Untouchable Hacker God and Finland’s Biggest Data Breach

Published: 17 January 2026. The English Chronicle Desk. The English Chronicle Online

When Tiina Parikka opened an email on a quiet Saturday morning in October 2020, she had no idea that her life—and the lives of tens of thousands of others—had already been irrevocably altered. Fresh from a sauna in her Vantaa apartment, just outside Helsinki, the 62-year-old headteacher glanced at her phone absent-mindedly. What she read made her heart race. The message addressed her by name and included her Finnish social security number, a uniquely sensitive identifier used across healthcare, banking and education. In that instant, she knew this was not a hoax.

The email was chilling in its politeness. Written in Finnish, it informed her that she had used psychotherapy services provided by Vastaamo, a digital mental health platform. The sender demanded €200 in bitcoin within 24 hours, rising to €500 if she delayed. Failure to pay, the message warned, would result in the publication of her most intimate personal data, including detailed transcripts of her therapy sessions. Parikka recalls struggling to breathe, convinced she was on the verge of a heart attack. The sense of exposure was overwhelming. She later described it as feeling like a “public rape”.

Parikka was not alone. Across Finland, some 33,000 former patients of Vastaamo were receiving similar messages. Therapy notes containing confessions of trauma, abuse, addiction and suicidal thoughts had been stolen and weaponised. In a country of just 5.6 million people, the scale of the breach was unprecedented. Almost everyone knew someone affected.

The extortion emails were only the final act. Days earlier, a figure using the online alias “ransom_man” had posted on the dark web and Finnish online forums, announcing that Vastaamo’s systems had been hacked. When the company refused to pay a ransom of 40 bitcoins, the hacker began releasing patient records publicly, 100 at a time. Names of politicians, police officers and public figures appeared alongside explicit therapy notes. Some records belonged to children. Then, in the early hours of 23 October 2020, the hacker made a catastrophic mistake, uploading the entire database—every patient record—making the ransom meaningless. The damage was already done.

For many victims, the psychological toll was devastating. Lawyers later confirmed that at least two people took their own lives after discovering their therapy notes had been exposed. Others withdrew from society, gripped by fear and shame. Meri-Tuuli Auer, then in her late twenties, had relied on Vastaamo during a critical period of recovery from depression. When she learned of the hack, the fragile sense of security she had rebuilt collapsed. She found herself unable to leave her home, haunted by the thought that strangers might be laughing at her pain online.

Finland is often celebrated as the world’s happiest nation, a leader in digital innovation and social trust. Vastaamo itself had been hailed as a success story. Founded in 2008, it promised to democratise access to psychotherapy through a sleek digital platform that required no doctor referral. By 2019, it employed more than 220 therapists and served tens of thousands of patients. That same year, a private equity firm bought a majority stake, valuing the company at millions of euros.

Behind the scenes, however, security was dangerously lax. When cybersecurity specialist Antti Kurittu was brought in after the initial ransom demand to the company’s CEO, Ville Tapio, he was stunned. The patient database was accessible from the open internet, protected by no firewall and, astonishingly, no password at all. Anyone scanning for vulnerable systems could have walked straight in. It was, Kurittu later said, like finding a bank vault left wide open.

As the investigation unfolded, suspicion fell on a familiar name in cybercrime circles: Aleksanteri Kivimäki, previously known as Julius Kivimäki. A notorious Finnish hacker from his teenage years, Kivimäki had built a reputation not for technical brilliance but for audacity and cruelty. As a teenager, he had been involved in hacking groups that targeted corporations “for the LOLs”, seeking notoriety rather than profit. His online feuds included years-long campaigns of harassment against individuals, involving swatting attacks, bomb threats and identity abuse.

In 2015, Kivimäki was convicted in Finland for tens of thousands of data breaches involving US universities and received a suspended sentence. Shortly afterwards, he infamously described himself online as an “untouchable hacker god”. For years, he appeared to live an itinerant, glamorous life across Europe and beyond, posting images from London, Paris and Dubai.

Critical clues emerged when investigators analysed files accidentally uploaded by ransom_man. The hacker had mistakenly shared his entire home folder, revealing chaotic file names, personal searches and server payment records. A small bitcoin payment made by police eventually led to a bank account linked to Kivimäki. Further evidence showed the crimes were committed while he was living in London, close to the heart of British intelligence headquarters.

In October 2022, Finnish authorities issued an arrest warrant. Months later, in February 2023, French police responding to a domestic violence call in a Paris suburb arrested a man using a Romanian passport under a false name. He was, in fact, Aleksanteri Kivimäki.

The trial, which began in November 2023, was unlike anything Finland had seen. With more than 21,000 registered victims, proceedings were broadcast to cinemas and public spaces. Victims sat silently, watching the man accused of destroying their sense of safety. In April 2024, Kivimäki was found guilty of thousands of counts of aggravated invasion of privacy and attempted extortion. He was sentenced to six years and three months in prison, a severe punishment by Finnish standards, though still less than the maximum possible.

Throughout the process, Kivimäki denied responsibility, portraying himself as a scapegoat. When confronted with the suffering of victims, his responses were chillingly detached. To Parikka, the most haunting question remains unanswered: whether he ever felt empathy.

Vastaamo itself collapsed under the weight of the scandal, declaring bankruptcy in early 2021. Its former CEO was initially convicted of criminal negligence over data security failures, though that conviction was overturned on appeal in late 2025. Many victims remain angrier with the company than with the hacker, believing their trust was betrayed by systemic greed and complacency.

Today, copies of the stolen therapy notes still circulate online, a permanent reminder that digital wounds do not heal easily. The Finnish government has offered limited compensation, but no sum can truly repair the damage of such exposure. For Parikka and thousands like her, trust in therapy—and in digital privacy—has been fundamentally shaken.

The Vastaamo case stands as a stark warning. In an era when our most private thoughts are stored online, the promise of absolute security may be an illusion. The question Finland, and the world, must now confront is whether society can protect vulnerability in a digital age—or whether the cost of convenience is simply too high.