Finland’s National Bureau of Investigation (KRP) has traced transactions involving the anonymous cryptocurrency Monero (XMR) linked to hacker Julius Kivimäki, according to local media.
On January 22, the prosecution presented new evidence indicating illegal transfers leading to Kivimäki’s bank account.
Investigators allege that in 2020, the suspect demanded 40 BTC to avoid publishing personal data of over 33,000 patients from the Vastaamo psychotherapy center. The hacker operated under the pseudonym ransom_man.
“We are not asking for much, about €450,000, which is less than €10 per patient and only a small part of the company’s €20 million annual revenue,” stated ransom_man.
On October 23, 2020, the hacker uploaded a large file containing all the stolen Vastaamo records to the darknet. However, investigators found that the data also included a complete copy of ransom_man’s personal folder—a critical mistake that linked the evidence to Kivimäki.
Eventually, the leaked files were removed, accompanied by the note “oops.” However, other users, and consequently law enforcement, managed to download them. Unknown individuals created a separate website with the entire patient database of the clinic.
Some victims paid the ransom, but once the leaked data was found online, the blackmail lost its power.
KRP discovered that the hacker sent assets to an exchange that did not comply with KYC requirements. He then exchanged bitcoins for Monero and transferred them to a personal wallet.
After several further transfers, the XMR was sent to a Binance account, where it was exchanged back into bitcoin. The coins were then moved to various wallets.
Authorities have not disclosed the methodology used to analyze the transactions. Ultimately, the investigation traced Kivimäki through his X account. In October 2022, the hacker was charged with criminal offenses.
I believe that KRP brought this into the public now to influence the decision-making on my old case from my teenage years, which was just heard in the Court of Appeal; in both cases the same people are doing the investigating. https://t.co/mlqGfJoda9
— Aleksanteri Kivimaki (@AlexKivimaeki) October 28, 2022
“I believe that KRP brought this to public attention to influence the decision-making on my old teenage case, which was just heard in the appeals court—both are being investigated by the same people,” wrote Kivimäki.
It was revealed that at the age of 17, the suspect was convicted of stealing classified data from the U.S. Air Force and hacking the American Airlines website. He was sentenced to one year of probation for fraud and theft of confidential data.
The prosecution is now seeking a real prison term for Kivimäki.
Interesting day in Finland. #vastaamo pic.twitter.com/FupGQ9fWWE
— Joe Tidy (@joetidy) January 19, 2024
“The young man committed cybercrimes from [the Finnish city of] Espoo from the age of 15, and these actions had to be thoroughly investigated with international legal support,” stated the prosecution.
Authorities have also raised allegations against Vastaamo’s head, Ville Tapio, over violations of personal data security requirements. He resigned immediately after the attack.
The leak could have occurred as early as 2018, and Tapio allegedly concealed the incident for nearly a year and a half.
Former MAGIC Monero Fund committee member Chilla Brimer commented to Decrypt that investigators likely managed to trace some transactions due to the hacker’s poor security practices, rather than a breach of the Monero network itself.
“If you are not careful with your operational security and continue switching between Bitcoin and XMR, there is a risk of leaking some information. Regulators may use this mistake to claim Monero tracking,” she explained.
According to Brimer, Monero “securely protects transaction details,” but cannot save users from their own mistakes.
In January 2024, Binance classified Monero and Zcash as high-risk crypto assets, assigning them “monitoring tags.”
