Tiina Parikka was half-naked when she read the email. It was a Saturday in late October 2020, and Parikka had spent the morning sorting out plans for distance learning after a Covid outbreak at the school where she was headteacher. She had taken a sauna at her flat in Vantaa, just outside Finland’s capital, Helsinki, and when she came into her bedroom to get dressed, she idly checked her phone. There was a message that began with Parikka’s name and her social security number – the unique code used to identify Finnish people when they access healthcare, education and banking. “I knew then that this is not a game,” she says.

The email was in Finnish. It was jarringly polite. “We are contacting you because you have used Vastaamo’s therapy and/or psychiatric services,” it read. “Unfortunately, we have to ask you to pay to keep your personal information safe.” The sender demanded €200 in bitcoin within 24 hours, otherwise the price would go up to €500 within 48 hours. “If we still do not receive our money after this, your information will be published for everyone to see, including your name, address, phone number, social security number and detailed records containing transcripts of your conversations with Vastaamo’s therapists or psychiatrists.”

Parikka swallows hard as she relives this memory. “My heart was pounding. It was really difficult to breathe. I remember lying down on the bed and telling my spouse, ‘I think I’m going to have a heart attack.’”

Someone had hacked into Vastaamo, the company through which Parikka had accessed psychotherapy. They’d got hold of therapy notes containing her most private, intimate feelings and darkest thoughts – and they were holding them to ransom. Parikka’s mind raced as she tried to recall everything she’d confided during three years of weekly therapy sessions. How would her family react if they knew what she’d been saying? What would her students say? The sense of exposure and violation was unfathomable: “It felt like a public rape.”

Therapy had been Parikka’s lifeline. Now 62, she’d had three children by the time she was 25, including twins who had been born extremely prematurely in the 1980s, weighing only a few hundred grams each. One grew up with cerebral palsy; the other is blind. Parikka spent years juggling medical emergencies, surgeries and hospital stays with a demanding job and a crumbling marriage. “During those years, nobody ever asked me, the mother, ‘How are you?’”

She divorced in 2014 and met her current partner a year later. By then, her children were adults with independent lives. After decades of putting everyone’s else’s needs before her own, she should have been finally able to exhale. Instead, she had a breakdown. “I had full-scale anxiety running through my body all the time. I couldn’t sleep. I had panic attacks. I couldn’t eat.” Driving at high speed on the highway one day, dark thoughts descended. “I was thinking, I wouldn’t mind if this car crashed.”

In search of urgent help, she went to Google, which led her to Vastaamo, Finland’s one-stop digital shop for people in search of psychotherapy. No doctor referral was necessary. She managed to book a session for the very next day. “It was that easy.”

Being able to confide in a total stranger felt liberating. She told her therapist things she had never told another soul. “Trauma in relationships. The disappointment and tragedy of having disabled children, and the influence it had on my life,” she says. “Silly things, childish things. It’s very human to feel hate, anger, rage.”

After Parikka read the email that left her struggling to breathe, she had no idea where to turn for help. She rang the emergency services, but the police told her to get off the line; they needed to keep it free for real emergencies. In her bathrobe, her phone still in her hand, she felt utterly alone.

But Parikka was far from alone. Across Finland, 33,000 people who had used Vastaamo were discovering that a hacker had got hold of their therapy notes and was holding them to ransom. These were people who, by definition, were likely to be vulnerable, in need of help. Each was experiencing a very personal, individual terror. In a country of only 5.6 million people, everyone knows someone who was hacked.

Some victims’ notes had already been cherrypicked for the world to see. Three days before the extortion emails were sent, someone using the handle ransom_man had left posts on the dark web, on r/Suomi, the Finnish-language subreddit, and on Ylilauta, Finland’s equivalent to 4chan. This time, the post was in English. “Hello Finnish Colleagues,” it began. “We have hacked the psychotherapy clinic vastaamo.fi and taken tens of thousands of patient records including extremely sensitive session notes and social security numbers. We requested a small payment of 40 bitcoins (nothing for a company with yearly revenues close to 20 million euros) but the CEO has stopped responding to our emails. We are now starting to gradually release their patient records, 100 entries every day.”

There was a link to the dark web, where 100 records were already on display. Directly below it, ransom_man had signed off the post with a single word: “Enjoy!”

The 100 records included those of politicians, police officers and prominent public figures. Their names appeared alongside therapy notes that contained details of adultery, suicide attempts, paedophilia and sexual violence. Some of the records belonged to children. And whoever was behind the hack was true to their word: the next day, 100 more patient records were uploaded.

Some victims went searching on the dark web in a desperate attempt to see if their records were out there. Some paid the ransom, scrabbling to get hold of bitcoin while the clock ticked down. Lawyers representing the victims have told me they know of at least two cases where people took their own lives after they discovered their therapy notes had been hacked.

But for all of them, it was already too late. At 2am on 23 October 2020 – the day before the emails began to arrive in tens of thousands of inboxes – ransom_man had uploaded a much larger file. It contained every record of every single patient on Vastaamo’s database. Everyone’s therapy notes had already been published, for free, for everyone in the world to see.

Who was behind the biggest crime Finland had ever known? And might they have been motivated by something other than money? I have spent 18 months trying to answer these questions, following threads across Europe and the US. They culminated in a visit to a prison, and one of the most chilling conversations I have ever had.

* * *

Finland has been ranked the happiest country on Earth by the UN for the last eight years in a row. A world leader in childcare and education, Finland is also famously hi-tech: it’s the most digitalised country in Europe, renowned for its communications sector (as the home of Nokia) and leading the way when it comes to cybersecurity and AI innovation. But Finland is also a place of extremes. It has more heavy metal bands per capita than any other nation. In the far north, for the few days around the winter solstice, the sun does not rise.

Vastaamo had long been considered an example of how Finland was getting it right when it came to digital tech. Founded in 2008 by entrepreneur Ville Tapio and his mother, Nina, a psychotherapist, the aim was to open up therapy to the masses, removing the stigma of asking for help. The platform made it easy for people to see who was free, where, and what therapeutic approach they specialised in. The logo had the colour palette of a first-aid kit, with white lettering in a green speech bubble. Vastaamo means “a place for answers”.

It was an attractive platform for therapists, too: they didn’t have to worry about marketing or billing – Vastaamo would take care of all of that. The company even provided a behind-the-scenes digital interface where therapists could make and store their notes. This formula, combined with the increasing demand for therapy services, meant Vastaamo grew fast. It opened its own network of around 20 clinics across Finland, employing more than 220 psychotherapists by 2018, leading some in Finland to refer to it as “the McDonald’s of therapy”. In the years before Zoom and Teams were part of our daily lives, the remote therapy also offered by Vastaamo was groundbreaking. In 2019, a private equity firm bought a majority stake in the company, earning the Tapio family a payout of more than €5m.

Meri-Tuuli Auer, 30, describes using Vastaamo as “like Uber for therapy – convenient, accessible, relatively cheap”. She picked her therapist because he offered cognitive psychotherapy – and she liked his photo. “He looked nice. He looked approachable.”

Auer’s home, on the outskirts of Helsinki, is a riot of pink. There are Barbie dolls, Barbie books and Barbie-themed handbags on her shelves, as well as a glittery open-top Barbie sports car. A pole-dancing pole takes pride of place in the centre of her living room.

“I’m a mixed personality,” she tells me over tea in Moomin mugs. “I love being around people, but I get that inkling, that doubt: maybe they all think I’m full of shit and stupid and ugly and I have no idea what I’m doing.” Auer has struggled with depression for much of her life. When she was 18, she was in a secretive, difficult relationship with a man 29 years her senior, which made her self-esteem plummet further. She was drinking heavily. “If I hadn’t gone to therapy, I don’t know what would have become of me. Maybe there is another universe where I didn’t make it to 30.”

Most of the cost of Auer’s treatment was covered by the Finnish healthcare system; she paid only about €25 for each weekly session. She was making great strides. “After going to therapy in 2018 and 2019, I had gained a basic sense of security. That was lost in 2020.”

Vastaamo’s CEO knew the company’s patient registry was being held to ransom weeks before his customers found out. On 28 September 2020, Ville Tapio received an email demanding the bitcoin equivalent of €450,000 to keep it safe. Sample patient records attached to the email proved the extortionist wasn’t bluffing. Tapio called in a cybersecurity firm to investigate.

Medical information is an obvious target for would-­be extortionists, says Antti Kurittu, the security specialist Tapio hired. But this was something else: “Whatever I tell a therapist is, by its very nature, a lot more private than what my blood pressure is,” he says, drily.

Kurittu used to be a detective, investigating cybercrimes for the Finnish police; he says he insisted they be told about the ransom attempt so they could begin a parallel investigation. Meanwhile, he began inspecting Vastaamo’s server, looking for clues as to who might be behind the hack – and one of the first things he noticed was how lax security had been. “It was definitely unfit for purpose for storing this kind of information,” he says. He tells me that the patient records database was accessible via the internet; there was no firewall and, perhaps most egregiously, it was secured with a blank password, so anyone could just press enter and open it. Kurittu determined that whoever had hacked Vastaamo had probably just been scanning the internet in search of any badly secured databases that could be monetised. “They tried a bunch of bank vaults to see which ones were open, and just happened to stumble on this one.”

For a few weeks, the hacker and Vastaamo exchanged emails, but there was no question that Vastaamo would pay the ransom. If they did, they’d have to trust a criminal’s word that the records had been destroyed – plus, Kurittu says, it goes against the national character. “Finns are a bit of a belligerent bunch. We’re not known for paying ransom quietly or easily, which I take great national pride in.”

After ransom_man started leaking patient records to put pressure on the company, Kurittu kept a close eye on the server being used to publish them. He had a hunch whoever was behind this was either Finnish, or had lived in Finland for a long time: they knew which famous names to flaunt from the patient records.

* * *

When Auer learned about the hack, she downloaded a browser that would enable her to access the dark web, for the first time in her life. “I was thinking to myself, I just have to see if my records are there.” She found her name wasn’t among the first batch posted, and closed the file without reading anyone’s records. But she saw other people discussing what they’d seen. “People had already picked – in their opinion – the funniest parts from the patient records. They were laughing at these people’s misery. A 10-year-old child had gone to therapy, and people found it funny.”

Auer began to spiral. “I closed myself in at home, I didn’t want to leave, I didn’t want anyone to see me,” she tells me. She had no hope that the hacker would ever be found. “It’s not that I don’t trust the police in Finland – it’s just that it seemed like an impossible task.”

But the much larger file ransom_man had uploaded to the dark web – the one that contained every single one of Vastaamo’s patient records – also included vital clues to his identity. The first three batches of therapy notes had been posted manually, but when the hacker had tried to automate the process, he had not only accidentally uploaded all of the therapy notes, but also his entire home folder. It had appeared only briefly before it was taken down, along with a post that read “whoopsie :D”, but ransom_man had screwed up.

“After spending several evenings with the file, I had the feeling I’d seen this kind of thing before,” Kurittu says. The data on the hacker’s home drive wasn’t systematically organised and arranged in folders, as you would expect from someone for whom extortion was a business. “It had that sort of chaotic, passionate hobby feeling to it.” And there was something about the childish way ransom_man had named some of the files that was eerily familiar (the one containing all the patient data was entitled “therapissed”).

Kurittu’s mind went back to 2013 when he was a senior detective constable for the Helsinki police, and the file names he’d seen on a computer he’d seized from a 16-year-old boy. “It made me think of Julius Kivimäki.”

* * *

Aleksanteri Kivimäki – who used to go by his middle name, Julius, or the online handle zeekill – had long been notorious among cybersecurity investigators. Not because of any particular talent as a hacker, but because he seemed prepared to go further than most who spend their time in the darkest parts of the internet.

Aged 14, Kivimäki was involved with a group called Hack the Planet (named after the tagline of the 1995 movie Hackers). They would break into big companies and show off what they had managed to steal online. “It was for the LOLs,” says Blair Strater, a former hacker from Illinois who hung out with Kivimäki in internet relay chat forums at that time. “You notice that something is open and you just take it. It’s not targeted.”

This kind of hacking was about impressing others – winning online clout, not extorting money. But some of those involved may have felt they were also serving a noble purpose: exposing security vulnerabilities in major corporations, or the hypocrisy of cybersecurity firms who claimed to be qualified to advise businesses while being unable to secure their own network.

Strater found Kivimäki amusing, at first. “A lot of the things he did early on were objectively funny,” he tells me over Zoom from his home in Illinois. When I ask Strater whether I would find them funny, he clarifies that his humour was an acquired taste best suited to 4chan. But in 2010, when Strater was 17 and Kivimäki was 14, they fell out over which one of them was going to publish a report of a recent hack.

Orders of pizzas and Chinese takeaway began arriving at the home Strater shared with his parents and younger sister on the outskirts of Chicago; when they opened the door, the delivery driver would ask for Julius Kivimäki. “Taxis were ordered. Hookers were ordered,” Strater says. “My father had to send away a big dump truck filled with gravel.” Strater received a blizzard of letters from credit card and insurance companies, and government agencies, including one from the department of social security confirming that an appointment with the welfare office had been created for him and his spouse – Julius Kivimäki.

Then, at 2am one morning, police in body armour carrying guns with laser sights turned up outside the Straters’ home, responding to reports that Blair had beaten his mother to death in a drug-fuelled rage. When she answered the door, they took her blood pressure to verify that she was, in fact, alive. It was the first of dozens of so-called swatting attacks the family would endure. After a lull of a couple of months, Strater learned that someone using his name had emailed a bomb threat to a local police officer; it led to Strater spending three weeks over Christmas in a juvenile detention centre.

Several years into their feud, in 2015, someone hacked Elon Musk and Tesla’s Twitter accounts, and tweeted that anyone who rang the Straters’ landline or showed up at their home would get a free car; their phone rang off the hook for days, and Blair’s father had to turn several disappointed people away from their porch. Someone using Blair’s mother’s name posted a threat to shoot up the elementary school where his 10-year-old sister was a pupil. His mother’s LinkedIn and Twitter accounts were hacked and filled with juvenile, racist posts, as well as antisemitic insults directed at the company where she worked as a healthcare statistician. Within months, she had lost her job.

The campaign of terror lasted for many more years. Strater says it’s never going to be fully over. “It’s like having cancer: it’s never really cured, it goes into remission,” he says. “Every so often, someone would hit me up and say, ‘Hey, I was one of the people that helped Julius do these things.’ Sometimes they would say, ‘He made me do them. He was blackmailing me,’ which is something he does to an awful lot of people. I want to make this very clear: I am not the person zeekill fucked with the most.”

Indeed, Kivimäki set his sights far beyond the Strater family. In August 2014 – days after his 17th birthday – he rang in a fake bomb threat that grounded a flight carrying John Smedley, president of Sony Online Entertainment, who oversaw PlayStation’s multiplayer network. A group calling themselves Lizard Squad claimed responsibility, posting almost nonsensically on Twitter that the attack was in sympathy with Islamic State. Lizard Squad struck again, on 25 December 2014, with a cyber-attack that shut down Xbox and PlayStation, and ruined Christmas morning for millions. Brazenly, Kivimäki gave interviews to BBC 5 Live and Sky News as a Lizard Squad spokesperson, claiming they did the hack both to amuse themselves and to expose Microsoft and Sony’s poor cybersecurity. He seemed to revel in the chaos and drama. He appeared on camera on Sky News; he used a fake name, but his boyish face – blond hair, blue eyes, plump cheeks – was visible for all to see.

In July 2015, following Kurittu’s investigation with the Finnish police, Kivimäki was convicted of hacking into servers at MIT and Harvard universities, as well as money laundering and fraud. He was found guilty of more than 50,000 data breaches, and received a two-year suspended sentence; he had his computer confiscated and was forced to pay back more than €6,000 obtained through his crimes. He never faced justice for any of the offences he perpetrated against Blair Strater and his family.

Shortly after he received his suspended sentence, Kivimäki updated his Twitter bio to read “untouchable hacker god”.

* * *

Kivimäki spent the next few years travelling the world. During lockdown, he lived in an air-conditioned apartment in Westminster, 20 metres away from the central London headquarters of MI5. There were trips to Dubai, Hong Kong, Barcelona and Paris. According to the images of himself he liked to post online, he was living the life of an international jetsetter. But he was not, in the end, untouchable.

Police made a micropayment of 0.1 bitcoins to ransom_man. They were able to determine that, when it was laundered into real-world currency, it was transferred into Kivimäki’s bank account. The home folder ransom_man had accidentally uploaded had led the police to some servers, one of which had been paid for using a credit card linked to him – the same one he’d been using to pay for Apple services and an OnlyFans subscription.

As investigators traced the history on ransom_man’s home folder, they were able to determine that, as well as looking for keywords such as rape, abuse and child molestation in the database of patient records, the hacker had also searched for Kivimäki’s home address, and the names of his family members. “Before publication, he ensured there was no harmful information about him, or people close to him,” Pasi Vainio, the lead prosecutor on the case, tells me. Those searches took place using an IP address linked to Kivimäki’s Westminster apartment. “He was in London when the crimes were committed.”

But it was a drawn-out, arduous investigation. There were terabytes of data to comb through. The crime had so many victims that the police had to create an online portal for everyone to register and give their statements. That generated more than 21,000 criminal reports, all of which needed to be looked at individually. So it was October 2022 – two years after Parikka, Auer and the other victims had received their ransom demands – before Vainio signed an arrest warrant for Kivimäki. His face – chubby-cheeked and floppy-haired – was added to Europol’s list of most-wanted fugitives, alongside murderers and drug traffickers.

On 3 February 2023, French police were alerted to a report of domestic violence taking place in a flat in a Paris suburb. Officers used a battering ram to enter the property and found a man and a woman inside. The man was pale and white-blond, but when asked to identify himself he handed over a Romanian passport that gave his name as Asan Amet. “We have a Scandinavian-looking guy, 195cm tall,” Vainio tells me with a smile. “I think the French police just thought something’s off.” They searched their databases and discovered Amet was one of Kivimäki’s known aliases. He was handed over to the Finnish authorities a few weeks later.

“I don’t know what I had expected, but I was surprised to see that he looked so normal,” Auer says. “He looks like a regular Finnish young man. It did make me feel like it could have been anyone.”

“I had heard that he was in a court hearing,” Parikka says. “We have a habit – every night at 8.30pm, I’ll lie here on the couch with my spouse and watch the main news. Without warning, Kivimäki was there on the screen. Kivimäki came to my living room.” She glances over to her couch, metres away from where we sit, and is overcome with tears. “I didn’t sleep the next night.”

But when the trial began, in November 2023, Parikka was determined to watch Kivimäki face justice. The logistics of inviting more than 21,000 registered victims to court were impossible; instead, proceedings were relayed to public spaces such as cinemas so that the plaintiffs could watch in real time. In a case that was all about the right to privacy and anonymity, it sounds a profoundly awkward setup. “We were all sitting far away from each other,” Auer says. “It was dead silent.” Parikka had a similar experience. “We pretty much kept to ourselves.”

On 30 April 2024, Kivimäki was found guilty of all charges – including 9,600 counts of aggravated invasion of privacy and more than 21,300 counts of attempted aggravated extortion – and sentenced to six years and three months in prison: a long stretch by Finnish standards, but shy of the seven-year maximum he could have received. His appeal against his sentence is currently under way.

Even if his conviction is upheld, he will be a free man by the end of this year.

“The sentencing scale is too low, in my opinion. But that’s the framework we have in Finland,” Vainio says. He tells me a colleague has tried to quantify the harm caused, using the conservative estimate that each person had endured a week of agony as a result of the hack. “When you multiply it with the number of victims of this case, you would have 635 years of suffering.”

* * *

Now 28, Kivimäki has served much of his sentence in a spotless, bright but suitably austere facility in Turku, south-west Finland, a two-hour train ride from Helsinki. For months, he had refused to grant me an interview, but while I am in Finland reporting this story, he changes his mind. As I sit in silence in the prison’s visitor room for what feels like hours, watching the clock tick down behind a panel of reinforced glass, I wonder if Kivimäki is trolling me; if he has dragged me over here simply to derail the other interviews I already had scheduled, with no intention of ever leaving his cell. But after 40 minutes he appears. With his white-blond hair, ice-blue eyes and razor burn, and dressed in a black T-shirt and shorts, he looks like an overgrown teenage boy.

He didn’t do it, he says; he’s simply a victim of his own notoriety. “They had to find somebody. They just chose somebody who was convenient for the story.” When I point out that there’s an enormous amount of circumstantial evidence linking him to the hack, Kivimäki is defiant. “The obvious answer is that it’s just somebody close to me.” He has an idea who it is, he continues, but he isn’t prepared to name names.

It seems very selfless to do time for someone else’s crime, I say. I tell him Parikka says having her therapy notes held to ransom felt like a public rape. “I’m sure that’s how she felt,” he replies, blankly. “It’s quite remote to me. I’m involved, in that I was in court over this stuff, but I didn’t do it. It’s another story in the news.”

As a fellow human being rather than the person convicted of the crime, I ask, what’s your response to people taking their lives after having their therapy notes stolen? “There’s a lot of terrible things going on in the world. I don’t really feel any differently about this. I turn on the news and there’s people dying in Gaza or wherever. It’s like, how do you feel about that? I think the honest answer for most people is that they just … don’t.” You don’t have anything to say to the victims? “Not really,” he replies. “These are nameless, faceless people.”

“There’s been just one question that I would ask Kivimäki,” Parikka says. “That would be: ‘Was there ever such a moment that you felt empathy?’ I don’t think he’s able to put himself into anybody else’s situation.” She pauses. “I think that he really needs therapy.”

* * *

Vastaamo was declared bankrupt in February 2021. Days after patients received the ransom emails, the board announced that it had let the CEO, Ville Tapio, go. In April 2023, Tapio was found guilty of criminal negligence in his handling of patient data. His conviction was overturned on appeal in December 2025. (He declined my requests to interview him.)

“I have actually been more angry towards Ville Tapio than I have been towards Kivimäki,” Auer says. “As CEO of the company, he had the responsibility to make sure that it was prepared for all kinds of risks, and that they had sufficient information security. It seems like it was never a priority to him.” What was his priority? “Making money. He ran a very successful business.”

“I believe that originally the Tapios were wanting to help people and make therapy available,” Parikka says. “There are now maybe thousands of people who will never use therapy again, because they can never trust. And that’s really bad.”

Alongside more than 6,000 other plaintiffs, Auer and Parikka are part of a civil case suing Kivimäki for damages. Despite the lifestyle he projects online, he claims not to have the funds to pay damages; so far, no one has been able to find his assets. The government has agreed to pay compensation to victims – anything from a few hundred euros to a few thousand, depending on how many pages of their therapy notes Vastaamo had in its database, and how sensitive the information contained in those pages was – but the sum is likely to be symbolic. How can you ever repay the damage of being exposed in this way?

Copies of the patient files have been circulating ever since they were first released in October 2020. At one point, someone created a special search engine for browsing the database. This doesn’t surprise Parikka. “Kivimäki isn’t just one of a kind,” she says. “I know human curiosity. People want to know.”

Other people are as prepared as Kivimäki was to break moral and legal boundaries – for money, for online clout, out of ghoulish curiosity or simply for the LOLs. In May, Finnish police announced that there was a second suspect in the Vastaamo case, a US citizen living in Estonia – suspected of aiding and abetting Kivimäki, helping prepare the files. He has been charged with assisting in the attempted extortion.

In an era when AI models are trained on our Zoom conversations, emails and status updates, it is naive to believe that anything can ever be fully secure. The human need to confide in others can be met in an extraordinary range of ways in the digital age. In a world of unparalleled connectivity, can our innermost secrets ever be truly safe?

Kivimäki thinks we are all clinging on to analogue expectations about privacy in a digital world. “So many of our worst secrets – I mean worst of worst, things we might really, really not want to share with the entire world – they exist online. They’ll exist in the database of some company you used,” he tells me. “Everybody’s photos, everybody’s text-messaging histories.” He fixes me with his eyes. “You fundamentally want to believe in this privacy. But, on the other hand, I don’t know how you’re going to get there.”

Intrigue: Ransom Man, Jenny Kleeman’s six-part series for BBC Radio 4, is available now on BBC Sounds.