At least 14 victims of the Vastaamo data breach have shelled out ransom money to an extortionist, according to Mikko Hyppönen, chief research officer of IT security firm F-Secure.
On Wednesday, Hyppönen posted on Twitter, asking victims who paid 'Ransom Man' to get in touch.
"There have been almost 50 messages since yesterday, most of them wanted to pay or have tried to pay bitcoins to the blackmailer's account, but I can see that 14 have successfully paid and the money has left the account," Hyppönen said.
All of them have paid 200 euros — the first ransom sum demanded by the extortionist. Hyppönen estimated that the total amount paid could be around a few thousand euros.
According to Hyppönen, the blackmailer had been silent since last week but sprung into action in the early hours of Thursday. He cleared the accounts to which victims had transferred the ransom money in bitcoins.
"From there, the bitcoins have been moved, transferred by the 'ransom_man'," Hyppönen said in an interview on radio show Radio Suomen Päivä.
Last week, the extortionist sent out individual emails to the psychotherapy centre's patients asking them to transfer hundreds of euros in Bitcoin to avoid having their patient records published online.
Police have instructed victims not to pay the ransom and urged people to report the matter to the authorities if contacted by the extortionist.
"The act is exceptionally cold-blooded"
Hyppönen guessed that the hacker is trying to erase traces of where the ransom money is headed.
He pointed out that bitcoins are not completely anonymous — they are difficult, but not impossible to trace. The location of the bitcoins is currently known.
"The ideal situation would be if he converts the bitcoin into euros, dollars or rubles, so we could trace the money like in the real world. However, this has not happened yet," Hyppönen said.
Based on the information received so far, Hyppönen thinks that the perpetrator is Finnish.
Story continues after audio.
According to Hyppönen, this is an exceptional hacking case, even by international standards.
"We do not know of any similar case where a psychotherapy clinic was hacked into and patients blackmailed. The act is exceptionally cold-blooded," Hyppönen said.
Hyppönen said victims who have paid the extortionist can still contact him confidentially via email.