Industry News

LizardSquad’s teenage “Untouchable hacker God” convicted, but avoids imprisonment

Julius Kivimäki goes by a variety of names. Sometimes he calls himself “Ryan”, sometimes “Zeekill”. But most recently he has updated his Twitter profile to describe himself as the “untouchable hacker god”.

untouchable-julius

Source: Twitter

Because although the Finnish teenager has just been found guilty of a staggering 50,700 “instances of aggravated computer break-ins” (hacks to you and me), he has managed to escape a prison sentence.

Instead, Judge Wilhelm Norrmann of the District Court of Espoo has sentenced 17-year-old Kivimäki to a two-year suspended sentence, and ordered him to hand over €6,588 worth of property obtained through his criminal activities and ordered that his internet use be monitored.

Julius Kivimäki first came to prominence when the Lizard Squad hacking gang knocked the PlayStation Network and Xbox Live offline over Christmas 2014. Kivimäki was unafraid of showing his face when interviewed by Sky News about the attacks under the pseudonym of “Ryan”.

[youtube http://www.youtube.com/watch?v=fPX8yCBdIZ8]

Source: Youtube

BBC News reports that the hacker exploited vulnerabilities in Adobe’s ColdFusion software to compromise web servers.

Once breached, Kivimäki would scour account databases to steal billing and payment card data, and plant malware to create a botnet that allowed him to launch distributed denial-of-service attacks.

In addition, prosecutors told the court that Kivimäki bought luxury goods with stolen credit cards, and even participated in a money-laundering scheme that saw him fund a vacation to Mexico.

ryan

Source: Sky News

Is Julius Kivimäki really an untouchable hacker god?

Of course not. The FBI and Finnish authorities combined their forces to identify and bring him to justice. The untouchable hacker had his collar felt, and he spent approximately a month incarcerated while the case was investigated. He may have escaped a prison sentence, but chances are that the authorities would have been less sympathetic if he had been over 18 years of age at the time of his offences.

Indeed, a court statement noted that Kivimäki had been 15 and 16 years old at the time he committed computer crimes in 2012 and 2013:

“[The verdict] took into account the young age of the defendant at the time, his capacity to understand the harmfulness of the crimes, and the fact that he had been imprisoned for about a month during the pre-trial investigation.”

Finland clearly considers imprisonment, especially for youngsters, as a last resort – and believes that rehabilitation is always a better route when dealing with criminals. I’m not opposed to that, and I do see that a prison sentence is something that could seriously mess up a young person’s life.

But there is a danger that other young hackers might see the headlines of Kivimäki escaping jail, and his cocky online behaviour as a green light for their own criminal activity.

Lizard Squad itself commented on Kivimäki’s freedom by posting a video of MC Hammer’s hit song, “U Can’t Touch This”.

hammer-time

Source: Twitter

For all his bravado online, Julius Kivimäki needs to be careful that he doesn’t blot his copy book again as the court is likely to be less than sympathetic if he offends again. It’s hard to imagine that a court would look kindly on being made fools of by an unrepentant hacker.

I hope, for his sake and that of his family, that Julius Kivimäki grows up quickly and stops acting like an idiot. But I don’t hold much hope.

How do you think teenage hackers should be punished? Leave a comment below with your thoughts.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

7 Comments

Click here to post a comment

Leave a Reply to Rory Guidry Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  • I think this has set a dangerous precedent. Whilst I do agree that jail is a last resort, I do believe that there should be a stronger sentence. For example why not put his talent to a community service and a much higher fine.

  • The danger goes both ways. One, ” that other young hackers might see the headlines of Kivimäki escaping jail, and his cocky online behavior as a green light for their own criminal activity”. The other, that severe punishment on a young hacker exceeds the harm being done and serves only higher commercial-slash-state (political) interests.
    A just, fair and neutral court doesn’t need to consider either of them excessively. Their first concern is for the legal case at hand, and the person involved. It is best that they decided as they did, since it leaves maximum of chances for the hacker to return to normality, with the permanent backup of new legal measures if he doesn’t.
    His activity showed a high level of teenage showoff, and somewhat lack of understanding of what he was actually doing, in terms of consequences and relevance to the world. There is a chance that he will become a computer expert for some company, or at least that he doesn’t steal someone else’s money anymore.

    • “A just, fair and neutral court”

      No such thing exists, I’m afraid.

      “to return to normality, with the permanent backup of new legal measures if he doesn’t.”

      Correct although this can go both ways, too; it might be good in this case but it might not (it is anyone’s guess).

      “and somewhat lack of understanding of what he was actually doing, in terms of consequences and relevance to the world.”

      It has been proven that kids don’t understand the consequences of some things, including risk taking. Specifically they feel they are invulnerable and/or immortal. Well the fact he called himself untouchable and now he was caught, shows this exactly. Then consider that many risks kids take is potentially fatal and they don’t actually understand just how dangerous things are e.g. stealing copper for profit can and has led to accidental death by electrocution. All of this is aka ‘it can’t happen to me’ mentality.

      “chance that he will become a computer expert”
      Perhaps but I think it depends on many things, including his intent and what actually interests him. Even in the 90s script kiddies were rampant; it is arguably worse now (as in more canned exploits for the masses to use). Whether he steals again, who knows. But in any case there will always be some doubt in his intentions – that is just how it works in this world.

      In the end he made some very serious mistakes and he should consider himself very lucky how light he got off on this. One hopes he is eternally grateful for the leniency but that is hard to know (many do tend to take things for granted).

      • “Let’s hope he is eternally grateful for the leniency”
        Plus referring to him as a kid who doesn’t know the consequences of what he’s done? Nah, man, I’m the same age as this guy. He knows what he’s doing. I’m pretty tired of people believing that teenagers should get off on shit just because they don’t think things through- who cares. He doesn’t, that’s for sure. I consider the court kind of pushovers for giving him such a prissy sentence after years of knowingly ruining people, stealing information, and obviously not giving a shit about some stranger who’s getting screwed in the process. Getting off easy probably isn’t going to “enlighten” him.

  • Compare this to the UK courts sentence of 4 years in prison for the chap who put a joke about starting a riot on his facebook page. He posted it when drunk in the early hours, then took it down and apologised when he woke up later with a hangover… (Of course, no riots actually broke out, but hey, you’ve got to make an example of these people, haven’t you…?)

  • I’m a bit confused by some of this talk about not understanding the consequences of his actions and risk taking… He knew what he was doing was wrong. Period. His “bravado online” makes that case. Where is the personal responsibility?

    I’m also confused by part of his sentence. His internet usage will be monitored. Didn’t he just hack various communication and database systems? A system monitor is going to stop him?

    While, I’m not sure that “throwing the book at him” is all that worthwhile, shouldn’t there be some accountability for his actions? What about paying back the funds he stole? Paying back the costs of repairing the identity theft problems he caused his victums? What about “community service?” All those things would be appropriate.