159: Vastaamo

2025/6/3
Darknet Diaries

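Jack Rhysider: I think the Vastaamo cyber attack is the worst, most despicable, cruelest, darkest cyber attack in history. It directly targeted the victims' personal privacy and caused enormous psychological trauma. This kind of attack crosses the bottom line of cybercrime and is appalling. Joe Tidy: This cyber attack was indeed extremely cruel. Ransom Man stole not only the patients' personal information but also their therapy records, which is the most private and sensitive data. Even more appalling, he extorted the victims, threatening to publish their data. This not only violated personal privacy but also brought the victims enormous psychological pressure and suffering. The case also exposed Vastaamo's serious shortcomings in data security, and the reality of cybercriminals exploiting vulnerabilities to carry out attacks.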

So you first came on my radar when I was researching a story. I think it was video game cheats. And I was like trying desperately to find video game people who are selling video game cheats. And nobody wanted to talk with me on the record. I found a couple people that were just willing to chat only but never like audio.

And then I found an interview you did with somebody who's just like, yeah, I sell video games. He's like 14 or something. And I'm like, how did you find this guy? And so ever since then, I've had just so much respect. And reading this book is once again a testament of just how deep you can get into this community and reach these people. And so really hats off to your ability to infiltrate the hacking world. Yeah.

Thank you very much. Yeah, it's become something of a speciality. But I mean, really, I'm always surprised they want to talk, but they do. I think there is a thing in hacking and cybercrime where, as well as the kind of anonymity that it brings, I think people like to brag and they like to show off. Yeah. Yeah. So I think that leads us right into the first question, which is, who are you and what do you do? And how did you get there?

Well, my name is Joe Tidy and I'm the BBC's cyber correspondent. That means I cover hacking, cybersecurity, data protection, online harms, AI and a bit of crypto as well. And I've been working at the BBC now for about, I think it's seven years in this role. And before that, I was at Sky News.

And I was a general correspondent at Sky News doing all sorts of bits and bobs. But then in 2014, there was this amazingly huge and incredible DDoS attack on Sony PlayStation Network and Xbox Live, which took down those services over Christmas, Christmas Eve and Christmas Day. And it was headline news. And my boss came in and said to me,

Right. These gang, these teenagers called Lizard Squad, you've got to find one of them. We want a lizard on air tonight is the phrase. A lizard on air. Get me a lizard on air tonight. Yeah. Do they know what kind of ridiculous ask that is to get a lizard on air tonight? Like on camera even? Yeah, exactly. Yeah. Not even just a text interview. They wanted them on camera within, I think it was 10 hours when we were going to be on air.

And I thought to myself, well, this is impossible. Joe miraculously pulled it off. He got someone from Lizard Squad to come on TV and answer questions. Speaking to us from Finland, this man who calls himself Ryan says he is one of the hackers. Why? Why did you do this? It affected so many people. It ruined Christmas for potentially millions of people. Why we did it? Mostly to raise awareness, to amaze ourselves.

Also, one of the big aspects here was raising awareness regarding the low state of computer security at these companies. Because these companies make tens of millions every month from just their subscriber fees, and that doesn't even include purchases made by their customers. They should have more than enough funding to be able to protect against these attacks. Do you not feel guilty that you've taken so much enjoyment of gaming away from more than 100 million people over this Christmas period?

I'd be rather worried if those people didn't have anything better to do than play games on their consoles on Christmas Eve and Christmas Day. I mean, I can't really say I feel bad. I might have forced a couple of kids to play, spend their time with their families instead of playing games. I can't believe that clip. This kid calling himself Ryan, appearing on Sky News, not hiding his face or voice at all, admitting to taking down Xbox Live and PlayStation 4,

And I just can't believe Joe got that interview. It takes a certain amount of finesse and diligence to get hackers to talk. I should know.

but he's got just what it takes to make it happen. And he just didn't give a damn. He didn't care. All the chaos that he was causing, all the headlines around the world, people going, what is going on with Xbox and Sony PlayStation? This is absolutely a monumental cybersecurity issue here. And this kid was laughing at the whole thing. And that just made me think, wow, the power that they can wield from keyboard and mouse.

And it just really struck me. And from then on out, I was just hooked on hacking and cyber and have been ever since. These are true stories from the dark side of the internet. I'm Jack Rhysider. This is Darknet Diaries.

This episode is sponsored by ThreatLocker. Ransomware, supply chain attacks, and zero-day exploits can strike without warning, leaving your business's sensitive data and digital assets vulnerable.

But imagine a world where your cybersecurity strategy could prevent these threats. That's the power of ThreatLocker's Zero Trust Endpoint Protection Platform. Robust cybersecurity is a non-negotiable to safeguard organizations from cyber attacks. ThreatLocker implements a proactive, deny-by-default approach to cybersecurity,

blocking every action, process, and user unless specifically authorized by your team. This least privilege strategy mitigates the exploitation of trusted applications and ensures 24/7, 365 protection of your organization. The core of ThreatLocker is its Protect Suite, including application allow listing, ring fencing, and network control. Additional tools like the ThreatLocker Detect EDR, Storage Control, Elevation Control, and Configuration Manager enhance your cybersecurity posture

and streamline internal IT and security operations. To learn more about how ThreatLocker can help mitigate unknown threats in your digital environments and align your organization with respected compliance frameworks, visit ThreatLocker.com. That's ThreatLocker.com.

This episode is sponsored by Red Canary. Red Canary is a leader in Managed Detection and Response, MDR. They serve companies of every size and industry, focusing on finding and stopping threats before they can have a negative impact.

As the cornerstone security operations partner for nearly a thousand organizations, they provide MDR with industry-leading threat accuracy across identities, endpoints, and cloud, and a world-class customer experience. For more information about Red Canary, visit redcanary.com. That's redcanary.com.

The reason why I wanted to talk with Joe Tidy today is because he just published a book called Control Alt Chaos, and I just finished reading it. It's great. It starts out in 2020 with a cyber attack in Finland.

There was this incredibly sinister and cruel cyber attack in Finland and it shocked the world and it was, for my money, the worst and most nasty, cruelest, darkest cyber attack in history. The worst, most nasty, cruelest and darkest cyber attack in history? Oh, I'm in. I want to drive straight into that story.

But before we hit the gas, let's try to guess at what it could be. What comes to mind when you hear that? Like maybe a hospital system brought to its knees where lives are on the line? Or maybe a pipeline gets shut down, there's fuel shortages, chaos everywhere. Or maybe an entire government agency gets compromised and state secrets are exposed. Those are all serious and probably scary, but they don't sound like the nastiest to me. Let's think smaller, closer to home, more personal.

Is there something, some piece of data on you that if exposed would make you feel fear? Like a deeply disturbing fear. Maybe it's your photos getting out. You probably just publish your photos online anyway, so that's probably not it. Okay, well, what about your text messages? Are those private enough that would cause a lot of fear if they got out? Maybe. Your location data?

Or maybe your password getting leaked? All right, fine. Guessing game is over. Let's hear what it was.

So the Vastaamo cyber attack was in October 2020. And the first we heard of it was that there was someone on a forum in Finland on the dark net who was saying that they were calling himself Ransom Man. And they were saying, I have hacked the Vastaamo psychotherapy center. I have got all the personal details of all the clients of this ginormous group

chain of psychotherapy centers. So this is a really well-known company in Finland, a kind of social good company that was very, very popular. They were offering people psychiatrists, psychotherapists, that kind of thing. And they had dozens of centers popping up all over Finland. They had a very famous and recognizable logo of a green speech mark. I think Vastaamo translates as

the answer machine or the place to go for answers. So in a small country like Finland, everyone knew Vastaamo because if you didn't go to it, you knew someone that probably went to it. So when this ransom man popped up on the dark net, on a website which is now gone, but it was called Torilauta, and he said, I have hacked Vastaamo, I've got all of this information. Not only have I got the information from the patients about name, address, email, phone number, social security number, I've also...

crucially and cruelly got all their therapy notes as well. So that's 33,000 people who are potentially going to have their deepest, darkest secrets exposed online. There it is, the notes your therapist took when you spilled your most personal and private thoughts to them. That, in my opinion,

is in fact the cruelest piece of personal data that someone could hold for ransom, especially because you didn't do anything wrong. You were just talking to your therapist. But this ransom man guy was talking with Vastaamo, telling them, hey, I hacked your company, I stole your patient records, and all I want is Bitcoin or else I'm going to release it to the world.

Vastaamo contacted the police, who took over communication directly with this hacker, and they were trying to get as much information as they could from this guy. But that went on for six weeks.

And Ransom Man felt like it wasn't going anywhere and needed to up the pressure to show that he's serious. And Ransom Man said, I have been trying to get 400,000 euros, which I forget how many bitcoins it was at the time, but that's how much it equated to. I've been trying to get that off the CEO of Vastaamo and the company's refusing to pay. So now I'm going to release 100 records every day until they pay me.

Of course, the Finnish police were already very aware of this situation because they were working with Vastaamo to try to catch this guy. So they noticed this post right away and start archiving anything, looking for clues. And yes, the first day he did release 100 records, everyone's worst fears were a reality. It's the kind of stuff that is a nightmare for people who are vulnerable. They're struggling already with their mental health.

And then to have this kind of information out there, it's anything you can imagine. So we know now that Ransom Man took a lot of time choosing which 100 to release. He wanted the most salacious ones he could find. He wanted the most harmful ones he could find. So he did searches for things like rape fantasies, child abuse, police as well. At one stage, he was searching for that kind of keywords in the database. And he posted these first 100.

Now, typically, when you see someone post a snippet of breach data to a darknet forum saying you hacked into something, people think it's funny and maybe even cheer for you. But he didn't see any of those kind of reactions. He chose sites that you'd think that would be, you know, acceptable to this kind of

crime and this kind of maverick approach to morals, I suppose you could put it that way. As well as posting on Torilauta, he posted it to a clear web forum called Ylilauta, which was known as like Torilauta, known for being a place a bit like 4chan, you know, that horrible website 4chan where anything goes and edgelords rule and the more offensive you can be, the better.

And those two places that he posted, what I was really surprised at looking back through the logs and research for the book was just how much hatred there

he got straight away. There was no respect for him. There was no, wow, well done. You've done a crazy thing. Awesome. Everyone was very, very angry. There wasn't much love at all for Ransom Man. And what I found really interesting is if you look through the back and forth that he has over the hours that he's on both those websites, people are saying you're a script kiddie.

go and kill yourself, there's a special place in hell for you. All these things being thrown at him. And quite quickly, his post got marked as being a sign of criminality on the Ylilauta website. So they took it down. But on the Darknet one, it stayed there. And he carried on, he carried through with his threats every day. He posted 100 more records.

I mean, I think this might even be an instance where I'd call him a script kiddie myself. Normally, I would never call anybody that except maybe myself because the term is usually derogatory. Script kiddie is just a beginner hacker who doesn't know what he's doing. But I like beginners. We all have to start somewhere. Beginners aren't a problem. But the reason why I might call this guy a script kiddie is more because of the you don't know what you're doing part.

Holding this kind of sensitive data hostage, dude, that's messed up. You can't mess around with that kind of data like that.

This whole thing just strikes me as being so reckless and careless for other people's most inner private details getting out. He's got an unbelievable amount of highly personal data and he's weaponizing it in order to profit from it? It's like he doesn't care how much people he hurts from this, just so he can try to extort this company. It does seem like he's really grasping for something here. What, fame? Money? Respect?

but he's just not getting it from anyone. Ransom Man even joked about that. He said that getting into this database that was holding all this really private data was really easy. He said there was no password, it was root root. And he put that on the forum and people kind of laughed along with it in a sense.

But then there was also the idea that he was out of his depth. People were accusing him, Ransom Man, of being an amateur, of not knowing the difference between profit gross, profit net, accusing him of asking the company for too much money. And what's funny about the exchanges on the forum is that he's constantly having to defend his actions.

as a hacker. He's saying like, no, no, no, I've done loads of hacks and this is just one of them and I know what I'm doing and trust me, I'm a serious cyber criminal. But people weren't really buying it. But what was also quite troubling and scary is that there were a couple of people, whilst most people on the forum were

having a laugh with it and trying to make him feel bad for what he's done. Some of them were posting saying, "Hang on a minute. This is my data. Please, please don't post it." So that was the first day. Already it stirred up some people pretty bad. But Ransom Man promised another 100 more every day. And then, like clockwork, the next day, another 100. And then like clockwork, the next day, another 100.

And obviously, as you can imagine, it was getting picked up now by news organizations around the world. People in Finland were getting extremely worried and concerned about it. And there was nowhere to turn to because Vastaamo was in absolute chaos.

Vastaamo stayed quiet through all this, partially because they were working with the police to try to catch him, partially because they were speaking directly with Ransom Man over email. Their customers were freaking out and they were trying to focus on this catastrophe at hand. So 300 different patient records now on the internet for anyone to download. And all you had to do was click on one of the links and then you've got access to the

all of the data. And in some cases, some of these people would be regular clients and patients of Vastaamo. So they would have maybe a year's worth of therapy notes. And these are kind of like typed out by the therapist. And it will be things like, "Today we talked about this." "They wanted to say this." "I think it could be to do with this." So you can imagine what types of information and details there are put in there by the therapist.

And if you look at the whole thousands of people that were affected by this, some of them were regular Vastaamo patients, so they would have had a huge amount of detail. Some of them were infrequent and some of them were, you know, only one or two visits. But the first 300 people that had their notes exposed, they were chosen specifically because they were the most deep and upsetting. And I think, you know, we know now that he knew exactly what he was doing when he chose those.

Gosh, how awful to be one of those people who trusted this company with their innermost secrets, only to have it all posted publicly for anyone to see. That would absolutely rattle me to my core. I would simply be frozen for a solid week, unable to move, not knowing how my friends or family or co-workers will react if they read it.

And I guess this is another lesson in protecting your own data. Just because something is supposed to be safe and secure doesn't mean it is. Companies might say they treat your data with the utmost privacy, but actually they don't do as good of a job as they should. And it's just one of those reminders that you are the only one who will treat your data with the privacy it deserves.

So make sure you're doing it. But what he did next was he made probably the biggest mistake in the history of cybercrime because he thought, I'm going to be helpful here. So he told the forum users, here's a large folder. You can download the whole thing. Instead of having to go to one, two, three, download links, here it all is. But what he accidentally did was posted his entire home directory and

and the entire list and all the data from the 33,000 patients. So in that one upload, he gave away all his bargaining chips. He posted it late at night and went to sleep before realizing his mistake.

Of course, by this point, a lot of cybersecurity researchers were keeping a close eye on him, including the police. And when they saw this post, they all immediately tried grabbing this TAR folder with all the data. But since he posted it on the darknet, on Tor, it was an extremely slow connection. So nobody could really grab it.

There just wasn't enough bandwidth and everyone was getting extremely slow download speeds. There was a couple of people on the forum in the morning who were talking about, oh, I got five megabytes here, one megabyte here, but this file was 10 gigs big. So, you know, and the kind of the slow internet speeds that you get on the darknet meant that people weren't able to download the full thing. Plus, there was a little bit of luck that Ransom Man had as well. He ran out of

storage space or something and it kind of it locked out and went down overnight so it didn't allow many people to have full access to it but there were some who did and there were some that managed to get a decent chunk of that file so nobody got the full file

But even just getting the first five megabytes had a lot of very interesting data in it. People were extracting what they could out of it and looking through it, and it had loads of patient details. But there was some other stuff in there, details about Ransom Man himself. Well, there's this moment where he wakes up and he realizes his mistake.

And he posts on Torilauta, whoopsie, enjoy big tar. And he puts a smiley face on.

emoticon. What's interesting about that of course is that he's playing down what is a serious situation for him. He hasn't just given away his entire bargaining chip, he's given away really, really important information that he wanted to keep secret about himself. So very quickly it becomes clear to the police that if he knows what's happened they need to be quick.

And they very quickly in the early hours of that morning, they started tearing through this two gigabyte file that they managed to download from the big tar. And they found an IP address, a crucial IP address. It was a massive stroke of luck from the police. Not only that, bizarrely, the IP address was for a cloud hosting provider.

in Helsinki, where the investigation was taking place. So there was this, I spoke to the head detective, Marko Leppänen, and he said there was this mad race to try and get to the cloud service provider, get that computer off the internet as quickly as possible to stop Ransom Man having any control over it. And he says there was a race against time between Ransom Man himself, he could see the files online,

being deleted somehow. And he said that he had to get two police officers in a car, sirens going right the way across town to try and get to this place. They had another officer on the phone trying to get through to them in the early hours. They eventually got through on the phone. They had a guy from the company running through the warehouse, finding the server.

unplugging it so that Ransom Man had his connection severed. Ransom Man trying to delete the evidence from his massive server, which had way more than the big tar, of course, that had everything on there. And he was only able to delete a certain amount because they got there just in time and pulled the plug.

Wow, the police were really on the ball here. I mean, holy cow. See, when you're on Tor, the darknet, IP addresses are hidden. These files could be hosted anywhere in the world and the police would have absolutely no idea where to look to find Ransom Man or where the files are hosted.

But this file he posted pointed exactly to where those files were hosted. It was a big mistake, and it gave the police their first huge piece of evidence. With this server seized, they took it back to the police station to analyze it. Yeah, they took the server back to their lab in the cyber bureau, the HQ in Helsinki, and they started going into it. And it gave them a wealth of information, not just about that particular hack that took place, but also about the kind of the network and the infrastructure that was being used.

what other cloud service storage providers that the ransom man was using, receipts from certain things, other little nuggets and little breadcrumbs that took them to online accounts, which they could, you know, subpoena Google for or whoever it was to get information about individuals. It was a treasure trove. It was an absolute, you know, a boon for the police. Sounds like ransom man has screwed up way too many times and the cops are closing in on him. What would you do if you were in a situation?

Stay with us. We're going to take a quick break. But I guarantee you, he does something that you would never think to do. Hey, it's Jack. Do you like what you hear? I mean, really like it?

If this is your first episode you're listening to, skip ahead a minute. But if you've been binge listening and cannot wait to hear what happens next, then I want to talk to you. I give you this show for free because I want it to spread as far and wide as possible. I like educating and entertaining people. But if you are finding this podcast valuable to you,

I could really use your direct donation. And I'm just asking for you to buy me a cup of coffee once a month. And hey, as a thank you for supporting the show directly, I will give you an ad-free version of the show and a bunch of bonus episodes that are exclusive to supporters.

I hope you visit plus.darknetdiaries.com or just Google Darknet Diaries Plus. Also, I want you to know that I have your next favorite shirt ready for you. Go to shop.darknetdiaries.com and you'll see it there. And no, it's not just a shirt with the show logo on it. It's way cooler than that. And when you get it, show me a picture of you wearing it.

So Ransom Man was toast. All the data he was holding for ransom is now out there. So he's got nothing left to threaten Vastaamo with. And if it was me, I'd be like, oh, crap. And I'd delete everything on my machine and close it and set it on fire and try to disappear as fast as I could. I don't know what goes through his mind, but he sort of thinks, okay, how can I make some money? I've come this far. I need to make some money out of this. So the next step is...

really, really nasty. He finds the email addresses, obviously in the stolen data, of as many people of those 33,000 patients as he can find. I think it was something like 27,500 email addresses. And then he emails them, every single person, all in one batch, with their name in the email, personalized to them with their social security numbers. And he says, I've been trying to get Vastaamo to pay me so I don't release your data. And

They are not paying me, so you're gonna have to pay me now. Oh, wow. He contacts every person he can to try to extort the users individually? That is cruel. Like, already they're reeling from their deepest secrets being out there, and now he's hitting them when they're down, saying, give me money and I'll delete your data. Which is 200 euros worth of Bitcoin. And if they don't pay within 24 hours, it goes up to 500.

euros in Bitcoin. Otherwise, their data will be published online. And of course, he CC'd the CEO of Vastaamo and their executives. Vastaamo goes into full panic mode at that point. Tons of people started calling in who are just now hearing about this, really worried. Not only were they calling Vastaamo, but floods of people were calling the police too. And honestly, I can't recall a data breach where the hacker tried to extort all the victims whose data was in the breach.

Yes, I know that people comb through data breaches looking for targets to hit. And so the people in the data breach are often victims themselves. But to extort them all like this, that is, that's just something new to me. Yeah, certainly at this scale, never before seen. And if you speak to some of the security experts who are looking out at the time, you know, this is a real nadir in cybercrime. This is the lowest of the low. This is a cybercriminal who did something despicable in the first place.

failed in trying to extort the company and now is going directly into the inboxes of these vulnerable people. And the impact that this had is just awful. I've spoken to probably, I think, about 15 of the victims and you hear some of the stories of the impact it had on them. One of the women that I spoke to said it was, it felt like digital rape, she said, which really has always struck me as just

such a horrible proposition and such a horrible description, but it does bring to life for me what it feels like. You know, having your data stolen, you know, your private data can feel like a burglary is what some of the victims said, but having this particular type of information stolen, it's just such an invasion. Joe spoke to the lawyer of some of these victims

who told him that some people couldn't handle this news and they chose to end their own life rather than to face the shame of their data getting out there. It was truly an awful, dark, cruel time for these victims.

Yeah, so at this point, the story went completely stratospheric, as you can imagine, because people started going online saying, I've got this email, I'm being ransomed directly. And if the country hadn't been doing much to help people up to this point, suddenly it kind of burst into gear. You had statements from the president and the prime minister. There were meetings held at the highest level of government.

Trying to work out what you can do for these people because of course the data's already out there. Although Ransom Man was asking for payment, not many people paid. I think about, we know for a fact about 20 people sent Ransom Man money, but a lot of people were advised and they got the advice, don't pay, it's too late, the data's out there.

If you pay, you're wasting your money. And that was the advice that was given. But the police were getting calls from, we're talking, yeah, 33,000 people, potentially thousands of people, all on that same night, hit with this same email, the same threats. So that's an instant spike in criminal complaints, criminal records and reports needed to be filed. They couldn't cope. There was phone lines set up by Vastaamo to try and help people out.

but they were overwhelmed, the police were overwhelmed, they said please don't call 999 or whatever the equivalent is in Finland with an emergency, you need to go to this specific number. This was all happening during Covid as well, this was October 2020, so the country was already in a state of panic. There's this picture that I dug up for the book from Twitter,

which showed the Prime Minister and her cabinet sat around a circular table, all socially distanced, all with surgical masks on, looking at this big screen with the Vastaamo details on it. And that just really hit home to me, you know, this is such a time of already, you know, peril for society. And then suddenly you've got this ginormous hack, which in a small country like Finland, five and a half million people

As Mikko Hyppönen said, everyone knows someone who was affected by this. 20 people paid the ransom. That's what, like $6,000 worth of ransom payments that he made from all this? And in total, that's about all he made from this whole thing. Not a very big payday for him compared to how much damage he caused these victims.

At this point, the police had been working on this case for almost six weeks and have started to collect some pretty interesting evidence. Well, the main detective, Marko Leppänen, obviously he's very, very happy that they managed to secure this server that Ransom Man was using and running. And he thinks, great, I've managed to get something here that's going to really help us. But then, of course, it all comes crashing down for him when his phone just doesn't stop ringing.

because of victims who've managed to get hold of his number who are calling for help. And there's a sort of scene in the book where Marko feels relieved, but then the phone is going and people are calling saying, what am I going to tell my husband about my affair? How am I going to go into the office on Monday with my colleagues, find out what I've said about them?

And he... It really, really hits him hard and he breaks down and he's crying and he decides to change his phone number and concentrate on the criminal investigation, which is what he does. And he spends the next best part of over a year trying to figure out who Ransom Man is. Over a year? Wow. Yeah. And slowly...

It dawns on him that this kid or this cybercriminal who was famous when he was a kid, infamous rather, is probably the prime suspect. And the name Julius Kivimäki just keeps coming up. Julius Kivimäki? Of course his name would come up as a person of interest. It was in the back of a lot of people's minds from the beginning that it might be him. And you know what? You already know who that is.

Julius Kivimäki is the guy who took down the Xbox and PlayStation Network on Christmas 2014. The guy that Joe interviewed live on Sky News. You heard his voice at the beginning of this episode. The notorious hacker from Lizard Squad. He's from Finland. He's been involved with some pretty high-profile hacks in the past, and he just doesn't seem to care how much trouble he gets in or chaos he causes. Could Ransom Man be him?

Speculators were thinking it, but the investigator, Marko, was finding actual evidence that was pointing to him. But he can't find him. He can't find where Julius Kivimäki is to bring him in for an interview. He could be anywhere in the world. Nobody knows where he is. So Marko does the quite extreme move of putting out an Interpol red notice saying,

to try and find out where he is. And I think it was in November 2022 that he put out the red notice, which means that if there is a police force in Europe that comes across anyone that bears the liking of Julius Kivimäki or has any likeness to him in terms of the kind of aliases that he's using, that kind of thing, need to arrest him on sight.

in order to send him back to Finland. And Marko puts out this red notice and obviously carries on with other cases and things, and just hopes that somebody somewhere recognizes Kivimäki and brings him in. Julius was smart about evading capture. He was in hiding, using fake IDs and in some other country. There was just no trace of him anywhere.

But this is when Joe realized he's talked to this hacker before. As soon as the name came out, as soon as he was wanted with the Interpol Red Notice, the cybersecurity world were like, hang on a minute, this is the same kid, or not kid anymore, but this is the same person that was this notorious cybercriminal when he was a teenager. And I was like, wow, I couldn't believe it because I was trying to keep tabs on this kid unnoticed.

I had a feeling that he would be back after the Lizard Squad attacks. And then he comes up and does this. And you just think, wow, this goes to show that

If you don't catch and deal with some of these cyber criminals, they will just keep coming back for more. It's sort of like an addiction. If you look at the history of people like Kivimäki, and in the book we go into great detail about what he did as a teenager, what kind of gangs he was in, the people around him, the culture around him. There is a kind of element of just addiction and power and greed when it comes to these individuals. And once you get a taste for that hacking life...

I think it's hard to let go. Meanwhile, Vastaamo is still reeling from this attack. So if you ask the CEO of Vastaamo and the founder of Vastaamo, Ville Tapio, he would say that the company could have survived if he'd have been allowed to keep operating it and kind of steer the ship through this crisis. But

He was dropped very, very quickly as soon as the investigators began poking around. When Vastaamo got the ransom note from Ransom Man, they called the police and the police took over the situation. They took over the CEO's email and they were responding to Ransom Man, posing as the CEO. They were advising Vastaamo how to react to everything. And the police weren't trying to save the reputation of the company. They were trying to solve the case of who did it. So they had a totally different priority than maybe the Vastaamo leadership.

So the CEO of Vastaamo didn't have control of the ship in the middle of this crisis. The police did. Not only had Ransom Man managed to get hold of this data in 2018, someone else, somewhere, we don't know who, we don't know what happened, they got hold of it in 2019 or they had access to it. And there's still a lot of confusion here about whether or not there was a cover-up.

Tapio denies that vociferously. The IT team that he hired have gone dark. They haven't spoken to anybody. So we don't know exactly the nature of that, but the Vastaamo hack, Ransom Man, plus this incident in 2019...

It just meant the company was in absolute chaos and crisis and legal problems as well. You can imagine data protection authorities breathing down their necks. They had fines to pay. And then you've just got the fact that there was tens of thousands of people who just could no longer trust the company. And the way they handled it was atrocious. People were turning up.

at the therapy centers demanding their notes to be handed over and some of the staff were in tears. It was just utter, utter devastation and the company collapsed into administration. The company collapsed. Wow. It's pretty rare for a company to be damaged so badly from a cyber attack that it can't recover and has to shut down like this. It's wild to think that your whole business could come to a catastrophic end all because of a hacker.

But all this does make you wonder, whose fault is it for not securing the customer's data better? And shouldn't they be held responsible? Well, Ville Tapio, the CEO, he has been prosecuted for failing to...

protect the data. But he's appealing that and we don't know what's going to happen with that. The CEO blames his IT team for failing to protect the data. And he blames the police for how badly the fallout was handled. He says when he called the NBI, the National Bureau of Investigation, they locked him out of all decision making and he didn't even know what was being said in emails using his name.

And pretty early in the investigation, the NBI filed a criminal complaint against the CEO, accusing him of a data protection violation, which led the board to remove him as CEO in the middle of this crisis while people were trying to call 24-7 looking for help.

So the company was leaderless during all this. And not only was he dismissed as the CEO, but the parent company of Vastaamo also sued him, accusing him of failing to protect user data. Ville Tapio, the CEO, was convicted in the District Court of Helsinki for data protection violations under the EU's General Data Protection Regulations.

He was sentenced to a three-month suspended prison sentence in April 2023 after being found guilty of not anonymizing or encrypting the personal data processed at Vastaamo. But he doesn't agree with that, and he's actively trying to fight that to clear his name, so it's still yet to be seen where he lands.

Around that time, someone phones up the Paris police and reports that there's a domestic abuse situation happening. They said there's scary noises. Sounds like a scared woman, an angry man. Something's going on. Check it out. They get called out to a domestic abuse situation in Paris in early 2023. And...

The police arrive in the early hours, I think it's something like half past six, seven o'clock in the morning, to a very quiet part of Paris in the north, I think it's the northwest. And they approach the door expecting potentially for there to be a serious situation of, you know, potentially a man abusing a girl, a woman, a woman.

And they knock on the door and eventually a very bleary, tired-looking girl answers the door. And she's fine. And the police go in and they find a six-foot-three, blonde-haired, green-eyed man who's traveling under the name Assam Ahmet. And they think, hang on a minute, this person doesn't look like they should be from...

Romania. So they run some checks and it turns out this isn't a Romanian living in Paris with his girlfriend or wife at the time. This is the wanted cyber criminal, Julius Kivimäki. So the Vastaamo hack happened in 2018, but the ransom attempt and public posting of this data didn't happen until two years later in 2020. And now Julius is arrested in 2023. So they very quickly arrest him.

and drive him to the police station. And then, of course, the call goes into Marko and the team in Finland, and they are high-fiving around the office. They're screaming for joy because they didn't think that this Red Notice would be so successful. This was only a few months after they put the call out to other police for help, and they had no idea where he was. So suddenly, to have this call

this arrest take place in Paris meant that they got their guy. So he's sent to jail in Helsinki, Finland, and has to face a judge there. So it takes some time

a good few months to get together the evidence that they need to start the trial. And the trial takes place in Finland, just outside Helsinki. And it's the biggest criminal case in Finland's history because of the number of victims. And I went along to the first day when Kivimäki was in the dock doing his cross-examination. And it was an absolutely

ram-packed courthouse as you can imagine. So many people there wanted to know what he would say and how he would sort of get around it. What was interesting as well was there was lots of people watching who were victims in a cinema, in a secret location as well, watching the live feed. But during the trial, about halfway through the trial, somehow Kivimäki's legal team managed to convince the judges to let him out on bail because they thought that he wasn't a flight risk.

So he was released from prison and he was allowed to do what he wanted as long as he was under certain conditions, like he had to keep his phone on him and go to a police station every couple of days. But just as soon as he was released, the police were like, well, well, well, you cannot let this guy go because he is a flight risk. He's going to disappear again. Because don't forget, he was wanted and there was a manhunt for him previously. Plus, you've got this massive history as well where he just doesn't seem to give a damn about the police.

So lo and behold, they say, the judges change their mind and they say, right, come back to prison, please, Kivimäki. We don't know where you are, but come in because you've got to come back to prison. And he just refuses. He just says, he answers the phone saying, no, I'm staying where I am. I'll see you in court, but I'm still, I'm chilling. I'm not going to come into the police. I'm not going to come to prison again until the court case starts. So you had this absolutely absurd situation where

a wanted cybercriminologist who was found by accident in Paris, brought to Helsinki, largest criminal case in Finland's history, released on bail. Now they want him back and he's saying no, mid-trial. I just think it's incredible because, of course, all the cases that I've covered, the defendants are always trying to be, you know, as good as possible and try and convince the

the jury and the judges that they are upstanding members of society and Kivimäki just doesn't care. So,

the police had to start another manhunt to find out where he is. And Marko is so angry about this. And he's got all the police resources are out there trying to find him. And eventually they managed to track Kivimäki down because he posts a picture of himself or posts a picture of a hand holding a really expensive champagne bottle. And they recognize the room might be something from an Airbnb and they managed to locate the Airbnb he's in and rearrest him. Yeah.

9,600 counts of aggravated invasion of privacy. 21,000 attempted aggravated extortion attempts. So those are the emails that they know about. Yeah, and 20 counts of aggravated blackmail. I mean, this is crazy. 21,000...

extortion attempts. Like, of all the... I've heard people get arrested for like seven counts of this, 13 counts of that, but 21,000 counts? Holy mackerel. Yeah. Well, that's the kind of preposterous thing about the Finnish justice system because...

When you look at it, it's outrageous, isn't it? But actually, if you look at the numbers in detail, so the 9,231 aggravated dissemination of information infringing private life, those are the people that actually filed complaints. Really? 9,000 people? Yeah. Almost like a class action lawsuit with 9,000 complainers. Yeah. Wow. And then the 20,000 are...

the emails that they know of. So they were 27,000. I think there were some duplicates. And 20,000 were the ones that they kind of confirmed as being aggravated. And then you've got the 20 aggravated, which is the people that paid.

Yeah, in the U.S. we have civil cases, which is like, you know, a user of the site is claiming damage that the site caused them, you know, reputational damage or whatever. But this is a criminal case where people complained that this particular person, Kivimäki, has harmed their life in ways that I think that's also unusual. Yeah, and they're actually thinking of changing the Finnish justice system to cope with this kind of thing. They've never had...

a court case on this scale where so many individuals go after and accuse one individual of issues of criminality so there's discussions in the country about how they're going to cope with something if this happens again because they you know they had to they're still working through it to be honest they are still working through the backlog of potential compensation to be paid

The company Vastaamo is bankrupt, so they can't really pay very much. But Kivimäki has agreed to pay some people. But it's not going to be much. And of course, the scale of harm is very different depending on who you are as well. So there will be some people, I spoke to one guy who went there twice with his wife to help them with their divorce.

and he doesn't feel particularly aggrieved or he's not feeling too invaded by that. But then you've got people who have been going there for years and they poured their hearts out to the therapist and now they're absolutely terrified. If someone looks at them funny in the street, they're worried that that person's read their notes and they know the deepest, darkest secrets. There is a real difference in how it's affected people.

Yeah, so it's, I mean, in the court there, they mention how many other crimes this guy has committed and how it just goes back for almost a decade that this guy was a cyber thug. And that's where I think there's just so much more to your book, right? Yeah, and you mentioned the 30,000 crimes that the court committed.

accused him of or convicted him of. But if you go back not that long, Kivimäki has a history of cybercrime. He got convicted of 50,000 cybercrimes when he was a teenager because of various things he did. Because this guy was really brought up in a time when teenage cybercrime gangs were absolutely coming to the fore. They were prolific.

There's this period of time in the 2010s where you had this conveyor belt of cybercriminal teenage gangs that were one after the other, passing the baton, upping the ante. They were worse than each other each time. They tried to outdo each other in terms of the kind of things they could do, get away with the kind of criminality and cruelty they could be responsible for. I don't know if you remember any of these gangs, but I'll go through some of them. So LulzSec probably started this whole thing. I don't know if you remember them, 2011.

And then after that you had H.T.P., which Kivimäki was part of and convicted for. He was actually, he was collared when he went to DEFCON in, I think it was 2012, 2013, when he was a teenager. And the police, the FBI managed to get him in a room, in a hotel room and interrogate him for some of the stuff he was doing. And then he was arrested by the Finnish police.

and spent time in prison. And then eventually, the long, slow way that the justice system works, he was convicted. But of course, in that time, he didn't stop and he carried on. And then there were other gangs he was part of, like Lizard Squad and UG Nazi, ISIS gang. All these types of gangs just came and went in this period, causing damage as they did so. He was convicted of 50,000 cyber crimes in the past? Yes.

Look, what we've covered in this episode is only the first few chapters of Joe Tidy's book, Control Alt Chaos. You've got to hear what else this guy did. So I encourage you to go get his book and hear the rest of the story. We only covered one of his hacks here, but there are so many more this guy did. And I have a strong feeling that Julius Kivimäki will go down as one of the most notorious hackers in history.

And it's really amazing how close Joe was following this whole story, especially in this Vastaamo case. Like Joe was in the courtroom watching all this unfold. Yeah, I was there on the first day that he gave evidence. And it was packed full of journalists from all over Finland and also international journalists as well. Because, of course, by this time, this was known as the biggest case in Finland's history. And the Vastaamo court case and the Vastaamo case itself was just such a big event.

nasty story. And I went in and it was really interesting because Kivimäki sat there and he had a laptop in front of him and he was answering all his prepared questions from his lawyer. And he was just not even thinking about it, just kind of like stroking the mouse keypad on the laptop back and forth, back and forth and smiling while he was talking and cracking little jokes and

He seemed really relaxed. And of course, when you look at his history, when you look at the amount of cybercrime that he's carried out, the amount of run-ins with the police, convictions, that makes sense to me. This is the kind of world that he operates in. He doesn't seem to have much care for anything.

Yeah, it does seem like that. Just what can I do to set the world on fire kind of thing. Yeah, I think it is a bit of that. It's one of the really weird things about this whole case is like, I've followed this guy for 10 years since he was a teenager. And the people that speak to him and know him,

He's not a popular hacker. He falls out with people all the time. He did some nasty stuff even before the Vastaamo hack. I would argue that he's probably the most hated hacker in history because he didn't give a damn and doesn't give a damn. And people are confused by him, what his morals are, because he's got the money and

Some people said that he just likes to cause damage and likes to cause chaos and enjoys it. On April 30th, 2024, Julius Kivimäki was sentenced to six years and three months in prison. He's currently sitting in prison right now, serving his time.

Thank you so much to Joe Tidy for sharing this incredible story with us. You have to hear the rest of the story, though. So go get his book. It's called Control Alt Chaos, and it releases this month. I have to take a moment to just thank my premium subscribers. They are the real heroes to me for supporting this show. It really helps keep it going. I love you so much. Thank you.

And if you're not already a premium subscriber and you want kisses from me, visit plus.darknetdiaries.com. And if you sign up, you'll get an ad-free version of the show plus 11 bonus episodes. This episode was created by me, The Root Canal, Jack Rhysider. Our editor is The Drop Tables, Tristan Ledger. Mixing done by Proximity Sound. And the intro music is by the Mysterious Breakmaster Cylinder. Of course I use a password manager. It's called the Dark Web. Have you heard of it? It's got everyone's password on there. You can look up mine or anyone else's. It's real easy.

This is Darknet Diaries.