The key clarification: Mullvad VPN disclosed zero customer data about Alexander Kivimäki. However, network traffic analysis by Finnish authorities detected that the Vastaamo attack originated from Mullvad's IP address space, and Kivimäki himself admitted during police interrogation that he used Mullvad's VPN service.
The Finnish police investigation revealed that on November 26, 2018, at 06:41:56, contact was made with Vastaamo's server from the IP address space of the Mullvad VPN service. The Finnish Data Protection Ombudsman's report indicates that nearly a gigabyte of data may have been transferred from the MySQL service of Vastaamo's patient information system to an IP address managed by the Swedish VPN service provider Mullvad.
During police interrogations, Kivimäki said he used Mullvad's VPN service. This became part of the evidence pattern that led to his conviction, but it came from network monitoring and Kivimäki's own admissions - not from any data disclosure by Mullvad.
The prosecution built their case against Kivimäki through:
Network traffic analysis: Finnish authorities used netflow data to track the attack back to Mullvad's IP space during the exact timeframe when Vastaamo's database was compromised.
Kivimäki's operational security failures: He accidentally included his home directory in leaked patient data, exposing command histories and other digital evidence that linked him to the attacks.
Financial evidence: Cryptocurrency transactions traced to his bank account and credit card records showing payments for virtual servers hosting stolen patient data.
His own admissions: During interrogation, Kivimäki confirmed he used Mullvad VPN, though he denied involvement in the attacks.
The 2023 search warrant at Mullvad's offices was completely unrelated to the Kivimäki case. On April 18, 2023, Swedish police executed a search warrant at Mullvad VPN's Gothenburg offices in relation to a German investigation into blackmail attacks against municipal institutions. Police left empty-handed after Mullvad demonstrated that the requested customer data simply did not exist on their systems.
This search actually validated Mullvad's no-logs policy - when law enforcement came with proper legal authority seeking customer data, there was nothing to provide.
The crucial distinction is:
Kivimäki's use of Mullvad VPN was detected because:
While Alexander Kivimäki did use Mullvad VPN to conduct his attack on Vastaamo, this became known through network traffic analysis and his own admissions rather than any data disclosure by Mullvad. The VPN service maintained its no-logs policy throughout, as demonstrated by the separate 2023 search warrant that yielded no customer data. This case illustrates that even privacy-focused VPN services cannot protect users from detection if they make operational security mistakes or if their traffic patterns are monitored at the network level.
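The network-level monitoring described above needs nothing from the VPN provider: flow records kept on the victim's side already show how much a database service sent to which remote address, and that address can be checked against a provider's address space. The sketch below is an added example, not code from the investigation; the flow records, the database host address, the byte counts and the address ranges (RFC 5737 documentation ranges standing in for a VPN provider's space) are all constructed.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed placeholders: RFC 5737 documentation ranges stand in for a VPN
# provider's published address space; they are not Mullvad's real ranges.
VPN_RANGES = [ipaddress.ip_network("198.51.100.0/24")]
DB_SERVER = "192.0.2.10"   # constructed address of the database host
MYSQL_PORT = 3306

# Constructed flow records: (start, src ip, src port, dst ip, dst port, bytes)
FLOWS = [
    ("2018-11-26T06:41:56", "198.51.100.77", 51514, "192.0.2.10", 3306, 4_200),
    ("2018-11-26T06:42:03", "192.0.2.10", 3306, "198.51.100.77", 51514, 610_000_000),
    ("2018-11-26T06:55:40", "192.0.2.10", 3306, "198.51.100.77", 51514, 350_000_000),
    ("2018-11-26T06:50:00", "192.0.2.10", 3306, "203.0.113.5", 40000, 90_000),
    ("2018-11-26T07:10:00", "192.0.2.10", 443, "198.51.100.9", 52000, 2_000_000),
]

def in_vpn_space(ip):
    """True if the address falls inside one of the listed provider ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VPN_RANGES)

def mysql_egress(flows, start, end, min_bytes):
    """Sum bytes sent from the DB server's MySQL port per remote IP inside
    [start, end]; return those at or above min_bytes, largest first."""
    totals = defaultdict(int)
    for ts, src, sport, dst, dport, nbytes in flows:
        t = datetime.fromisoformat(ts)
        if start <= t <= end and src == DB_SERVER and sport == MYSQL_PORT:
            totals[dst] += nbytes
    hits = [(ip, n, in_vpn_space(ip)) for ip, n in totals.items() if n >= min_bytes]
    return sorted(hits, key=lambda h: h[1], reverse=True)

if __name__ == "__main__":
    window_start = datetime(2018, 11, 26, 6, 41, 56)
    window_end = window_start + timedelta(hours=1)
    for ip, total, vpn in mysql_egress(FLOWS, window_start, window_end, 100_000_000):
        print(f"{ip} received {total} bytes from MySQL, vpn_range={vpn}")
```

The result identifies the provider's address space and the transfer volume, not the customer behind the address, which matches how the case is described above.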