Finnish forest in winter illuminated by the northern lights. Image by Alan & Flora Botting, License: Creative Commons

The Central Criminal Investigation Department of Finland (Keskusrikospoliisi, KRP) has identified the blackmailer of a Finnish mental health clinic. The money trail also led through Monero. Have Finnish forensic experts cracked the supposedly anonymous cryptocurrency?

MTV Oy, Finland’s leading private broadcaster, calls it a “big revelation”: the Central Criminal Police KRP caught the Vastaamo hacker by following the trail of his money, which ended in the private bank account of Finn Aleksanteri Kivimäki.

Vastaamo is a private psychiatric hospital that was infected by ransomware in the fall of 2020. The highly sensitive data of 40,000 patients ended up in the hands of the hacker. He initially demanded 40 Bitcoin, which was around 400,000 euros at the time. After the clinic refused payment, he contacted individual patients and demanded 200 euros in Bitcoin to prevent the data from being published.

The KRP only reveals parts of how it specifically followed the money’s trail. She sent 0.1 Bitcoin to an address that the blackmailer had mentioned in a letter. The police continued to follow the trail of this money, which first led to other addresses, then to a KYC-free exchange where the Bitcoins were exchanged for Monero. The KRP apparently received this information from the stock exchange itself.

Then it gets exciting: Somehow the KRP managed not to let the trail break off at this point, but to follow it to the Binance exchange, where the hacker used two accounts to exchange Monero for Bitcoin and this for Euro, which ultimately took place over several “Money mules” ended up in Julius Aleksanteri Kivimäki’s bank account.

However, the police do not say exactly how this was possible. According to MTV Oy, she doesn’t want to reveal to criminals or anyone else how the anonymous cryptocurrency was tracked.” It was, we learn, “not easy”; the method was “heuristic” so that it did not provide concrete evidence, but rather clues that could be used for further research.

Classic investigations also seem to have played a role, for example when the police questioned an Estonian who was somehow involved in the transaction flows, or when they investigated the “money mules”, whose transfers ultimately ended up in Kivimäki’s bank account. But she is convinced that she can provide proof.

Kivimäki’s lawyer disagrees: He disputes the validity of the evidence because it is not possible to shed light on the transaction flows as the police claim. Therefore, the accused denies the entire charge.

The Monero community is skeptical about this news. A former member of the MAGIC Monero Fund, Csilla Brimer, says that Monero itself is not broken, but unwanted information can escape when repeatedly exchanged for Bitcoin. If you exchange Bitcoins for Monero without in-depth knowledge and a good system setup – presumably as a kind of atomic swap – “information is likely to arise.”

Brimer may be referring to an “Eve-Alice-Eve” attack, through which Chainalysis identified the perpetrators of the WannaCry ransomware wave. Here too, switching to Bitcoin via the (then) KYC-free exchange Shapeshift was the key.


Leave a Reply