Finland's National Bureau of Investigation (NBI) has released over 2,000 pages of evidence related to the suspected hacking of therapy centre Vastaamo's patient database, as well as attempts to blackmail the company and its clients.
During a pre-trial hearing on Friday, prosecutors said that the sole suspect in the case, Aleksanteri Kivimäki, travelled around the world but left few traces as he did.
He was eventually traced to France, where he was detained by authorities in February this year before being extradited to Finland.
Prosecutors filed charges last month against Kivimäki, who was born in 1997 and is a hacker well known to Finnish authorities.
He is suspected of breaching the patient record database belonging to the psychotherapy centre Vastaamo, and then using that information to blackmail tens of thousands of victims.
He is also suspected of stealing the sensitive personal data of more than 33,000 of the centre's clients and then posting them on the dark web. Around two-thirds of the victims filed criminal reports with authorities.
Kivimäki faces charges of aggravated and attempted extortion, aggravated data trespass, as well as aggravated dissemination of information violating personal privacy.
Prosecutors have demanded that Kivimäki serve a seven-year sentence for the crimes.
Links and credit cards
Investigators said their first big break in the case was due to the suspect's carelessness. Kivimäki allegedly set up a virtual server to automatically retrieve data from the stolen patient files.
That automation took the data of 100 randomly selected therapy centre clients, duplicating them into a folder. Then, they were sent off for posting on the web.
However, the way the scheduled file sharing scheme was set up also revealed information about the server from which it was being sent. Those clues helped investigators get closer to the suspect.
The trail led authorities to a server in a data centre in the southern Finnish municipality of Tuusula, before investigators found two more servers that could be linked to the first.
Police managed to crack the encryption on two of the servers — the first of which contained the suspected stolen data. Examining the servers' traffic, authorities were able to track down an additional 16 servers.
After mapping the server network, investigators started looking for who had accessed them, which was done by examining online payments.
A shared hand
The investigation materials released on Friday are filled with technical details, but also revealed how authorities managed to track down the suspect.
A key clue came from a photo uploaded to the image sharing platform Ylilauta. The picture shows just a hand holding a bottle, but an examination of its fingerprints led investigators to realise it was Kivimäki's hand. The photo was found to have been uploaded from a server linked to the network police were investigating.
Officers also collected evidence that linked Kivimäki to IP addresses common to others that were involved in the therapy centre's data breach.
Some of the servers were being used by a firm called Scanfi. Kivimäki told investigators he was CEO of the company. That firm's business was scanning for cybersecurity vulnerabilities on the internet and informing companies about them.
Kivimäki paid for use of the servers with his personal credit card, according to police. Additionally, authorities said they were able to tie Kivimäki to IP addresses linked to the data breach itself.
Among other clues, authorities noted a particular IP address from which Kivimäki's debit card was used to pay for access to OnlyFans content and to make a reservation at Helsinki's Hotel Kämp. The same IP address also accessed a server linked to the suspected crimes.
Country to country
Friday's district court session also revealed that Kivimäki often moved from country to country without leaving any significant signs of his presence behind him.
Kivimäki told investigators that he has lived in countries including Spain, the UK, the United Arab Emirates and France, returning to some of them a number of times.
The suspect also told investigators that he didn't register with the countries in which he lived because he did not need access to public health care services, and not because he was trying to hide from authorities. He also said that registering residence in countries was a hassle.
The main hearings of the trial are set to commence on 13 November. A total of 28 hearings have been reserved for the case, which is scheduled to continue until the end of February 2024.