Light bulb Limited Spots Available: Secure Your Lifetime Subscription on Gumroad!

Jul 16, 2026 · 6 min read

Vastaamo Hacker Vanishes, Finland Issues Wanted Notice

Finland's Supreme Court closed off his last appeal. He never reported to prison, and his own lawyer says he does not know where he is.

Aleksanteri Kivimäki was due to report to Finland's Criminal Sanctions Agency this week and begin serving a prison sentence of six years and eleven months. He did not show up. On July 13, 2026, Finland's Supreme Court refused to hear his final appeal, closing off the last legal route that had kept him free, and within days Eastern Uusimaa Police issued a nationwide wanted notice. His own lawyer says he does not know where his client is. Six years after Kivimäki broke into a psychotherapy provider's patient database and became the first hacker documented to extort therapy patients directly by email, one of Europe's most closely watched cybercrime cases still has no ending.

Key Takeaways

  • Finland's Supreme Court denied Aleksanteri Kivimäki's final appeal on July 13, 2026, making his six year and eleven month prison sentence for the Vastaamo breach legally final.
  • Eastern Uusimaa Police issued a nationwide wanted notice for Kivimäki after he failed to report to Rise, Finland's Criminal Sanctions Agency, to begin serving that sentence.
  • Kivimäki's 2018 intrusion into Vastaamo exposed therapy records for roughly 33,000 patients, and his 2020 extortion campaign emailed Bitcoin ransom demands directly to about 30,000 of them.
  • Vastaamo collapsed into bankruptcy in February 2021, months after the breach became public, making it one of the starkest examples of a company that did not survive a data breach.
  • Kivimäki's lawyer, Peter Jaari, says he does not know his client's whereabouts and believes Kivimäki is currently outside Finland.
An empty therapist's office with two armchairs facing each other and a notebook resting on a small side table, cold Nordic window light, somber and quiet mood

What Happened in the Original Vastaamo Breach?

Kivimäki broke into Vastaamo's patient record system in November 2018 and copied confidential therapy notes for roughly 33,000 patients, then sat on the data for nearly two years. Vastaamo, a private Helsinki psychotherapy provider, disclosed the intrusion on October 21, 2020, after the attacker tried to extort the company and it refused to pay.

What happened next set the case apart from almost every breach before it. Rather than dumping the stolen data anonymously, the attacker, using the handle "ransom_man," began emailing patients directly. Per reporting from HIPAA Journal, the emails demanded 200 euros in Bitcoin, rising to 500 euros if the patient did not pay within 24 hours, and threatened to publish that person's private counseling notes. Roughly 30,000 patients received one of these emails, more than 24,000 reported it to police, and prosecutors convicted Kivimäki on more than 20,000 separate counts of aggravated attempted extortion. Some notes were leaked on the dark web after victims did not pay, and Vastaamo could not survive the fallout, declaring bankruptcy in February 2021.

Why Is Finland Hunting Him Now?

Finland's Supreme Court denied Kivimäki leave to appeal on July 13, 2026, making the Court of Appeal's sentence final and requiring him to report to prison immediately, as The Record first reported. He did not. Kivimäki was convicted in April 2024 and sentenced to six years and three months; on appeal, the Helsinki Court of Appeal lengthened that to six years and eleven months in February 2026, citing the seriousness, scale, and deliberate planning of the crimes, according to Helsinki Times.

Under Finnish law, defendants are presumed innocent while an appeal is pending. Combined with credit for lengthy pretrial detention dating to his February 2023 arrest in France, that presumption got Kivimäki released in September 2025 while the case worked through the courts. That changed once the Supreme Court declined to hear his case this week. Eastern Uusimaa Police, acting on a request from Rise, issued a nationwide wanted notice instructing officers to arrest Kivimäki on sight and transfer him to Vantaa Prison. Police superintendent Mikko Minkkinen said he could not confirm whether an international notice involving Interpol had also been filed. Kivimäki's lawyer, Peter Jaari, says his client would be "in contact with Rise" by phone or message, leaving open whether this is a deliberate disappearance or a delayed check in. As of publication, he has not reported to prison.

Who Is Aleksanteri Kivimäki?

Kivimäki, now 26, was already known to security researchers a decade before Vastaamo, convicted as a minor in 2015 on more than 50,000 counts of computer crimes under the alias "Julius Zeekill" while affiliated with the Lizard Squad griefing collective. French authorities arrested him in February 2023 under a European arrest warrant, this time under his legal first name Aleksanteri, and extradited him to Finland, where The Record reported that prosecutors built their case on forensic links between server logs, Bitcoin transactions, and material tying him to the intrusion. That record is why his current disappearance is treated as a story worth tracking, not a routine parole violation.

Why Email Users Should Care

Most coverage of this story leads with the manhunt. The more durable lesson sits in how Kivimäki chose to extort his victims. He did not just dump a database online and walk away, the way most breach actors do. He put a deadline and a price in an email and sent it to the inbox of everyone whose therapy notes he had stolen, turning a corporate security failure into 30,000 individual, personalized threats. A generic breach notification tells you your data was exposed. A targeted extortion email uses that data against you specifically, and it lands in the same inbox as everything else you trust.

The pattern did not stay unique to Vastaamo. When ShinyHunters accessed customer records through a Zendesk instance used by Hims and Hers, the resulting customer service data exposure followed a similar script: health adjacent data taken through a vendor, then usable to make a follow up message look credible. The same math applies to AssuranceAmerica's breach of 6.9 million driver's license records, where identity documents give scammers the specific detail needed to make a follow up email believable instead of generic. If a breach at your insurer, your doctor's office, or your therapist's booking software ever surfaces your data, assume the next contact could arrive by email, not by mail.

What Should You Do If Breach Data Is Used to Extort You?

If an email arrives demanding payment and citing details from a breach, whether it is a therapy note, a password, or a scanned ID, the response is the same regardless of which company got hacked.

  • Do not pay. There is no evidence paying Kivimäki's ransom stopped a leak, and extortionists who get paid once often come back for more.
  • Preserve everything. Save the full email including headers, do not delete it, and do not reply. That copy is the evidence law enforcement needs to trace the sender.
  • Report it. File a report with your local police and, if you are in the United States, with the FBI's Internet Crime Complaint Center. The Finnish patients who reported the Vastaamo emails to police became part of the evidence that convicted Kivimäki.
  • Check what else is exposed. Search your email address on Have I Been Pwned and treat any reused password as compromised. Our coverage of the 24 billion credential dump uncovered earlier this year covers what to do once your details are circulating.

Kivimäki's case shows how long the tail on a data breach can run: six years from intrusion to a final sentence, and the man convicted of it still has not walked through a prison door.

Stop Email Tracking in Gmail

Spy pixels track when you open emails, where you are, and what device you use. Gblock blocks them automatically.

Try Gblock Free for 30 Days

No credit card required. Works with Chrome, Edge, Brave, and Arc.