WEBVTT

00:00:00.357 --> 00:00:05.920
JACK: So, you first came on my radar when I was researching this story. I think it was video game

00:00:05.920 --> 00:00:11.040
cheats, and I was like, trying desperately to find video game

00:00:11.040 --> 00:00:15.760
— people who are selling video game cheats, and nobody wanted to talk with me on the record.

00:00:15.760 --> 00:00:16.640
I found a couple

00:00:16.640 --> 00:00:22.320
people that were just willing to chat only, but never like, audio. Then I found an interview you

00:00:22.320 --> 00:00:26.560
did with somebody who's just like, yeah, I sell video game cheats, and he's like, fourteen or

00:00:26.560 --> 00:00:32.400
something. I'm like, how did you find this guy? So, ever since then, I've had so much respect,

00:00:32.400 --> 00:00:38.480
and reading this book is once again a testament of just how deep you can get into this community

00:00:38.480 --> 00:00:46.040
and reach these people. So, really, hats off to your ability to infiltrate the hacking world.

00:00:46.040 --> 00:00:52.400
JOE: Thank you very much, yeah. It's become something of a speciality. But really,

00:00:52.400 --> 00:00:57.920
I'm always surprised they want to talk, but they do. I think there is a thing in hacking,

00:00:57.920 --> 00:01:01.840
in cybercrime, where — as well as the kind of anonymity that it

00:01:01.840 --> 00:01:05.360
brings — I think people like to brag and they like to show off.

00:01:05.360 --> 00:01:09.760
JACK: Yeah, yeah. So, I think that leads us right into the first question,

00:01:09.760 --> 00:01:13.400
which is who are you and what do you do, and how'd you get there?

00:01:13.400 --> 00:01:18.160
JOE: Well, my name's Joe Tidy, and I'm the BBC's cyber correspondent. [Music] So, that means I

00:01:18.160 --> 00:01:27.280
cover hacking, cybersecurity, data protection, online harms, AI, and a bit of crypto as well.

00:01:27.280 --> 00:01:32.400
I've been working with the BBC for about — I think it's seven years in this role, and before that, I

00:01:32.400 --> 00:01:37.520
was at Sky News, and I was a general correspondent at Sky News doing all sorts of bits and bobs. But

00:01:37.520 --> 00:01:47.920
then in 2014 there was this amazingly huge and incredible DDoS attack on Sony PlayStation Network

00:01:47.920 --> 00:01:53.680
and Xbox Live which took down those services over Christmas, Christmas Eve and Christmas Day. It was

00:01:53.680 --> 00:01:59.680
headline news, and my boss came in and said to me, right, these gang — these teenagers called

00:01:59.680 --> 00:02:04.792
Lizard Squad, you've gotta find one of them. 'We want a Lizard on air tonight' is the phrase.

00:02:04.792 --> 00:02:05.280
JACK: A Lizard on…

00:02:05.280 --> 00:02:07.720
JOE: Get me a Lizard on air tonight, yeah.

00:02:07.720 --> 00:02:10.704
JACK: Do they know what kind of ridiculous ask that is…

00:02:10.704 --> 00:02:10.714
JOE: Nope.

00:02:10.714 --> 00:02:14.400
JACK: …to get a Lizard on air tonight, like on camera, even?

00:02:14.400 --> 00:02:18.320
JOE: Yeah, exactly, yeah, not even just a text interview.

00:02:18.320 --> 00:02:22.080
They wanted them on camera within — I think it was ten hours when we

00:02:22.080 --> 00:02:26.920
were gonna be on air. I thought to myself, well, this is impossible.

00:02:26.920 --> 00:02:30.800
JACK: Joe miraculously pulled it off. He got someone from

00:02:30.800 --> 00:02:34.280
Lizard Squad to come on TV and answer questions.

00:02:34.280 --> 00:02:39.200
JOE: Speaking to us from Finland, this man who calls himself Ryan says he is

00:02:39.200 --> 00:02:42.800
one of the hackers. Why? Why did you do this? It affected so many

00:02:42.800 --> 00:02:46.640
people. It ruined Christmas for potentially millions of people.

00:02:46.640 --> 00:02:51.760
RYAN: Why we did it? Mostly for — to raise awareness, to amuse ourselves. Also,

00:02:51.760 --> 00:02:56.560
one of the big aspects here was raising awareness regarding the low state of computer security

00:02:56.560 --> 00:03:02.240
at these companies, because these companies make tens of millions every month from just

00:03:02.240 --> 00:03:07.440
their subscriber fees, and that doesn't even include purchases made by their customers.

00:03:07.440 --> 00:03:11.680
They should have more than enough funding to be able to protect against these attacks.

00:03:11.680 --> 00:03:15.520
JOE: Do you not feel guilty that you've taken so much enjoyment of

00:03:15.520 --> 00:03:20.800
gaming away from more than 100 million people over this Christmas period?

00:03:20.800 --> 00:03:25.360
RYAN: I'd be rather worried if those people didn't have anything better to do than play games on

00:03:25.360 --> 00:03:32.160
their consoles on Christmas Eve and Christmas Day. I can't really say I feel bad. I might

00:03:32.160 --> 00:03:37.480
have forced a couple of kids to play — spend their time with their families instead of playing games.

00:03:37.480 --> 00:03:43.600
JACK: I can't believe that clip; this kid calling himself Ryan appearing on Sky News

00:03:43.600 --> 00:03:50.080
not hiding his face or voice at all, admitting to taking down Xbox Live and PlayStation,

00:03:50.080 --> 00:03:55.360
and I just can't believe Joe got that interview. It takes a certain amount of finesse and diligence

00:03:55.360 --> 00:04:00.800
to get hackers to talk. I should know. But he's got just what it takes to make it happen.

00:04:00.800 --> 00:04:06.320
JOE: He just didn't give a damn. He didn't care. All the chaos that he was causing,

00:04:06.320 --> 00:04:11.600
all the headlines around the world, people going, what is going on with Xbox and Sony

00:04:11.600 --> 00:04:17.600
PlayStation? This is absolutely a monumental cybersecurity issue here,

00:04:17.600 --> 00:04:21.840
and this kid was laughing at the whole thing. It just made me think, wow,

00:04:21.840 --> 00:04:28.080
the power that they can wield from keyboard and mouse, and it just really struck me,

00:04:28.080 --> 00:04:39.817
and from then on out, I was just, yeah, hooked on hacking and cyber, and have been ever since.

00:04:39.817 --> 00:04:42.240
(INTRO): [INTRO MUSIC] These are true stories from the dark side of

00:04:42.240 --> 00:05:02.980
the internet. I'm Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]

00:05:02.980 --> 00:05:05.840
JACK:

00:05:05.840 --> 00:05:10.000
The reason why I wanted to talk with Joe Tidy today is because he just published

00:05:10.000 --> 00:05:13.680
a book called Ctrl+Alt+Chaos, and I just finished

00:05:13.680 --> 00:05:20.480
reading it. It's great. It starts out in 2020 with a cyber attack in Finland.

00:05:20.480 --> 00:05:27.840
JOE: [Music] There was this incredibly sinister and cruel cyber attack in Finland,

00:05:27.840 --> 00:05:34.720
and it shocked the world. It was up for my money the worst and most nasty,

00:05:34.720 --> 00:05:37.320
cruelest, darkest cyber attack in history.

00:05:37.320 --> 00:05:45.600
JACK: The worst, most nasty, cruelest, and darkest cyber attack in history? Oh,

00:05:45.600 --> 00:05:51.840
I'm in. I want to drive straight into that story. But before we hit the gas, let's try to guess at

00:05:51.840 --> 00:05:56.560
what it could be. What comes to mind when you hear that? Like, maybe a hospital system brought to

00:05:56.560 --> 00:06:02.640
its knees where lives are on the line? Or maybe a pipeline gets shut down, or fuel shortages, chaos

00:06:02.640 --> 00:06:07.920
everywhere? Or maybe an entire government agency gets compromised and state secrets are exposed?

00:06:07.920 --> 00:06:14.240
Well, those are all serious and probably scary, but they don't sound like the nastiest to me.

00:06:14.240 --> 00:06:20.960
Let's think smaller, closer to home, more personal. Is there something,

00:06:20.960 --> 00:06:30.960
some piece of data on you that if exposed would make you feel fear, like a deeply disturbing

00:06:30.960 --> 00:06:38.560
fear? Maybe it's your photos getting out. You probably just publish your photos online anyway,

00:06:38.560 --> 00:06:43.040
so that's probably not it. Okay, well, what about your text messages? Are those private

00:06:43.040 --> 00:06:50.160
enough that would cause a lot of fear if they got out? Maybe. Or your location data? Or maybe

00:06:50.160 --> 00:06:56.200
your password getting leaked? Alright, fine, the guessing game is over. Let's hear what it was.

00:06:56.200 --> 00:07:01.360
JOE: So, the Vastaamo cyber attack was in October 2020,

00:07:01.360 --> 00:07:09.840
and the first we heard of it was that there was someone on a forum in Finland on the darknet

00:07:09.840 --> 00:07:14.880
who was saying — they were calling themselves Ransom Man and they were saying, I have hacked

00:07:14.880 --> 00:07:21.440
the Vastaamo psychotherapy center. I have got the — all the personal details of all the clients of

00:07:21.440 --> 00:07:28.560
this ginormous chain of psychotherapy centers. So, this is a really well-known company in Finland,

00:07:28.560 --> 00:07:35.920
a kind of social-good company that was very, very popular. They were offering people psychiatrists,

00:07:35.920 --> 00:07:41.680
psychotherapists, that kind of thing, and they had dozens of centers popping up all

00:07:41.680 --> 00:07:48.560
over Finland. They had a very famous and recognizable logo of a green speech mark.

00:07:48.560 --> 00:07:54.320
I think Vastaamo translates as 'the answer machine' or 'the place to go for answers'. So,

00:07:54.320 --> 00:07:58.640
in a small country like Finland, everyone knew Vastaamo because if you didn't go to it,

00:07:58.640 --> 00:08:04.080
you knew someone that probably went to it. So, when this Ransom Man popped up on the

00:08:04.080 --> 00:08:08.480
darknet on a website which is now gone, but it was called Torilauta, and he said,

00:08:08.480 --> 00:08:13.440
I have hacked Vastaamo. I've got all of this information. Not only have I got the information

00:08:13.440 --> 00:08:19.227
from the patients about — like, name, address, e-mail, phone number, social security number,

00:08:19.227 --> 00:08:24.880
I've also crucially and cruelly got all their therapy notes as well. So, that's

00:08:24.880 --> 00:08:32.560
33,000 people who were potentially gonna have their deepest, darkest secrets exposed online.

00:08:32.560 --> 00:08:39.680
JACK: There it is; the notes your therapist took when you spilled your most personal and

00:08:39.680 --> 00:08:47.840
private thoughts to them. That, in my opinion, is in fact the cruelest piece of personal data

00:08:47.840 --> 00:08:53.600
that someone could hold for ransom, especially because you didn't do anything wrong. You were

00:08:53.600 --> 00:08:59.440
just talking to your therapist. But this Ransom Man guy was talking with Vastaamo,

00:08:59.440 --> 00:09:04.160
telling them, hey, I hacked your company, I stole your patient records, and all I

00:09:04.160 --> 00:09:09.440
want is Bitcoin or else I'm gonna release it to the world. Vastaamo contacted the police,

00:09:09.440 --> 00:09:13.600
who took over communication directly with this hacker, and they were trying to get as

00:09:13.600 --> 00:09:20.800
much information as they could from this guy. But that went on for six weeks, and Ransom Man

00:09:20.800 --> 00:09:26.480
felt like it wasn't going anywhere, and needed to up the pressure to show that he's serious.

00:09:26.480 --> 00:09:33.280
JOE: Ransom Man said, I have been trying to get 400,000 euros, which — I forget how many

00:09:33.280 --> 00:09:37.760
Bitcoins it was at the time, but that's how much it equated to. I've been trying to get that off

00:09:37.760 --> 00:09:41.840
the CEO of Vastaamo, and they're refuse — the company's refusing to pay. [Music] So,

00:09:41.840 --> 00:09:47.400
now I'm going to release one hundred records every day until they pay me.

00:09:47.400 --> 00:09:50.480
JACK: Of course, the Finnish police were already very aware

00:09:50.480 --> 00:09:56.080
of this situation because they were working with Vastaamo to try to catch this guy. So,

00:09:56.080 --> 00:10:01.680
they noticed this post right away and start archiving anything, looking for clues. Yes,

00:10:01.680 --> 00:10:08.960
the first day, he did release one hundred records. Everyone's worst fears were a reality.

00:10:08.960 --> 00:10:14.800
JOE: It's the kind of stuff that is a nightmare for people who are vulnerable,

00:10:14.800 --> 00:10:17.120
they're struggling already with their mental health,

00:10:17.120 --> 00:10:21.760
and then to have this kind of information out there, it's anything you can imagine. So,

00:10:21.760 --> 00:10:26.800
we know now that Ransom Man took a lot of time choosing which hundred to release. He

00:10:26.800 --> 00:10:31.920
wanted the most salacious ones he could find. He wanted the most harmful ones he could find. So,

00:10:31.920 --> 00:10:38.800
he did searches for things like rape fantasies, child abuse, police as well; at one stage he

00:10:38.800 --> 00:10:45.280
was searching for that kind of key words in the database. He posted these, these first hundred.

00:10:45.280 --> 00:10:48.640
JACK: Typically when you see someone post a snippet of breached data to

00:10:48.640 --> 00:10:52.640
a darknet forum saying you hacked into something, people think it's

00:10:52.640 --> 00:10:57.000
funny and maybe even cheer for you. But he didn't see any of those kind of reactions.

00:10:57.000 --> 00:11:06.560
JOE: He chose sites that you'd think that would be acceptable to this kind of crime and this kind of

00:11:06.560 --> 00:11:12.240
maverick approach to morals; I suppose you could put it that way. As well as posting on Torilauta,

00:11:12.240 --> 00:11:20.000
he posted it to a clearweb forum called Ylilauta, which was known as — like Torilauta,

00:11:20.000 --> 00:11:25.120
known for being a place a bit like 4chan. You know that horrible website 4chan where anything

00:11:25.120 --> 00:11:32.240
goes and edgelords rule and the more offensive you can be, the better? The two pace — those

00:11:32.240 --> 00:11:37.200
two places that he posted — what I was really surprised at looking back through the logs and

00:11:37.200 --> 00:11:44.160
research for the book was just how much hatred he got straight away. There was no respect for him.

00:11:44.160 --> 00:11:50.400
There was no 'wow, well done, you've done a crazy thing. Awesome'. Everyone was very, very angry.

00:11:50.400 --> 00:11:55.520
There wasn't much love at all for Ransom Man. What I found really interesting is if you look through

00:11:55.520 --> 00:12:03.600
the back and forth that he has over the hours that he's on both those websites, people are saying,

00:12:03.600 --> 00:12:11.520
you're a script kiddie, go and kill yourself, there's a special place in hell for you, all these

00:12:11.520 --> 00:12:19.200
things being thrown at him. Quite quickly it got — his post got marked as being a sign of criminality

00:12:19.200 --> 00:12:26.480
on the Ylilauta website, so they took it down. But on the darknet one, it stayed there, and he

00:12:26.480 --> 00:12:36.626
carried on — he carried through with his threats every day. He posted a hundred more records.

00:12:36.626 --> 00:12:39.760
JACK: [Music] I mean, I think this might even be an instance where I'd call him a

00:12:39.760 --> 00:12:45.120
script kiddie myself. Normally I would never call anybody that except maybe myself,

00:12:45.120 --> 00:12:50.320
because the term is usually derogatory. A script kiddie is just a beginner hacker who doesn't know

00:12:50.320 --> 00:12:54.640
what he's doing. But I like beginners. We all have to start somewhere. Beginners aren't a

00:12:54.640 --> 00:13:00.640
problem. But the reason why I might call this guy a script kiddie is more because of the 'you

00:13:00.640 --> 00:13:06.400
don't know what you're doing' part. Holding this kind of sensitive data hostage — dude,

00:13:06.400 --> 00:13:12.000
that's messed up. You can't mess around with that kind of data like that. This whole thing

00:13:12.000 --> 00:13:16.560
just strikes me as being so reckless and careless for other people's most inner,

00:13:16.560 --> 00:13:22.000
private details getting out. He's got an unbelievable amount of highly-personal data,

00:13:22.000 --> 00:13:27.520
and he's weaponizing it in order to profit from it. It's like he doesn't care how much people he

00:13:27.520 --> 00:13:32.480
hurts from this just so he can try to extort this company. It does seem like he's really

00:13:32.480 --> 00:13:39.280
grasping for something here; what, fame, money, respect? But he's just not getting it from anyone.

00:13:39.280 --> 00:13:44.160
JOE: Ransom Man even joked about that. He said that getting into this database that was holding

00:13:44.160 --> 00:13:49.600
all this really private data was really easy. He said there was no password. It was 'root root',

00:13:49.600 --> 00:13:54.720
and he put that on the forum, and people kind of laughed along with it,

00:13:54.720 --> 00:14:00.720
in a sense. But then there was also the idea that he was out of his depth. People were accusing him,

00:14:00.720 --> 00:14:06.320
Ransom Man, of being an amateur, of not knowing the difference between profit — gross profit,

00:14:06.320 --> 00:14:12.640
net, accusing him of asking the company for too much money. What's funny about the exchanges on

00:14:12.640 --> 00:14:17.200
the forum is that he's constantly having to defend his actions as a hacker. He's saying,

00:14:17.200 --> 00:14:21.680
no, no, no, I've done loads of hacks and this is just one of them, and I know what I'm doing,

00:14:21.680 --> 00:14:27.680
and trust me, I'm a serious cyber criminal. But people weren't really buying it. But what

00:14:27.680 --> 00:14:34.240
was also quite troubling and scary is that there were a couple of people — whilst most people on

00:14:34.240 --> 00:14:40.080
the forum were having a laugh with it and trying to make him feel bad for what he's done, some

00:14:40.080 --> 00:14:46.120
of them were posting saying, hang on a minute, this is my data. Please, please don't post it.

00:14:46.120 --> 00:14:51.120
JACK: So, that was the first day. Already it stirred up some people pretty bad,

00:14:51.120 --> 00:14:55.440
but Ransom Man promised another one hundred more every day.

00:14:55.440 --> 00:14:59.680
JOE: [Music] Then, like clockwork, the next day, another hundred, and then like clockwork,

00:14:59.680 --> 00:15:04.400
the next day, another hundred. Obviously, as you can imagine, it was getting picked up now

00:15:04.400 --> 00:15:10.000
by news organizations around the world. People in Finland were getting extremely worried and

00:15:10.000 --> 00:15:16.160
concerned about it, and there was nowhere to turn to 'cause Vastaamo was in absolute chaos.

00:15:16.160 --> 00:15:20.560
JACK: Vastaamo stayed quiet through all this,

00:15:20.560 --> 00:15:23.840
partially because they were working with the police to try to catch him,

00:15:23.840 --> 00:15:28.400
partially because they were speaking directly with Ransom Man over e-mail. Their customers

00:15:28.400 --> 00:15:31.760
were freaking out, and they were trying to focus on this catastrophe at hand.

00:15:31.760 --> 00:15:36.320
JOE: So, 300 different patient records now on the internet for anyone to download, and all

00:15:36.320 --> 00:15:42.400
you had to do was click on one of the links, and then you've got access to the — all of the data.

00:15:42.400 --> 00:15:48.720
In some cases, some of these people would be regular clients and patients of Vastaamo. So,

00:15:48.720 --> 00:15:55.600
they would maybe have a year's worth of therapy notes, and these are kind of like typed out by the

00:15:55.600 --> 00:16:01.280
therapist. It'll be things like, today we talked about this. They wanted to say this. I think it

00:16:01.280 --> 00:16:06.800
could be to do with this. So, you can imagine what types of information and details there are put in

00:16:06.800 --> 00:16:12.960
there by the therapist. If you look at the whole thousands of people that were affected by this,

00:16:12.960 --> 00:16:17.840
some of them were regular Vastaamo patients, so they would have had a huge amount of detail.

00:16:17.840 --> 00:16:23.200
Some of them were infrequent and some of them were only one or two visits. But the first 300 people

00:16:23.200 --> 00:16:28.960
that had their notes exposed, they were chosen specifically because they were the most deep

00:16:28.960 --> 00:16:34.040
and upsetting. I think we know now that he knew exactly what he was doing when he chose those.

00:16:34.040 --> 00:16:39.120
JACK: Gosh, how awful to be one of those people who trusted this company with their innermost

00:16:39.120 --> 00:16:45.280
secrets only to have it all posted publicly for anyone to see. That would absolutely rattle me

00:16:45.280 --> 00:16:52.960
to my core. I would simply be frozen for a solid week, unable to move, not knowing how

00:16:52.960 --> 00:17:00.240
my friends or family or coworkers will react if they read it. I guess this is another lesson in

00:17:00.240 --> 00:17:06.000
protecting your own data. Just because something is supposed to be safe and secure doesn't mean

00:17:06.000 --> 00:17:12.240
it is. Companies might say they treat your data with the utmost privacy, but actually,

00:17:12.240 --> 00:17:18.320
they don't do as good of a job as they should. It's just one of those reminders that you are the

00:17:18.320 --> 00:17:25.587
only one who will treat your data with the privacy it deserves. So, make sure you're doing it.

00:17:25.587 --> 00:17:30.320
JOE: [Music] But what he did next was he made probably the biggest mistake in the history

00:17:30.320 --> 00:17:36.480
of cyber crime, because he thought, I'm gonna be helpful here. So, he told the forum users,

00:17:36.480 --> 00:17:42.240
here's a large folder. You can download the whole thing. Instead of having to go to one,

00:17:42.240 --> 00:17:49.040
two, three download links, here it all is. But what he accidentally did was posted his

00:17:49.040 --> 00:17:56.080
entire home directory and the entire list and all the data from the 33,000 patients. So,

00:17:56.080 --> 00:18:01.080
in that one upload, he gave away all his bargaining chips.

00:18:01.080 --> 00:18:06.800
JACK: He posted it late at night and went to sleep before realizing his mistake. Of course,

00:18:06.800 --> 00:18:10.720
by this point, a lot of cybersecurity researchers were keeping a close eye on him,

00:18:10.720 --> 00:18:14.160
including the police. When they saw this post, they all immediately tried grabbing

00:18:14.160 --> 00:18:21.040
this .tar folder with all the data, but since he posted it on the darknet on Tor,

00:18:21.040 --> 00:18:27.040
it was an extremely slow connection, so nobody could really grab it. There just

00:18:27.040 --> 00:18:32.160
wasn't enough bandwidth, and everyone was getting extremely slow download speeds.

00:18:32.160 --> 00:18:36.480
JOE: There was a couple of people on the forum in the morning who were talking about — oh,

00:18:36.480 --> 00:18:42.160
I got five megabytes here, one megabyte here, but this file was ten gigs big,

00:18:42.160 --> 00:18:48.240
so — and the slow internet speeds that you get on the darknet meant that people weren't able

00:18:48.240 --> 00:18:52.800
to download the full thing. Plus, there was a little bit of luck that Ransom Man had as well;

00:18:52.800 --> 00:18:58.400
he ran out of storage space or something, and it kind of — it locked out and went down overnight,

00:18:58.400 --> 00:19:03.360
so it didn't allow many people to have full access to it. But there were some who did,

00:19:03.360 --> 00:19:06.200
and there were some that managed to get a decent chunk of that file.

00:19:06.200 --> 00:19:11.040
JACK: So, nobody got the full file, but even just getting the first five

00:19:11.040 --> 00:19:16.080
megabytes had a lot of very interesting data in it. People were extracting what

00:19:16.080 --> 00:19:21.520
they could out of it and looking through it, and it had loads of patient details,

00:19:21.520 --> 00:19:29.347
but there was some other stuff in there; details about Ransom Man himself.

00:19:29.347 --> 00:19:34.960
JOE: [Music] Well, there's this moment where he wakes up and he realizes his mistake,

00:19:34.960 --> 00:19:46.000
and he posts on Torilauta, 'whoopsie, enjoy big tar', and he puts a smiley face emoticon.

00:19:46.000 --> 00:19:50.400
What's interesting about that, of course, is that he's playing down what is a serious

00:19:50.400 --> 00:19:56.800
situation for him. He hasn't just given away his entire bargaining chip; he's given away really,

00:19:56.800 --> 00:20:03.120
really important information that he wanted to keep secret about himself. So, very quickly it

00:20:03.120 --> 00:20:08.480
becomes clear to the police that if he knows what's happened, they need to be quick. They

00:20:08.480 --> 00:20:12.320
very quickly — in the early hours of that morning, they started tearing through this two-gigabyte

00:20:12.320 --> 00:20:18.400
file they had managed to download from the big tar, and they found an IP address, a crucial IP

00:20:18.400 --> 00:20:25.280
address. It was a massive stroke of luck from the police. Not only that; bizarrely, the IP address

00:20:25.280 --> 00:20:32.960
was for a cloud-hosting provider in Helsinki, where the investigation was taking place.

00:20:32.960 --> 00:20:39.360
So, there was this — I spoke to the head detective, Marko Leponen, and he said there

00:20:39.360 --> 00:20:46.560
was this mad race to try and get to the cloud service provider, get that computer off the

00:20:46.560 --> 00:20:51.280
internet as quickly as possible to stop Ransom Man having any control over it. He says there was a

00:20:51.280 --> 00:20:56.320
race against time between Ransom Man himself. He could see the files being deleted somehow,

00:20:56.320 --> 00:21:02.080
and he said that he had to get two police officers in a car, sirens going, right away

00:21:02.080 --> 00:21:05.920
across town to try and get to this place. He had another officer on the phone trying to get through

00:21:05.920 --> 00:21:10.560
to them in the early hours. They eventually got through on the phone. They had a guy from the

00:21:10.560 --> 00:21:16.320
company running through the warehouse, finding the server, unplugging it so that Ransom Man

00:21:16.320 --> 00:21:22.480
had his connection severed — Ransom Man trying to delete the evidence from his massive server

00:21:22.480 --> 00:21:26.720
which had way more than the big tar, of course, that had everything on there, and he was only

00:21:26.720 --> 00:21:30.240
able to delete a certain amount because they got there just in time and pulled the plug.

00:21:30.240 --> 00:21:35.840
JACK: Wow, the police were really on the ball here. I mean, holy cow. See, when you're on Tor,

00:21:35.840 --> 00:21:40.560
the darknet, IP addresses are hidden. These files could be hosted anywhere in the world,

00:21:40.560 --> 00:21:44.720
and the police would have absolutely no idea where to look to find Ransom Man or

00:21:44.720 --> 00:21:50.080
where the files are hosted. But this file he posted pointed exactly to where those files

00:21:50.080 --> 00:21:55.040
were hosted. It was a big mistake, and it gave the police their first huge piece of evidence.

00:21:55.040 --> 00:21:58.640
With this server seized, they took it back to the police station to analyze it.

00:21:58.640 --> 00:22:03.200
JOE: Yeah, they took the server back to their lab in the cyber — the HQ in Helsinki,

00:22:03.200 --> 00:22:08.080
and they started going into it, and it gave them a wealth of information [music] not just about that

00:22:08.080 --> 00:22:13.040
particular hack that took place, but also about the kind of — the network and the infrastructure

00:22:13.040 --> 00:22:18.960
that was being used, what other cloud service storage providers that Ransom Man was using,

00:22:18.960 --> 00:22:23.440
receipts from certain things, other little nuggets and little bread crumbs that took

00:22:23.440 --> 00:22:29.760
them to online accounts which they could subpoena Google for or whoever it was to get information

00:22:29.760 --> 00:22:44.160
about individuals. It was a treasure trove. It was an absolute — a boon for the police.

00:22:44.160 --> 00:22:55.600
JACK: So, Ransom Man was toast. All the data he was holding for ransom is now out there,

00:22:55.600 --> 00:23:00.320
so he's got nothing left to threaten Vastaamo with. If it was me, I'd be like,

00:23:00.320 --> 00:23:05.280
oh crap, and I'd delete everything on my machine and just close it and set it

00:23:05.280 --> 00:23:07.880
on fire and try to disappear as fast as I could.

00:23:07.880 --> 00:23:11.040
JOE: I don't know what goes through his mind, but he sort of thinks, okay,

00:23:11.040 --> 00:23:16.480
how can I make some money? I've come this far. I need to make some money out of this. So, the

00:23:16.480 --> 00:23:23.040
next step is really, really nasty. He finds the e-mail addresses, obviously in the stolen data,

00:23:23.040 --> 00:23:28.400
of as many people of those 33,000 patients as he can find — I think it was something like

00:23:28.400 --> 00:23:36.080
27,500 e-mail addresses — and then he e-mails them, every single person, all in one batch,

00:23:36.080 --> 00:23:41.520
with their name in the e-mail, personalized to them with their social security numbers,

00:23:41.520 --> 00:23:46.240
and he says, I've been trying to get Vastaamo to pay me so I don't release

00:23:46.240 --> 00:23:50.680
your data. They are not paying me, so you're gonna have to pay me now.

00:23:50.680 --> 00:23:58.000
JACK: Oh, wow. He contacts every person he can to try to extort the users individually?

00:23:58.000 --> 00:24:02.880
That is cruel. Like, already they're reeling from their deepest secrets being out there,

00:24:02.880 --> 00:24:08.000
and now he's hitting them when they're down, saying, give me money and I'll delete your data.

00:24:08.000 --> 00:24:12.960
JOE: …which is 200 euros worth of Bitcoin, and if they don't pay within twenty-four hours,

00:24:12.960 --> 00:24:20.720
it goes up to 500 euros in Bitcoin. Otherwise their data will be published online.

00:24:20.720 --> 00:24:26.400
JACK: Of course, he CC'd the CEO of Vastaamo and their executives. Vastaamo goes into full

00:24:26.400 --> 00:24:31.360
panic mode at that point. Tons of people started calling in who were just now hearing about this,

00:24:31.360 --> 00:24:35.280
really worried. Not only were they calling Vastaamo, but floods of people were calling

00:24:35.280 --> 00:24:41.680
the police, too. Honestly, I can't recall a data breach where the hacker tried to extort all the

00:24:41.680 --> 00:24:46.480
victims whose data was in the breach. Yes, I know that people comb through data breaches

00:24:46.480 --> 00:24:50.720
looking for targets to hit, and so, the people in the data breach are often victims themselves,

00:24:50.720 --> 00:24:56.080
but to extort them all like this, that is — that's just something new to me.

00:24:56.080 --> 00:24:59.920
JOE: Yeah, it's certainly at this scale never-before seen,

00:24:59.920 --> 00:25:03.520
and if you speak to some of the security experts who were looking at it at the time,

00:25:03.520 --> 00:25:08.160
this is a real nadir in cyber crime. This is the lowest of the low. [Music] This is a cyber

00:25:08.160 --> 00:25:14.720
criminal who did something despicable in the first place, failed in trying to extort the company,

00:25:14.720 --> 00:25:22.240
and now is going directly into the inboxes of these vulnerable people. The impact that this

00:25:22.240 --> 00:25:30.080
had is just awful. I've spoken to probably — I think about fifteen of the victims, and you hear

00:25:30.080 --> 00:25:36.400
some of the stories of the impact it had on them. One of the women that I spoke to said it was — it

00:25:36.400 --> 00:25:42.880
felt like digital rape, she said, which really has always struck me as just such a horrible

00:25:42.880 --> 00:25:50.560
proposition and such a horrible description. But it does bring to life for me what it feels like.

00:25:50.560 --> 00:25:58.800
Having your data stolen, your private data, can feel like a burglary, is what some of the

00:25:58.800 --> 00:26:07.800
victims said, but having this particular type of information stolen is just such an invasion.

00:26:07.800 --> 00:26:15.120
JACK: Joe spoke to the lawyer of some of these victims, who told him that some people couldn't

00:26:15.120 --> 00:26:20.480
handle this news, and they chose to end their own life rather than to face the shame of their

00:26:20.480 --> 00:26:28.840
data getting out there. It was truly an awful, dark, cruel time for these victims.

00:26:28.840 --> 00:26:34.960
JOE: Yeah, so, at this point, the story went completely stratospheric, as you can imagine,

00:26:34.960 --> 00:26:40.800
because people started going online saying, I've been — I've got this e-mail; I'm being ransomed

00:26:40.800 --> 00:26:46.560
directly. If the country hadn't been doing much to help people up to this point, suddenly it

00:26:46.560 --> 00:26:51.040
kind of burst into gear. You had statements from the president and the prime minister,

00:26:51.040 --> 00:26:55.040
there were meetings held at the highest level of government trying to work out what you can

00:26:55.040 --> 00:27:01.600
do for these people, because of course, the data's already out there. Although Ransom Man

00:27:01.600 --> 00:27:07.200
was asking for payment, not many people paid. I think about — we know for a fact about twenty

00:27:07.200 --> 00:27:13.600
people sent Ransom Man money, but a lot of people were advised, and they got the advice, don't pay.

00:27:13.600 --> 00:27:18.640
It's too late. The data's out there. If you pay, you're wasting your money.

00:27:18.640 --> 00:27:25.120
That was the advice that was given. But the police were getting calls from — we're talking, yeah,

00:27:25.120 --> 00:27:31.520
33,000 people, potentially thousands of people all on that same night hit with this same e-mail,

00:27:31.520 --> 00:27:38.560
the same threats. So, that's an instant spike in criminal complaints. Criminal records and reports

00:27:38.560 --> 00:27:43.600
needed to be filed. They couldn't cope. There was phone lines set up by Vastaamo to try and

00:27:43.600 --> 00:27:48.640
help people, but they were overwhelmed. The police were overwhelmed. They said, please don't call 999

00:27:48.640 --> 00:27:54.560
or whatever the equivalent is in Finland with an emergency. You need to go to this specific number.

00:27:54.560 --> 00:27:58.640
This was all happening during Covid, as well. This was October 2020. So,

00:27:58.640 --> 00:28:04.960
the country was already in a state of panic. There's this picture that I'd dug up for the book

00:28:04.960 --> 00:28:11.440
from Twitter which showed the prime minister and her cabinet sat around a circular table,

00:28:11.440 --> 00:28:17.040
all socially distanced, all with surgical masks on, looking at this big screen with the Vastaamo

00:28:17.040 --> 00:28:26.160
details on it. That just really hit home to me. This is such a time of already peril for society,

00:28:26.160 --> 00:28:30.720
and then suddenly you've got this ginormous hack, which in a small country like Finland,

00:28:30.720 --> 00:28:39.120
5.5 million people — as Mika Hypponen said, everyone knows someone who was affected by this.

00:28:39.120 --> 00:28:43.920
JACK: Twenty people paid the ransom. That's, what, like $6,000 worth of ransom payments

00:28:43.920 --> 00:28:47.200
that he made from all this, and in total that's about all he made from this whole

00:28:47.200 --> 00:28:54.560
thing. Not a very big payday for him compared to how much damage he caused these victims.

00:28:54.560 --> 00:28:58.000
At this point, the police had been working on this case for almost six

00:28:58.000 --> 00:29:01.160
weeks and have started to collect some pretty interesting evidence.

00:29:01.160 --> 00:29:07.200
JOE: Well, the main detective, Marko Leponen, he — obviously he's very, very happy that they

00:29:07.200 --> 00:29:14.373
managed to secure this server that Ransom Man was using and running, and he thinks, great,

00:29:14.373 --> 00:29:18.160
I've managed to get something here that's gonna really help us. [Music] But then, of course,

00:29:18.160 --> 00:29:22.960
it all comes crashing down for him when his phone just doesn't stop ringing because of

00:29:22.960 --> 00:29:27.600
victims who've managed to get hold of his number who were calling for help. There's a sort of

00:29:27.600 --> 00:29:34.400
scene in the book where Marko feels relieved, but then the phone is going and people are calling,

00:29:34.400 --> 00:29:40.000
saying, what am I gonna tell my husband about my affair? What am I gonna — how am I gonna

00:29:40.000 --> 00:29:47.040
go into the office on Monday if my colleagues find out what I've said about them? It really,

00:29:47.040 --> 00:29:52.800
really hits him hard, and he breaks down and he's crying, and he decides to change his phone

00:29:52.800 --> 00:29:56.560
number and concentrate on the criminal investigation, which is what he does,

00:29:56.560 --> 00:30:02.480
and he spends the next — the best part of — over a year trying to figure out who Ransom Man is.

00:30:02.480 --> 00:30:04.280
JACK: Over a year; wow.

00:30:04.280 --> 00:30:10.560
JOE: Yeah, and slowly it dawns on him that this

00:30:10.560 --> 00:30:15.680
kid or this cyber criminal who was famous when he was a kid,

00:30:15.680 --> 00:30:23.040
infamous, rather, is probably the prime suspect. The name Julius Kivimaki just keeps coming up.

00:30:23.040 --> 00:30:29.120
JACK: Julius Kivimaki? Of course his name would come up as a person of interest. It was in the

00:30:29.120 --> 00:30:34.400
back of a lot of people's minds from the beginning that it might be him. You know what? You already

00:30:34.400 --> 00:30:40.320
know who that is. Julius Kivimaki is the guy who took down the Xbox and PlayStation network on

00:30:40.320 --> 00:30:46.400
Christmas 2014, the guy that Joe interviewed live on Sky News. You heard his voice at the

00:30:46.400 --> 00:30:51.920
beginning of this episode, the notorious hacker from Lizard Squad. He's from Finland. He's been

00:30:51.920 --> 00:30:55.920
involved with some pretty high-profile hacks in the past, and he just doesn't seem to care how

00:30:55.920 --> 00:31:03.360
much trouble he gets in or chaos he causes. Could Ransom Man be him? Speculators were thinking it,

00:31:03.360 --> 00:31:08.227
but the investigator, Marko, was finding actual evidence that was pointing to him.

00:31:08.227 --> 00:31:12.960
JOE: [Music] But he can't find him. He can't find where Julius Kivimaki is to bring him in for an

00:31:12.960 --> 00:31:17.920
interview. He could be anywhere in the world. Nobody knows where he is. So, Marko does the

00:31:17.920 --> 00:31:23.360
quite extreme move of putting out an Interpol Red Notice to try and find out where he is,

00:31:23.360 --> 00:31:30.960
and I think it was November 2022 that he put out the Red Notice, which means that if there is a

00:31:30.960 --> 00:31:38.320
police force in Europe that comes across anyone that bears the liking of Julius Kivimaki or has

00:31:38.320 --> 00:31:42.960
any likeness to him in terms of the kind of aliases that he's using, that kind of thing,

00:31:42.960 --> 00:31:48.320
need to arrest him on sight in order to get — to send him back to Finland. Marko

00:31:48.320 --> 00:31:53.120
puts out this Red Notice and obviously carries on with other cases and things,

00:31:53.120 --> 00:31:59.200
and just hopes that somebody somewhere recognizes Kivimaki and brings him in.

00:31:59.200 --> 00:32:04.560
JACK: Julius was smart about evading capture. He was in hiding, using fake IDs,

00:32:04.560 --> 00:32:08.800
and in some other country. There was just no trace of him anywhere. But

00:32:08.800 --> 00:32:12.280
this is when Joe realized he's talked to this hacker before.

00:32:12.280 --> 00:32:17.280
JOE: As soon as the name came out, as soon as he was wanted with the Interpol Red Notice, the

00:32:17.280 --> 00:32:22.960
cybersecurity world were like, hang on a minute, this is the same kid — or not kid anymore, but

00:32:22.960 --> 00:32:28.960
this is the same person that was this notorious cyber criminal when he was a teenager. I was like,

00:32:28.960 --> 00:32:36.320
wow. I couldn't believe it because I would — I was trying to keep tabs on this kid. I had a

00:32:36.320 --> 00:32:42.000
feeling that he would be back after the Lizard Squad attacks, and then he comes up and does

00:32:42.000 --> 00:32:48.560
this. You just think, wow, this goes to show that if you don't catch and deal with some of these

00:32:48.560 --> 00:32:54.160
cyber criminals, they will just keep coming back for more. It's sort of like an addiction. If you

00:32:54.160 --> 00:33:00.640
look at the history of people like Kivimaki — and in the book we go into great detail about what he

00:33:00.640 --> 00:33:05.200
did as a teenager, what kind of gangs he was in, the people around him, the culture around him,

00:33:05.200 --> 00:33:11.360
there is a kind of element of just addiction and power and greed when it comes to these

00:33:11.360 --> 00:33:16.440
individuals. Once you get a taste for that hacking life, I think it's hard to let go.

00:33:16.440 --> 00:33:19.920
JACK: Meanwhile, Vastaamo is still reeling from this attack.

00:33:19.920 --> 00:33:24.640
JOE: So, if you ask the CEO of Vastaamo and the founder of Vastaamo, Ville Tapio,

00:33:24.640 --> 00:33:27.840
he would say that the company could have survived if he'd had

00:33:27.840 --> 00:33:31.760
been allowed to keep operating it and kind of steered the ship through this crisis,

00:33:31.760 --> 00:33:36.920
but he was dropped very, very quickly as soon as the investigators began poking around.

00:33:36.920 --> 00:33:41.920
JACK: When Vastaamo got the ransom note from Ransom Man, they called the police, and the police

00:33:41.920 --> 00:33:46.880
took over the situation. They took over the CEO's e-mail and they were responding to Ransom Man,

00:33:46.880 --> 00:33:52.320
posing as the CEO. They were advising Vastaamo how to react to everything, and the police weren't

00:33:52.320 --> 00:33:57.120
trying to save the reputation of the company. They were trying to solve the case of who did it,

00:33:57.120 --> 00:34:01.040
so they had a totally different priority than maybe the Vastaamo leadership. So,

00:34:01.040 --> 00:34:07.160
the CEO of Vastaamo didn't have control of the ship in the middle of this crisis. The police did.

00:34:07.160 --> 00:34:12.720
JOE: Not only had Ransom Man managed to get hold of this data in 2018; someone else somewhere — we

00:34:12.720 --> 00:34:17.680
don't know who, we don't know what happened; they got hold of it in 2019 or they had access to it,

00:34:17.680 --> 00:34:24.320
and there was still a lot of confusion here about whether or not there was a cover-up. [Music] Tapio

00:34:24.320 --> 00:34:29.440
denies that vociferously. The IT team that he hired have gone dark. They don't — they haven't

00:34:29.440 --> 00:34:35.760
spoken to anybody. So, we don't know exactly the nature of that, but the Vastaamo hack, Ransom Man,

00:34:35.760 --> 00:34:43.760
plus this incident in 2019, it just meant the company was in absolute chaos and crisis,

00:34:43.760 --> 00:34:47.280
and legal problems as well. You can imagine data protection authorities

00:34:47.280 --> 00:34:51.600
breathing down their necks. They had fines to pay. Then you've just got the fact that

00:34:51.600 --> 00:34:56.640
there was tens of thousands of people who just could no longer trust the company,

00:34:56.640 --> 00:35:03.040
and the way they handled it was atrocious. People were turning up at the therapy centers

00:35:03.040 --> 00:35:07.920
demanding their notes to be handed over, and some of the staff were in tears. It was just

00:35:07.920 --> 00:35:12.400
utter, utter devastation, and the company collapsed into administration.

00:35:12.400 --> 00:35:18.880
JACK: The company collapsed. Wow. It's pretty rare for a company to be damaged

00:35:18.880 --> 00:35:24.240
so badly from a cyber attack that it can't recover and has to shut down like this.

00:35:24.240 --> 00:35:30.800
It's wild to think that your whole business could come to a catastrophic end all because

00:35:30.800 --> 00:35:36.880
of a hacker. But all this does make you wonder, whose fault is it for

00:35:36.880 --> 00:35:40.800
not securing the customers' data better, and shouldn't they be held responsible?

00:35:40.800 --> 00:35:45.120
JOE: Well, Ville Tapio, the CEO, he has been prosecuted for…

00:35:45.120 --> 00:35:45.640
JACK: Really?

00:35:45.640 --> 00:35:50.240
JOE: …for failing to protect the data,

00:35:50.240 --> 00:35:53.840
but he's appealing that and we don't know what's gonna happen with that.

00:35:53.840 --> 00:35:59.520
JACK: The CEO blames his IT team for failing to protect the data, and he blames the police

00:35:59.520 --> 00:36:04.400
for how badly the fallout was handled. He says when he called the NBI, the National Bureau of

00:36:04.400 --> 00:36:09.360
Investigation, they locked him out of all decision-making, and he didn't even know

00:36:09.360 --> 00:36:16.000
what was being said in e-mails using his name. Pretty early in the investigation, the NBI filed a

00:36:16.000 --> 00:36:22.880
criminal complaint against the CEO accusing him of a data protection violation, which led the board

00:36:22.880 --> 00:36:29.200
to remove him as CEO in the middle of this crisis while people were trying to call 24/7 looking for

00:36:29.200 --> 00:36:35.040
help. So, the company was leaderless during all this, and not only was he dismissed as the CEO,

00:36:35.040 --> 00:36:42.400
but the parent company of Vastaamo also sued him, accusing him of failing to protect user data.

00:36:42.400 --> 00:36:48.560
Ville Tapio, the CEO, was convicted in the District Court of Helsinki for data

00:36:48.560 --> 00:36:52.800
protection violations under the EU's General Data Protection Regulations.

00:36:52.800 --> 00:36:58.000
He was sentenced to a three-month suspended prison sentence in April 2023 after being

00:36:58.000 --> 00:37:04.800
found guilty of not anonymizing or encrypting the personal data processed at Vastaamo. But he

00:37:04.800 --> 00:37:08.480
doesn't agree with that, and he's actively trying to fight that to clear his name,

00:37:08.480 --> 00:37:17.840
so it's still yet to be seen where he lands. [Music] Around that time, someone phones up the

00:37:17.840 --> 00:37:23.600
Paris police and reports that there's a domestic abuse situation happening. They said there's

00:37:23.600 --> 00:37:28.080
scary noises; it sounds like a scared woman, an angry man. Something's going on. Check it out.

00:37:28.080 --> 00:37:37.600
JOE: They get called out to a domestic abuse situation in Paris in early 2023, and

00:37:37.600 --> 00:37:41.520
they — the police arrive in the early hours; I think it's something like half past 6:00,

00:37:41.520 --> 00:37:48.960
7:00 in the morning, to a very quiet part of Paris in the north — I think it's the northwest,

00:37:48.960 --> 00:37:55.040
and they approach the door expecting potentially for there to be a serious situation of potentially

00:37:55.040 --> 00:38:02.640
a man abusing a girl, a woman. They knock on the door and eventually a very bleary,

00:38:02.640 --> 00:38:10.400
tired-looking girl answers the door, and she's fine. The police go in and they find a 6'3,

00:38:10.400 --> 00:38:20.320
blonde hair, green-eyed man, who's traveling under the name Asan Amet. They think,

00:38:20.320 --> 00:38:27.600
hang on a minute, this person doesn't look like they should be from Romania. So,

00:38:27.600 --> 00:38:32.560
they run some checks and it turns out this isn't a Romanian living in Paris

00:38:32.560 --> 00:38:37.400
with his girlfriend or wife at the time. This is the wanted cyber criminal Julius Kivimaki.

00:38:37.400 --> 00:38:43.520
JACK: So, the Vastaamo hack happened in 2018, but the ransom attempt and public posting of

00:38:43.520 --> 00:38:49.240
this data didn't happen 'til two years later in 2020, and now Julius is arrested in 2023.

00:38:49.240 --> 00:38:55.120
JOE: So, they very quickly arrest him and drive him to the police station. Then, of course, the

00:38:55.120 --> 00:39:01.520
call goes in to Marko and the team in Finland, and they are high-fiving around the office. They're

00:39:01.520 --> 00:39:07.520
screaming for joy 'cause they didn't think that this Red Notice would be so successful. This was

00:39:07.520 --> 00:39:13.760
only a few months after they put the call out to other police for help, and they had no idea where

00:39:13.760 --> 00:39:20.760
he was. So, suddenly, to have this arrest take place in Paris meant that they got their guy.

00:39:20.760 --> 00:39:25.520
JACK: So, he's sent to jail in Helsinki, Finland, and has to face a judge there.

00:39:25.520 --> 00:39:30.720
JOE: So, it takes them a good few months to get together the evidence that they need to

00:39:30.720 --> 00:39:36.560
start the trial, and the trial takes place in Finland just outside Helsinki, and it's

00:39:36.560 --> 00:39:42.080
the biggest criminal case in Finland's history because of the number of victims. I went along to

00:39:42.080 --> 00:39:51.040
the first day when Kivimaki was in the dock as — doing his cross examination. It was an absolutely

00:39:51.040 --> 00:39:56.320
ram-packed courthouse, as you can imagine. So many people there wanted to know what he would

00:39:56.320 --> 00:40:00.880
say and how he would sort of get around it. What was interesting as well was there was lots of

00:40:00.880 --> 00:40:07.120
people watching who were victims in a cinema in a secret location as well, watching the live feed.

00:40:07.120 --> 00:40:13.360
But during the trial, about halfway through the trial, somehow Kivimaki's legal team managed to

00:40:13.360 --> 00:40:19.760
convince the judges to let him out on bail because they thought that he wasn't a flight risk. So,

00:40:19.760 --> 00:40:23.680
he was released from prison and he was allowed to do what he wanted as long as he was under certain

00:40:23.680 --> 00:40:28.320
conditions. Like, he had to keep his phone on him and go to a police station every couple of

00:40:28.320 --> 00:40:32.720
days. But just as soon as he was released, the police were like, whoa, whoa, whoa,

00:40:32.720 --> 00:40:37.840
you cannot let this guy go because he's gonna — he is a flight risk. He's gonna disappear again.

00:40:37.840 --> 00:40:42.400
'Cause don't forget, he's been — he was wanted and there was a manhunt for him previously. Plus,

00:40:42.400 --> 00:40:47.200
you've got this massive history as well where he just doesn't seem to give a damn about the police.

00:40:47.200 --> 00:40:51.200
So, lo and behold, they say — the judges change their mind and they say, right,

00:40:51.200 --> 00:40:55.680
come back to prison, please, Kivimaki. We don't know where you are, but come in because you've got

00:40:55.680 --> 00:41:01.360
to come back to prison, and he just refuses. He just says — he answers the phone saying,

00:41:01.360 --> 00:41:07.120
nah, I'm staying where I am. I'll see you in court, but I'm still — I'm chilling. I'm not

00:41:07.120 --> 00:41:11.680
gonna come into the — I'm not gonna come to prison again until the court case starts. So,

00:41:11.680 --> 00:41:18.480
you had this absolutely absurd situation where a wanted cyber criminal who was found

00:41:18.480 --> 00:41:23.760
by accident in Paris, brought to Helsinki, the largest criminal case in Finland's history,

00:41:23.760 --> 00:41:28.400
released on bail; now they want him back, and he's saying 'no', mid trial.

00:41:28.400 --> 00:41:32.880
I just think it's incredible, because all the cases that I've covered,

00:41:32.880 --> 00:41:38.720
the defendants are always trying to be as good as possible and trying to convince the jury and

00:41:38.720 --> 00:41:45.280
the judges that they are upstanding members of society, and Kivimaki just doesn't care. So,

00:41:45.280 --> 00:41:52.000
the police had to start another manhunt to find out where he is. Marko is so angry about this,

00:41:52.000 --> 00:41:56.000
and he's got — all the police resources are out there trying to find him, and eventually

00:41:56.000 --> 00:42:01.120
they managed to track Kivimaki down because he posts a picture of him or posts a picture of a

00:42:01.120 --> 00:42:06.080
hand holding a really expensive champagne bottle, and they recognize the room might

00:42:06.080 --> 00:42:11.280
be something from an Airbnb, and they managed to locate the Airbnb he's in and re-arrest him.

00:42:11.280 --> 00:42:16.384
JACK: 9,600 counts of aggravated invasion of privacy…

00:42:16.384 --> 00:42:16.394
JOE: Yeah.

00:42:16.394 --> 00:42:20.560
JACK: …21,000 attempted aggravated extortion attempts…

00:42:20.560 --> 00:42:23.960
JOE: So, those are the e-mails that they know about.

00:42:23.960 --> 00:42:28.400
JACK: Yeah, and twenty counts of aggravated blackmail. This is crazy,

00:42:28.400 --> 00:42:36.080
21,000 aggravated extortion attempts. Of all the — I've heard people get arrested for like,

00:42:36.080 --> 00:42:40.520
seven counts of this, thirteen counts of that, but 21,000 counts; holy mackerel.

00:42:40.520 --> 00:42:45.840
JOE: Yeah. Well, that's the kind of preposterous thing about the Finnish justice system,

00:42:45.840 --> 00:42:49.040
because when you look at it, it's outrageous, isn't it? But actually,

00:42:49.040 --> 00:42:56.000
if you look at the numbers in detail — so, the 9,231 aggravated dissemination of

00:42:56.000 --> 00:43:01.480
information infringing private life, those are the people that actually filed complaints. So…

00:43:01.480 --> 00:43:03.200
JACK: Really, 9,000 people?

00:43:03.200 --> 00:43:03.840
JOE: Yeah.

00:43:03.840 --> 00:43:07.184
JACK: Almost like a class-action lawsuit with 9,000 complainers.

00:43:07.184 --> 00:43:07.600
JOE: Yeah. JACK: Wow.

00:43:07.600 --> 00:43:13.520
JOE: Then the 20,000 are the e-mails that they know of. So, there were 27,000. I

00:43:13.520 --> 00:43:18.560
think there were some duplicates, and 20,000 were the ones that they kind of confirmed as

00:43:18.560 --> 00:43:22.840
being aggravated. Then you've got the twenty aggravated, which is the people that paid.

00:43:22.840 --> 00:43:26.880
JACK: Yeah, in the US we have civil cases which is like,

00:43:26.880 --> 00:43:33.440
a user of the site is claiming damage that the site caused them reputational damage or whatever,

00:43:33.440 --> 00:43:38.800
but this is a criminal case where people complained that this particular person,

00:43:38.800 --> 00:43:44.640
Kivimaki, has harmed their life and in ways — I think that's also unusual.

00:43:44.640 --> 00:43:49.120
JOE: Yeah, and they're actually thinking of changing the Finnish justice system to cope with

00:43:49.120 --> 00:43:56.000
this kind of thing. They've never had a court case on this scale where so many individuals go after

00:43:56.000 --> 00:44:01.680
and accuse one individual of issues, of criminality. So, there's discussions in

00:44:01.680 --> 00:44:06.880
the country about how they're gonna cope with something if this happens again, because they

00:44:06.880 --> 00:44:10.960
had to — they're still working through it, to be honest. They are still working through

00:44:10.960 --> 00:44:17.520
the backlog of potential compensation to be paid. The company, Vastaamo, is bankrupt, so they can't

00:44:17.520 --> 00:44:23.200
really pay very much, but Kivimaki has agreed to pay some people, but it's not gonna be much.

00:44:23.200 --> 00:44:28.240
Of course, the kind of — the scale of harm is very different depending on who you are,

00:44:28.240 --> 00:44:32.320
as well. So, there will be some people — I spoke to one guy who went there twice with

00:44:32.320 --> 00:44:38.400
his wife to help them with their divorce, and he doesn't feel particularly aggrieved,

00:44:38.400 --> 00:44:44.320
or he's not feeling too invaded by that. But then you've got people who have been

00:44:44.320 --> 00:44:48.240
there — going there for years, and they poured their hearts out to the therapist,

00:44:48.240 --> 00:44:52.480
and now they're absolutely terrified. They're looking — if someone looks at them funny in

00:44:52.480 --> 00:44:56.960
the street, they're worried that that person's read their notes and they know their deepest,

00:44:56.960 --> 00:45:01.640
darkest secrets. They're kind of — there is a real difference in how it's affected people.

00:45:01.640 --> 00:45:12.240
JACK: Yeah, so it's — in the court there, they mention how many other crimes this guy

00:45:12.240 --> 00:45:18.320
has committed and how it just goes back for almost a decade that this guy was

00:45:18.320 --> 00:45:25.440
a cyber thug. That's where I think there's just so much more to your book, right?

00:45:25.440 --> 00:45:32.880
JOE: Yeah, and you mentioned the 30,000 crimes that the court accused him of or

00:45:32.880 --> 00:45:38.640
convicted him of. But if you go back not that long, Kivimaki has a history of cyber crime.

00:45:38.640 --> 00:45:46.000
He got convicted of 50,000 cyber crimes when he was a teenager because of various things he did,

00:45:46.000 --> 00:45:53.040
because this guy was really brought up in a time when teenage cyber-crime gangs were

00:45:53.040 --> 00:45:57.680
absolutely coming to the fore. They were prolific. There's this period of time in

00:45:57.680 --> 00:46:03.760
the 2010s where you had this conveyor belt of cyber-criminal teenage gangs that were,

00:46:03.760 --> 00:46:08.080
one after the other, passing their baton, upping the ante. They were worse than each

00:46:08.080 --> 00:46:12.160
other each time they tried to outdo each other in terms of the kind of things they could do,

00:46:12.160 --> 00:46:16.640
get away with, the kind of criminality and cruelty they could be responsible for.

00:46:16.640 --> 00:46:20.320
I don't know if you remember any of these gangs, but I'll go through some of them. So,

00:46:20.320 --> 00:46:24.880
LulzSec probably started this whole thing. I don't know if you remember them; 2011.

00:46:24.880 --> 00:46:32.800
Then after that you had HTP, which Kivimaki was part of and convicted for. He was actually

00:46:32.800 --> 00:46:40.640
— he was collared when he went to Defcon in — I think it was 2012, 2013 when he was a teenager,

00:46:40.640 --> 00:46:46.560
and the police — the FBI managed to get him in a room, in a hotel room, and interrogate

00:46:46.560 --> 00:46:52.480
him for some of the stuff he was doing. Then he was arrested by the Finnish police and

00:46:52.480 --> 00:46:59.680
spent time in prison, and then eventually the long, slow way that the justice system works,

00:46:59.680 --> 00:47:03.360
he was convicted. But of course, in that time, he didn't stop and he carried on.

00:47:03.360 --> 00:47:09.760
Then there were other gangs he was part of like Lizard Squad and UGNazi, Isis gang. All

00:47:09.760 --> 00:47:15.760
these types of gangs just came and went in this period, causing damage as they did so.

00:47:15.760 --> 00:47:21.280
JACK: He was convicted of 50,000 cyber crimes in the past? Look,

00:47:21.280 --> 00:47:25.600
what we've covered in this episode is only the first few chapters of Joe Tidy's book,

00:47:25.600 --> 00:47:31.120
Ctrl+Alt+Chaos. You've gotta hear what else this guy did, so I encourage you to go get his book

00:47:31.120 --> 00:47:36.480
and hear the rest of the story. We only covered one of his hacks here, but there are so many more

00:47:36.480 --> 00:47:41.920
this guy did, and I have a strong feeling that Julius Kivimaki will go down as one of the most

00:47:41.920 --> 00:47:48.320
notorious hackers in history. It's really amazing how close Joe was following this whole story,

00:47:48.320 --> 00:47:52.760
especially in this Vastaamo case. Joe was in the court room watching all this unfold.

00:47:52.760 --> 00:47:58.400
JOE: Yeah, I was there on the first day that he gave evidence, and it was packed full of

00:47:58.400 --> 00:48:02.160
journalists from all over Finland and also international journalists as well,

00:48:02.160 --> 00:48:06.560
because of course by this time, this was known as the biggest case in Finland's history, and the

00:48:06.560 --> 00:48:14.960
Vastaamo court case and the Vastaamo case itself was just such a big, nasty story. I went in and

00:48:14.960 --> 00:48:20.720
it was really interesting 'cause Kivimaki sat there and he had a laptop in front of him and

00:48:20.720 --> 00:48:26.240
he was answering all his prepared questions from his lawyer, and he was just not even thinking

00:48:26.240 --> 00:48:31.520
about it, just kinda stroking the mouse keypad on the laptop back and forth, back and forth,

00:48:31.520 --> 00:48:37.680
and smiling while he was talking and cracking little jokes. He seemed really relaxed. Of course,

00:48:37.680 --> 00:48:42.240
when you look at his history, when you look at the amount of cyber crime that he's carried out,

00:48:42.240 --> 00:48:47.840
the amount of run-ins with the police, convictions, that makes sense to me. This

00:48:47.840 --> 00:48:54.200
is the kind of world that he operates in. He doesn't seem to have much care for anything.

00:48:54.200 --> 00:48:57.520
JACK: Yeah. Yeah, it does seem like that,

00:48:57.520 --> 00:49:00.560
just what can I do to set the world on fire, kind of thing.

00:49:00.560 --> 00:49:04.400
JOE: Yeah, I think it is a bit of that. It's one of the really weird things about

00:49:04.400 --> 00:49:10.720
this whole case. I've followed this guy for ten years, since he was a teenager,

00:49:10.720 --> 00:49:18.240
and the people that speak to him and know him — he's not a popular hacker. He falls out with

00:49:18.240 --> 00:49:24.480
people all the time. He did some nasty stuff even before the Vastaamo hack. I would argue that he's

00:49:24.480 --> 00:49:30.720
probably the most hated hacker in history because he didn't give a damn and doesn't give a damn,

00:49:30.720 --> 00:49:36.800
and people are confused by him, what his morals are, because he's got the money.

00:49:36.800 --> 00:49:43.840
Some people said that he just likes to cause damage and likes to cause chaos and enjoys it.

00:49:43.840 --> 00:49:49.840
JACK: In April 30th, 2024, Julius Kivimaki was sentenced to six years and three months

00:49:49.840 --> 00:50:04.457
in prison. He's currently sitting in prison right now, serving his time.

00:50:04.457 --> 00:50:08.000
(Outro): [Outro music] Thank you so much to Joe Tidy for sharing this incredible story with us.

00:50:08.000 --> 00:50:12.560
You have to hear the rest of the story, though, so go get his book. It's called Ctrl+Alt+Chaos, and

00:50:12.560 --> 00:50:17.360
it releases this month. I have to take a moment to just thank my premium subscribers. They are

00:50:17.360 --> 00:50:22.480
the real heroes to me for supporting this show. It really helps keep it going. I love you so much.

00:50:22.480 --> 00:50:27.600
Thank you. [Blows kiss] If you're not already a premium subscriber and you want kisses from me,

00:50:27.600 --> 00:50:32.400
visit plus.darknetdiaries.com, and if you sign up, you'll get an ad-free version of the show,

00:50:32.400 --> 00:50:38.000
plus eleven bonus episodes. This episode was created by me, the root canal, Jack Rhysider. Our

00:50:38.000 --> 00:50:42.640
editor is the drop table, Tristan Ledger, mixing done by Proximity Sound, and the intro music is by

00:50:42.640 --> 00:50:47.760
the mysterious Breakmaster Cylinder. Of course I use a password manager. It's called the dark web.

00:50:47.760 --> 00:50:51.520
Have you heard of it? It's got everyone's password on there. You can look up mine or anyone else's.

00:50:51.520 --> 00:51:06.290
It's real easy. This is Darknet Diaries. [END OF RECORDING]
