Vastaamo Hacker Traced Via Untraceable Monero Transactions Police Says
Julius Aleksanteri Kivimäki, the suspect believed to be behind an attack against one of Finland’s largest psychotherapy clinics, Vastaamo, was allegedly identified by tracing what has been believed to be untraceable Monero transactions.
In October 2020, psychotherapy Center Vastaamo announced it had been breached in 2018 by someone who stole thousands of patient records and demanded a payment of 40 Bitcoins ($450,000 at the time) to not publicly release the stolen data.
Failing to extort the clinic, the hacker turned to individual patients, asking them to pay roughly $240 in Bitcoin to delete their records.
Finnish investigators from the National Bureau of Investigation (KRP), with the help of Binance, followed the trail of payments to Kivimäki, who exchanged the funds for Monero and then exchanged them back to Bitcoin.
District Prosecutor Pasi Vainio revealed this as part of the trial concerning the Vastaamo data breach and blackmail.
Monero is a privacy-oriented decentralized cryptocurrency that many believe to be untraceable. In August 2022, an upgrade on its “ring signature” transaction obfuscation mechanism hardened it even further, making tracing transactions practically impossible.
Due to the privacy nature of the coin, some of the larger exchanges no longer support Monero to comply with money laundering regulations.
According to the reports, in October 2020, during the very dawn of the investigations, KRP sent 0.1 Bitcoin to the blackmailer’s address to use that small amount for analysis and tracing.
This led to Binance, requests for information, and reception of some data about the attackers, including an email address. But as soon as the funds were moved to a Monero private wallet, which is designed to be confidential and untraceable, things became challenging.
Still, KRP claims that by employing heuristic analysis involving educated guesses based on patterns and probabilities, they could infer the most likely path of the funds.
The small amount, together with other funds, possibly from victim payments, was sent to a second Bitcoin address linked to the same email address, which was later found to be linked to an email server managed by Kivimäki.
Also, bank transfers from individuals suspected to be “money mules” were found on Kivimäki’s account, aligning with the timing of the traced payments.
KRP did not disclose the exact mechanism for tracing the Monero transactions, citing the need to protect sensitive investigative techniques that can prove invaluable in future cases. Thus, the exact methods involved are unclear.
Whether Finnish investigators possess a sophisticated blockchain forensic analysis capability that can crack Monero’s RingCT and stealth addresses remains doubtful, but the resulting identification of the suspect and a second person from Estonia who is reportedly also involved in the attacks nonetheless raises questions.
Kivimaki is accused of aggravated data breach, attempted aggravated blackmail, aggravated dissemination of information that violates private life, attempted aggravated blackmail, and aggravated extortion, impacting over 21,000 people.
For these crimes, the prosecutor has demanded an unconditional 7-year imprisonment sentence.
Kivimäki has not pleaded guilty yet, vehemently denying the allegations and disputing the contents of KRP’s report.