part of like Lizard Squad and Eugene Artsy
Starting point is 00:50:07 ISIS gang, all these types of gangs just came and went in this period causing damage as they, as they did. So he was convicted of fifty thousand cyber crimes in the past. Look, what we've covered in this episode is only the first few chapters of Joe Tidy's book Control Alt Chaos. You've got to hear what else this guy did. So I encourage you to go get his book and hear the rest of the story. We only covered one of his hacks here, but there are so many more this guy did. And I have a strong feeling that Julius Kivimaki will go down as one of the most notorious hackers in history.
Starting point is 00:50:43 And it's really amazing how close Joe was following this whole story, especially in this Vastaamo case. Like Joe was in the courtroom watching all this unfold. Yeah, I was there on the first day that he gave evidence. And it was packed full of journalists from all over Finland and also international journalists as well. Because of course, by this time, this was known as the biggest case in Finland's history and the Vastaamo court case and the Vastaamo case itself was just such a big nasty story. And I went in and it was really interesting because Kivimaki sat there and he had a laptop in front of him and he was answering all his prepared questions from
Starting point is 00:51:21 his lawyer and he was just not even thinking about it, just kind of like stroking the mouse keypad on the laptop back and forth, back and forth and smiling while he was talking and cracking little jokes. He seemed really relaxed and of course when you look at his history, when you look at the amount of cybercrime that he's carried out, the amount of run-ins with the police, convictions, that makes sense to me. This is the kind of world that he operates in. He doesn't seem to have much care for anything. Yeah. Yeah, it does seem like that. Just what can I do to set the world on fire kind of
Starting point is 00:51:58 thing. Yeah, I think it is a bit of that. It's one of the really weird things about this whole case is like I've followed this guy for 10 years since he was a teenager and the people that speak to him and know him he's not a popular hacker. He falls out with people all the time. He did some nasty stuff even before the Vastaamo hack. I would argue that he's probably the most hated hacker in history because he didn't give a damn and doesn't give a damn. And people are confused by him, what his morals are, because he's got the money. Some people said that he just likes to cause damage and likes to cause chaos and enjoys it. On April 30th, 2024, Julius Kivimaki was sentenced to six years and three months in prison.
Starting point is 00:52:49 He's currently sitting in prison right now, serving his time. Thank you so much to Joe Tidy for sharing this incredible story with us. You have to hear the rest of the story though, so go get his book. It's called Control Alt Chaos and it releases this month. I have to take a moment to just thank my premium subscribers. They are the real heroes to me. For supporting this show, it really helps keep it going. I love you so much.
Starting point is 00:53:21 Thank you. And if you're not already a premium subscriber and you want kisses from me, visit plus.darknetdiaries.com. And if you sign up, you'll get an ad-free version of the show plus 11 bonus episodes. This episode was created by me, the root canal, Jack Rhysider. Our editor is the drop tables, Tristan Ledger, mixing done by Proximity Sound and the intro music is by the mysterious Breakmaster Cylinder. Of course I use a password manager. It's called the Dark Web. Have you heard of it?
Starting point is 00:53:47 It's got everyone's password on there. You can look up mine or anyone else's. It's real easy. This is Darknet Diaries.
