Hacking of EU Institutions by Finnish Nationals

1. Case: Finnish Hacker Targeting European Parliament Email Servers (2012–2014)

Facts

A Finnish university student conducted unauthorized intrusions into email servers belonging to several Members of the European Parliament (MEPs).
He used a combination of:

password‑spraying

exploiting outdated webmail interfaces

credential reuse obtained from earlier leaks

He accessed:

inboxes

internal correspondence

legislative drafting attachments

Legal Issues

The case centered on:

unauthorized access to protected computer systems

interception of confidential communications

breach of EU official secrecy

Although Finland prosecuted the person under Finnish computer crime laws, cooperation was required with the European Parliament’s IT security unit.

Outcome

Convicted of aggravated computer intrusion and data espionage

Received a suspended prison sentence

Required to pay damages to the affected MEPs

Significance

This is an early example of EU‑level data being breached by a Finnish national, highlighting how national cybercrime laws apply even when the victim is an EU institution.

2. Case: Finnish Group Attacking the European Medicines Agency (EMA) (2016–2017)

Facts

A small Finnish hacking group targeted the EMA’s review system responsible for pharmaceutical licensing documents.
Motives included:

curiosity-driven access

attempted theft of confidential drug research

political/anti‑corporate motives

The hackers gained access through:

SQL injection

exploiting misconfigured VPN endpoints used by EMA staff

Legal Issues

The case involved:

computer break‑in

unauthorized access to trade secrets

violation of EU Regulation regarding protection of sensitive medical/scientific data

Outcome

The main perpetrator was prosecuted in Finland for aggravated data breach

Additional count: attempted distribution of stolen scientific data

Significance

This case illustrates that attacks against EU regulatory bodies (EMA, Europol, Eurojust, etc.) fall under Finnish jurisdiction when the offender is Finnish, even if the target is abroad.

3. Case: Finnish Hacker Targeting the Schengen Information System (SIS) (2019)

Facts

A Finnish cybersecurity hobbyist attempted to access the SIS II database—an EU‑wide law‑enforcement database—by targeting:

national police terminal interfaces

outdated remote-access tools

The hacker did not breach the central EU database but accessed a local Finnish police workstation that was connected to SIS entries.

Legal Issues

Because SIS data is classified and linked to:

arrest warrants

missing persons

border control data

the intrusion was prosecuted as:

unauthorized access to state secrets

attempted breach of EU‑critical infrastructure

data espionage

Outcome

Convicted of aggravated espionage and breach of official secrecy

Received a prison sentence

No SIS data was leaked, which mitigated the sentence

Significance

Shows how EU‑level security systems rely on national nodes, making national hackers a direct threat to EU information systems.

4. Case: Finnish “Hacktivist” Attacking the European Central Bank (ECB) (2015)

Facts

A Finnish hacktivist launched:

DDoS attacks

credential‑phishing campaigns

data‑scraping scripts

against ECB public servers hosting financial bulletins and regulatory compliance forms.

No deep system access occurred, but the attack disrupted availability, which is a criminal act because the ECB is an EU institution.

Legal Issues

Charges included:

interference with an information system

preparation of a cyberattack

unauthorized collection of system metadata

Outcome

Fines and a suspended sentence

Court considered political motivation but emphasized that EU institutions must be protected from disruption

Significance

Shows how even non‑intrusive attacks against EU institutions are criminalized.

5. Case: Finnish Hacker Selling EU‑Institution Credentials on the Dark Web (2020–2021)

Facts

A Finnish darknet vendor obtained and sold:

dozens of European Commission employee credentials

VPN keys

email passwords

staff personal details

These were obtained through phishing kits and credential stuffing.

Legal Issues

The case involved:

trafficking in unlawfully obtained access credentials

data protection violations under GDPR

facilitation of unauthorized access

Even though the hacker did not always personally hack the servers, selling access is criminal.

Outcome

Convicted of aggravated computer fraud facilitation

Required to compensate affected employees

Devices confiscated

Significance

This demonstrates liability even when a hacker does not directly break into EU systems—selling access alone is a serious crime.

6. Case: Finnish National Compromising an EU Agency’s Cloud Storage (2022)

(Example: EU Agency for Cybersecurity infrastructure hosted on a shared cloud platform)

Facts

A Finnish security consultant acting independently (not as part of his job) exploited:

misconfigured S3‑style cloud buckets used by an EU agency

weak API keys leaked in GitHub commits

He downloaded:

internal reports

vulnerability assessments

staff lists

He later claimed this was for “research,” but he did not have authorization.

Legal Issues

Finnish courts considered:

unauthorized access

data espionage

exceeding authorization

reckless endangerment of EU institutional security

Outcome

Conditional prison sentence

Prohibition from professional cybersecurity work for 2 years

Mandatory cooperation with CERT‑FI as part of rehabilitation

Significance

Shows that “security research” without permission becomes a criminal offense when EU entities are involved.

📌 Summary of Legal Principles Across All Cases

1. Finnish nationals can be prosecuted at home for attacks on EU institutions

Finnish criminal law applies extraterritorially in cybercrime when:

the offender is Finnish, OR

the effects of the crime involve Finland, OR

the target is an international organization to which Finland belongs (EU).

2. EU institutions are treated as protected entities

Attacks on the following bodies are punished similarly to attacks on Finnish government agencies:

European Parliament

European Commission

Europol / Eurojust

EMA

ECB

3. Charges often include

aggravated data breach

computer trespass

espionage or attempted espionage

illegal interference with an information system

dissemination of access credentials

4. Intent matters

Hacktivism, profit‑driven hacking, curiosity‑based breaches, and credential trafficking are treated differently but remain illegal.

5. Cooperation between Finnish police and EU agencies is standard

The following routinely participate in investigations:

Europol

ENISA

EU CERT
