Julius Kivimaki was 15 years old when he began a cybercrime spree that accessed 50,700 devices, according to a Finnish court.
And earlier this month, Kivimaki, now 17, was found guilty of many instances of "aggravated computer break-ins." But the teenager won't go to prison, or even face a hefty fine.
He was sentenced to two years of suspended jail time, ordered to return the 6,588 euros, or $7,000, he made via the hacks and had his personal computer confiscated.
Which, in some circles, sounds like sending a toddler to timeout rather than punishing a cybercriminal who hacked into Harvard University and Massachusetts Institute of Technology's e-mail servers and a European news Web site.
In the Finnish court, though, that's not an unusual punishment, said Andrea Matwyshyn, a professor at the Center for Information Technology Policy at Princeton University.
"Within the national context within the criminal justice system of Finland, this is not surprising," she said.
There's a bent in Finnish law toward rehabilitation in sentencing and extraordinary leniency for minors. Children younger than 15 are not criminally liable, according to Finnish law. Offenders between 15 and 17 years of age may serve at most 3/4 of the length of an adult sentence. Convicts younger than 18 can't actually be incarcerated, only placed under government supervision and mandated to attend correctional programs.
"Maybe the biggest critical difference between the Finnish system and ours is that the Finnish system puts rehabilitation at the core of the criminal justice system," Matwyshyn said. "The United States system does not do that. We have competing roles of deterrence, retribution and incapacitation."
U.S. courts have not always been so forgiving with youthful cybercriminals.
In 2000, for example, a Miami 16-year-old was sentenced to six months of juvenile detention for breaking into NASA's computer systems. ''I've been in computers for 20 years, and I can't do what he was doing,'' his father told the Miami Herald at the time. ''He didn't do anything destructive.''
"There’s a lot of technically proficient teenagers with an ax to grind," said Jen Weedon, threat manager at cybersecurity firm FireEye and co-author of a study on Nordic hacking.
And they can reach a lot of people through the Web, she said. In Kivimaki's case, he reached 50,700 of them. And that's only in this case. Kivimaki is also reportedly a member of hacking group Lizard Squad, which is responsible for a separate series of hacks against Sony and Microsoft, according to online security analyst Brian Krebs. Kivimaki once called in a fake bomb threat on a commercial airplane in the name of the group, Krebs has reported.
Last week, former Sony president John Smedley threatened to sue Kivimaki's parents in civil court for some of those infractions. He could not be reached for comment.
Kivimaki and his lawyer could not be reached for comment.
So where is that line? U.S. lawmakers aren't approaching addressing it, Matwyshyn and Weedon agree.
"There needs to be a nuance that is contextual and unique to computer intrusion offenses," said Matwyshyn.
But that achieving that nuance is perhaps easier said than done.