Finland, October 2020, in the midst of the pandemic. Ellen is not coping well with confinement due to a key factor: she can no longer visit her psychiatrist, who has supported her through the difficult process of healing old wounds. These began in her youth after intrafamilial abuse that Ellen locked away in her memory, but which resurface daily in different ways.
Carl, her psychiatrist, has been the key to her being able, finally after many years, to confront and process those memories. Neither her parents, husband, nor children know about these painful scars. It is her secret.
Her pleasant weekly session with Carl, in his charming office in the Töölö district, is no longer in person and has become virtual, which makes her uncomfortable. Having Carl, a well-known psychiatrist from Helsinki, is a luxury she can afford thanks to Vastaamo, the most renowned (and expensive) private mental health service in Finland.
That October afternoon, during the unbearable confinement, she receives a WhatsApp message that stops her world: “Good afternoon Mrs. Ellen Helmi, pleased to contact you. I inform you that I have in my possession all the transcripts of the sessions you have had with Dr. Carl MIRKO. Unfortunately, Vastaamo (from where I obtained this information) has refused to pay for the recovery of the data, and therefore I am contacting you to make you the following offer: for 30,000 crowns we will delete your information from our servers; otherwise, we will be forced to make it public. You have 24 hours from this moment. Given the content of these sessions, please accept my sympathy for what you have suffered.”
She immediately receives a second message, which she later understands to be the instructions to purchase and deposit Monero cryptocurrency into the attacker’s digital wallet.
Vastaamo, known in Finland as the “McDonald’s of psychotherapy,” is the most recognized mental health institution in the country. Around 50,000 people use this premium service.
The clinic has been the victim of a massive cyberattack. The information from all patient sessions has been leaked. A ransom demand for a huge sum was made to the clinic, but it refused to pay. Following this refusal, attackers redirected their demand to the patients, requesting an average of 200 euros each to prevent the information from being made public.
The attacker remained anonymous. Authorities suspected a pro-Russian cybercriminal group, given the historical tension between the two countries, although some characteristics of the attack seemed familiar to investigators.
Despite efforts, no responsible party could be located until three years later.
February 2023, Courbevoie, France. Police respond to a domestic violence complaint. At the residence, they find an intoxicated man asleep on the sofa. When asked for identification, he presents a Romanian ID card, but something does not match.
His physical appearance does not resemble someone of that nationality: he is a tall blond man, and his accent does not fit. When his details are entered into Interpol, an alert is triggered: the man is Julius Kivimäki, 26 years old. Julius, known by the alias “Zeekill,” had been an active cybercriminal since the age of 13 and had been arrested numerous times. In the years following the Vastaamo attack, investigators had found evidence linking him directly to the case. Certain cryptocurrency wallet movements from ransom payments also strongly implicated him.
Kivimäki was finally sentenced in 2024 to six years and three months in prison. In a historic precedent, Vastaamo’s director, Ville Tapio, was also convicted for failing to adequately protect patients’ confidential data. The patient data lacked even the minimum necessary security measures. At least 30,000 patients were extorted, and one confirmed suicide resulted from the attack.
Vastaamo, the prestigious mental health service and a model in Europe, ceased operations as a consequence of the incident, which is considered the largest criminal case in Finnish history.