Also, More ShinyHunters Breaches, North Korea Laptop Farm Operator Sentenced

Every week, ISMG rounds up cybersecurity incidents and breaches around the world. This week, Finland’s most notorious hacker gets a sentence of nearly seven years for his psychotherapy center hacking and extortion. ShinyHunters claimed breaches at Dutch telecom Odido and car marketplace CarGurus. A Ukrainian national got a five-year U.S. federal prison sentence for running North Korean laptop farms. A Romanian national pleaded guilty to selling access to an Oregon state network. An Interpol-coordinated operation swept up scam networks in Africa. MuddyWater launched an AI-assisted espionage campaign in MENA, Advantest reported a ransomware incident, SolarWinds and Microsoft patched critical vulnerabilities, and Soliton’s FileZen flaw was exploited. QualDerm disclosed a healthcare data breach.
Finnish Psychotherapy Center Hacker Gets 7 Years
The Helsinki Court of Appeal sentenced Aleksanteri Kivimäki, 28, on Thursday to six years and eleven months in prison. Finland’s most notorious hacker sought to overturn a 2024 conviction for hacking into now-defunct psychotherapy chain Vastaamo, assuming the moniker “ransom_man” to blackmail patients and publish patient records online.
At least one suicide reportedly resulted from the incident. Prosecutors said Kivimäki carried out the breach between November 2018 and March 2019 (see: Finnish Vastaamo Hacker Freed While Appealing Conviction).
Finnish daily newspaper Helsingin Sanomat reported that judges gave Kivimäki a sentence one month shy of the seven year maximum on the condition that he fulfill separate agreements to compensate injured parties. The paper reported that Kivimäki’s attorney said that Kivimäki is currently not in Finland, and that the attorney does not know where he is.
The psychotherapy center, Vastaamo, went bankrupt after ransom_man published therapy session notes of more than 2,000 patients. Kivimäki emailed victims an extortion demand of 200 euros in cryptocurrency, which he said would increase to 500 euros after 24 hours. Vastaamo received an extortion demand of 450,000 euros. More than 20,000 patients received extortion demands.
Kivimäki, under the aliases “zeekill” and “Ryan,” was earlier part of a distributed denial-of-service gang known as Lizard Squad that, among other attacks, overwhelmed the servers for Xbox Live and the PlayStation Network on Christmas Day 2014.
In late 2025, Finnish prosecutors charged Daniel Lee Newhard, 28, an American citizen living in Estonia, with aiding and abetting Kivimäki’s extortion efforts.
ShinyHunters Claims Two New Victims
Digital extortionists ShinyHunters claimed two new victims this week: a major Dutch telecommunications company and a globally recognized vehicle marketplace.
On Feb. 12, Odido – one of the Netherlands’ largest telecoms – disclosed a breach, reporting that threat actors exfiltrated user data through the telecom’s Salesforce-based customer contact system on or around Feb. 7. The company said that no account passwords, call details, location or billing data were exposed during the breach.
Exposed data varies by customer and in some instances includes full name, address, city of residence, phone and Odido customer ID numbers, email address, birthdate, bank account number and passport or driver’s license details.
In a “final warning” to the company, ShinyHunters demanded a ransom and signaled an incoming string of threats which, should Odido fail to pay, would result in “several annoying (digital) problems.”
ShinyHunters recently added Odido’s data to its dark web leak site, purporting to have stolen 21 million records across 6.2 million customers.
The cybercrime group also said it hacked online vehicle marketplace CarGurus, reportedly stealing roughly 1.7 million corporate records.
According to the extortionist group, CarGurus on Feb. 13 became the latest victim of the gang’s code-stealing spree; the group said it used voice phishing, or vishing, tactics to obtain single sign-on access.
On Saturday, the group published 6.1 gigabytes of archived data containing about 12.4 million records. Compromised data includes email and IP addresses, full names, phone numbers, physical addresses, user account IDs, finance pre-qualification application data, finance application outcomes, dealer account details and subscription information.
The following day, breach monitoring platform HaveIBeenPwned confirmed the validity of the stolen dataset, reporting that about 70% of the identifying data stolen was already present on the site due to prior breach incidents.
Since the beginning of the year, ShinyHunters has claimed breaches against Ivy League giants Harvard and University of Pennsylvania, investment advisory firms Mercer Advisors and Beacon Pointe Advisors, and dating app conglomerate Match Group, which owns and operates dating platforms Tinder, Hinge, Meetic, Match.com and OkCupid.
Ukrainian Gets 5 Years in North Korean IT Worker Laptop Farm Scheme
A Ukrainian national received a U.S. federal prison sentence of five years for operating a laptop farm that helped North Korean IT workers fraudulently perform remote jobs at dozens of companies, federal prosecutors announced.
Oleksandr Didenko, 29, pleaded guilty to wire fraud conspiracy and aggravated identity theft. Prosecutors said he stole or purchased U.S. identities and ran a U.S.-based domain, Upworksell.com, which enabled North Korean remote IT workers to pose as domestic workers. He managed at least three U.S.-based laptop farms in Virginia, Tennessee and California to make it appear the workers were operating inside the country (see: US FBI Busts North Korean IT Worker Employment Scams).
Authorities said the laptop farms facilitated the presence of North Korean workers at roughly 40 U.S. companies. The court ordered forfeiture of more than $1.4 million and restitution of about $46,500.
The sentencing follows a broader FBI and Justice Department crackdown on North Korea’s remote IT worker operations (see: DOJ Continues Crackdown on North Korea’s Cyber Schemes).
U.S. officials and security researchers describe the activity as part of a state-directed North Korean revenue-generation strategy designed to evade sanctions. The operations rely on identity fraud, U.S.-based intermediaries and financial obfuscation techniques, including cryptocurrency transfers, to move earnings overseas (see: How to Spot a North Korean Job Candidate).
Romanian Man Pleads Guilty to Selling Access to Oregon State Government Network
A Romanian national pleaded guilty to selling unauthorized access to the computer network of an Oregon state government office and other U.S. victims, federal prosecutors said Friday.
Catalin Dragomir, 45, admitted in federal court that he breached a computer connected to an Oregon state agency’s network in June 2021 and sold that access online. To prove he controlled the system, Dragomir provided prospective buyers with samples of stolen personal identifying information.
Prosecutors said Dragomir brokered access to multiple other U.S.-based networks, causing at least $250,000 in losses. He pleaded guilty to one count of obtaining information from a protected computer and one count of aggravated identity theft.
Dragomir was arrested in Romania in November 2024 and extradited to the United States in January 2025.
Interpol-Led Africa Cybercrime Sweep Nets 651 Arrests, Recovers $4.3M
Law enforcement agencies from 16 African nations working with Interpol dismantled online scam networks in a coordinated operation that resulted in 651 arrests and the recovery of more than $4.3 million in illicit funds.
The eight-week campaign, called Operation Red Card 2.0, ran from Dec. 8, 2025, to Jan. 30 and targeted the infrastructure and actors behind high-yield investment fraud, mobile money scams and fraudulent mobile loan applications.
Investigators said scams led to more than $45 million in financial losses. They identified 1,247 victims, most in Africa but with some cases extending beyond the continent. Authorities seized 2,341 devices and took down 1,442 malicious IP addresses, domains and servers used to facilitate the scams.
In Côte d’Ivoire, police seized hundreds of mobile phones and other equipment in a drive against predatory mobile loan fraud that targeted vulnerable users with deceptive apps and messaging services.
Kenyan authorities made 27 arrests connected to fake investment schemes that used social media, messaging apps and fabricated dashboards to lure victims.
In Nigeria, police dismantled a major fraud ring and shut down more than 1,000 fraudulent social media accounts tied to phishing, identity theft and fake digital asset schemes. Nigerian investigators also arrested six suspects accused of breaching a telecommunications company’s internal systems to siphon airtime and data for illegal resale.
MuddyWater’s New MENA Offensive Deploys AI-Assisted Malware
The Iran-linked advanced persistent threat group tracked as MuddyWater launched a coordinated cyberespionage campaign dubbed “Operation Olalampo,” targeting organizations and individuals across the Middle East and North Africa region with a suite of custom malware, found digital forensics company Group-IB.
The campaign, first spotted on Jan. 26, begins with spear-phishing emails carrying malicious Microsoft Office documents. Once users enable macros, embedded code drops one of several payloads, giving attackers remote access and persistence on victim systems.
Group-IB analysts identified four key malware families deployed in the operation: GhostFetch, a stealthy first-stage downloader; HTTP_VIP, a native downloader and command and control communicator; GhostBackDoor, a secondary implant with interactive shell capabilities; and Char, a Rust-based backdoor controlled via a Telegram bot.
Char source code contains debug strings with emojis, a strong indicator of artificial intelligence-assisted malware development. MuddyWater used tailored phishing lures, such as fake corporate reports and flight-ticket themed documents.
Advantest Hit By Ransomware Incident
Japanese semiconductor test-equipment leader Advantest Corp. said Thursday that a ransomware-related cybersecurity incident may have impacted parts of its internal IT network.
The company detected unusual activity in its systems on Feb. 15. Preliminary forensic findings indicate an unauthorized third party may have gained access to parts of the network and deployed ransomware, Advantest said.
The company has not confirmed whether any data was exfiltrated or whether it has received extortion demands. It did not respond to a request for comment.
SolarWinds Fixes 4 Critical Serv-U Flaws
American network monitoring firm SolarWinds patched four critical vulnerabilities in its Serv-U managed file transfer software that could allow attackers to execute code with elevated privileges.
The vulnerabilities, fixed in Serv-U version 15.5.4, each carry a CVSS score of 9.1. The most serious issue, CVE-2025-40538, stems from broken access control and could allow an attacker to execute arbitrary code and create system administrator accounts.
Three additional bugs – CVE-2025-40539, CVE-2025-40540 and CVE-2025-40541 – include type confusion and insecure direct object reference vulnerabilities that could also lead to remote code execution.
Serv-U is widely used in enterprise environments for secure file transfer. Russian nation-state hackers famously carried out a supply chain attack against SolarWinds in 2020, injecting a backdoor into an update for the firm’s Orion suite of network management and monitoring software.
Microsoft Fixes High-Severity Windows Admin Center Flaw
Microsoft disclosed a now-patched high-severity privilege escalation vulnerability in its Windows Admin Center management platform that could let attackers gain elevated access.
The flaw, tracked as CVE-2026-26119 with a CVSS score of 8.8, stems from improper authentication and could let a low-privileged attacker escalate to the rights of the user running the application.
Microsoft said it found no evidence of active exploitation but assesses attacks as “more likely,” meaning that exploit code “could be created in such a way that an attacker could consistently exploit this vulnerability.”
Active Exploitation of Critical FileZen Flaw Could Let Attackers Run OS Commands
A critical operating system command injection flaw in Soliton Systems’ FileZen file transfer appliance is being actively exploited, potentially allowing attackers to execute arbitrary OS commands on vulnerable systems, the company said in a security advisory.
The issue, tracked as CVE-2026-25108 with a CVSS score of 8.8, affects FileZen versions V4.2.1-V4.2.8 and V5.0.0-V5.0.10 when the Antivirus Check Option is enabled.
The flaw can be triggered by an attacker with valid login access who sends specially crafted HTTP requests to the FileZen web interface, risking full system compromise, data theft or persistence on the appliance. The U.S. Cybersecurity and Infrastructure Security Agency added the flaw to its Known Exploited Vulnerabilities Catalog.
QualDerm Partners Notifies 175,000 Texas Patients of December Data Breach
Tennessee-based QualDerm Partners, also known as Pinnacle Dermatology, is notifying patients and regulators about a December hacking incident involving data theft.
The firm told Texas regulators Tuesday the hack affected nearly 175,000 current and former patients in the Lone Star state alone. The firm provides administrative, IT and other support services to 158 dermatology practices in 17 states. QualDerm says its affiliated practices see more than 120,000 patients monthly.
In a breach notice, QualDerm said that on Dec. 24, 2025, the company detected unauthorized activity in its IT network.
An investigation determined a threat actor gained access to a limited number of IT systems within QualDerm’s network between Dec. 23, and Dec. 24, removing certain information stored in those systems.
The affected information varies by individual but may include patient name, date of birth, doctor name, medical record number, date of death, email address, treatment information, diagnosis information, health insurance information and government-issued identification information, including driver’s license number.
With reporting from Information Security Media Group’s Gregory Sirico in New Jersey, Marianne Kolbasuk McGee in the Boston exurbs, Poulami Kundu in Bengaluru and David Perera in Northern Virginia.
