Finnish hacker Aleksanteri Kevimäki has been convicted of hacking and attempting to extort a company called "Vastaamo" and its clients, marking the breach of "Vastaamo" as the largest crime in Finland's history in terms of victim count. Kevimäki's trial garnered significant attention in the country. The hack led to the release of personal data of tens of thousands of individuals online, including government officials and celebrities. More importantly, the nature of the information made this incident a national shock, as the stolen patient database from "Vastaamo" contained written notes from therapists and detailed records of secrets discussed by patients during their sessions. A prominent Finnish politician compared the national impact of the breach to that of a terrorist attack.
A Finnish court recently sentenced the 26-year-old man to six years and three months in prison for hacking thousands of patient records at the "Vastaamo" mental health center and demanding ransom from some patients after obtaining sensitive data. The case sparked widespread outrage in the Scandinavian nation, with a record number of approximately 24,000 people filing criminal complaints with the police. In February 2023, French police arrested Kevimäki, who was living under a false identity near Paris, and he was subsequently deported to Finland. His trial concluded last month.
The court found Kevimäki guilty, among other charges, of data violations, approximately 21,000 attempts of extortion, and over 9,200 instances of publishing information that violates personal privacy. The court described the crimes as "brutal" and "extremely harmful." According to the charges, Kevimäki hacked into the information system of "Vastaamo" in 2018 and downloaded its database, which included around 33,000 clients. It is noted that "Vastaamo," which filed for bankruptcy in 2021, had branches throughout the country, home to 5.6 million people.
Prosecutors stated that Kevimäki initially requested that Vastaamo pay him approximately $396,000 in Bitcoin to refrain from publishing patient records. When the center refused, Kevimäki began publishing patient information on the dark web in 2020 and sent messages to patients demanding ransoms of €200 or €500. Prosecutors indicated that around 20 patients had already paid him.
For his part, Kevimäki denied all charges. His lawyer suggested that he is likely to appeal the ruling. The prosecution had called for a seven-year sentence, the maximum for such crimes under Finnish law. Finnish newspaper "Ilta-Sanomat" reported in 2022 that Kevimäki had been convicted for the first time at the age of fifteen after hacking over 50,000 servers using a program he developed. He has also been convicted in the United States for hacking related to the U.S. Air Force and "Sony Online Entertainment."
