In a win for internet trolls and teenage cybercriminals everywhere, a Finnish court has decided not to incarcerate a 17-year-old found guilty of more than 50,000 cybercrimes, including data breaches, payment fraud, operating a huge botnet and calling in bomb threats, among other violations.
As the Finnish daily Helsingin Sanomat reports, Julius Kivimäki — a.k.a. "Ryan" and "Zeekill" — was given a two-year suspended sentence and ordered to forfeit EUR6558 ($9782).
Kivimaki vaulted into the media spotlight late last year when he claimed affiliation with the Lizard Squad, a group of young hooligans who knocked offline the gaming networks of Microsoft and Sony for most of Christmas Day.
According to the BBC, evidence presented at Kivimaki's trial showed that he compromised more than 50,000 computer servers by exploiting vulnerabilities in Adobe's Cold Fusion web application software. Prosecutors also said Kivimaki used stolen credit cards to buy luxury goods and shop vouchers, and participated in a money laundering scheme that he used to fund a trip to Mexico.
Kivimaki allegedly also was involved in calling in multiple fake bomb threats and a "swatting" incident — reporting fake hostage situations at an address to prompt a heavily armed police response to that location. DailyDot quotes Blair Strater, a victim of Kivimaki's swatting and harassment, who expressed disgust at the Finnish ruling.
Speaking with KrebsOnSecurity, Strater called Kivimaki "a dangerous sociopath" who belongs behind bars.
Although it did not factor into his trial, sources close to the Lizard Squad investigation say Kivimaki also was responsible making an August 2014 bomb threat against former Sony Online Entertainment President John Smedley that grounded an American Airlines plane. That incident was widely reported to have started with a tweet from the Lizard Squad, but Smedley and others say it started with a call from Kivimaki.
In a phone interview, Smedley said he was disappointed that the judicial system in Finland didn't do more.
"I personally got to listen to a recording of him calling in to American Airlines, and I know it was him because I talked to him myself," Smedley said. "He's done all kinds of bad stuff to me, including putting all of my information out on the Internet. He even attempted to use my credit numerous times. The harassment literally just did not stop."
In an online interview with KrebsOnSecurity, Kivimaki denied involvement with the American Airlines incident, and said he was not surprised by the leniency shown by the court in his trial.
"During the trial it became apparent that nobody suffered significant (if any) damages because of the alleged hacks," he said.
The danger in a decision such as this is that it emboldens young malicious hackers by reinforcing the already popular notion that there are no consequences for cybercrimes committed by individuals under the age of 18.
Case in point: Kivimaki is now crowing about the sentence; He's changed the description on his Twitter profile to "Untouchable hacker god." The Twitter account for the Lizard Squad tweeted the news of Kivimaki's non-sentencing triumphantly: "All the people that said we would rot in prison don't want to comprehend what we've been saying since the beginning, we have free passes."
It is clear that the Finnish legal system, like that of the United States and others, simply does not know what to do with minors who are guilty of severe cybercrimes. The FBI has for several years now been investigating several of Kivimaki's contemporaries, young men under the age of 18 who are responsible for a similarly long list of cybercrimes — including credit card fraud, massively compromising a long list of web sites and organisations running Cold Fusion software, as well as swatting my home in March 2013. Sadly, to this day those individuals also remain free and relatively untouched by the federal system.
Lance James, former head of cyber intelligence for Deloitte and a security researcher who's followed the case closely, said he was disappointed at the court's decision given the gravity and extensiveness of the crimes.
"We're talking about the internet equivalent of violent crimes and assault," James said. "This is serious stuff."
Kivimaki said he doesn't agree with the characterisation of swatting as a violent crime.
"I don't see how a reasonable person could possibly compare cybercrime with violent crimes," he said. "There's a pretty clear distinction here. As far as I'm aware nobody has ever died in such an incident. Nor have I heard of anyone suffering bodily injury."
As serious as Kivimaki's crimes may be, kids like him need to be monitored, mentored, and moulded — not jailed, says James.
"Studying his past, he's extremely smart, but he's troubled, and definitely needs a better direction," James said. "A lot of these kids have trouble in the home, such as sibling or parental abuse and abandonment. These teenagers, they aren't evil, they are troubled. There needs to be a diversion program — the same way they treat at-risk teenagers and divert them away from gang activity — that is designed to help them get on a better path."
But Kivimaki may not get that chance. According to Smedley, there are more than a dozen criminal cases pending against the Finnish youth.
"Now that he's a convicted felon, he can't claim first time status anymore," Smedley said. "There's no question he's going to get his."
Morning & Afternoon Newsletter