A Canadian faces a U.S. prison sentence after admitting to hacking more than 11,000 Yahoo, Google and other webmail accounts for alleged members of Russia’s federal police and other customers for four years.
The U.S. Justice department said late Tuesday that Karim Baratov, also called Karim Taloverov and Karim Akehmet Tokbergenov, pleaded guilty earlier in the day in San Francisco to eight counts related to computer hacking and other criminal offenses in connection with a conspiracy to access Yahoo’s network and the contents of webmail accounts that began in January 2014.
Baratov’s co-defendants, all of whom remain at large in Russia, are Dmitry Aleksandrovich Dokuchaev, 33, a Russian national and resident; Igor Anatolyevich Sushchin, 43, a Russian national and resident; and Alexsey Alexseyevich Belan, aka Magg, 29, a Russian national and resident.
As part of the plea agreement, in addition to any prison sentence, Baratov agreed to pay restitution to his victims and to pay a fine of up to US$2,250,000 (at US$250,000 per count) with any assets he has remaining after satisfying a restitution award.
He will be sentenced Feb. 18, 2018. He faces a maximum 10 years for pleading guilty to one count of conspiring to violate the federal Computer Fraud and Abuse Act, and two years for each count of aggravated identity theft.
Baratov, arrested in Hamilton, Ont., in March, agreed to be transferred to the U.S. in August. Initially he pleaded not guilty to the charges.
According to the Toronto Star, Baratov’s lawyers told reporters outside court that their client hacked only eight accounts and did not know that he was working for Russian agents connected to the Yahoo breach.
The government said Baratov advertised his services through a network of primarily Russian-language hacker-for-hire web pages hosted on servers around the world. He admitted that he generally spearphished his victims, sending them emails from accounts he established to appear to belong to the webmail provider at which the victim’s account was hosted (such as Google or Yandex, a Russian site). Baratov’s spearphishing emails tricked victims into visiting web pages he constructed to appear legitimate and to belong to the victims’ webmail providers. After they logged in, Baratov collected the victims’ account credentials, then sent his customers screenshots of the victims’ account contents to prove that he had obtained access. On receipt of payment he gave his customers the victims’ log-in credentials.
“Where a foreign law enforcement or intelligence agency recruits, tasks, or protects criminals targeting the United States and its companies or citizens, instead of taking steps to disrupt them and hold them accountable, the United States will leverage all of its available tools to expose that agency’s conduct and arrest those responsible,” acting assistant attorney general Dana Boente of the Justice department’s national security division said in a statement. “Today’s plea exemplifies the department’s commitment to pursuing, arresting and bringing to justice even those hackers who work for a foreign law enforcement or intelligence organization. We wish to thank the Canadian authorities for their skillful assistance in the investigation and arrest of Baratov and to acknowledge the contributions of the other nations and law enforcement services that provided invaluable assistance.”
“The illegal hacking of private communications is a global problem that transcends political boundaries. Cybercrime is not only a grave threat to personal privacy and security, but causes great financial harm to individuals who are hacked and costs the world economy hundreds of billions of dollars every year. These threats are even more insidious when cyber criminals such as Baratov are employed by foreign government agencies acting outside the rule of law,” said Brian Stretch, Attorney for the Justice department’s Northern California division. “With the assistance of our law enforcement partners in Canada, we were able to track down and apprehend a prolific criminal hacker who had sold his services to Russian government agents. This prosecution again illustrates that we will identify and pursue charges against hackers who compromise our country’s computer infrastructure.”
“This case is a prime example of the hybrid cyber threat we’re facing, in which nation states work with criminal hackers to carry out malicious activities,” said FBI executive assistant director Paul Abbate. “Today’s guilty plea illustrates how the FBI continues to work relentlessly with our private sector, law enforcement and international partners to identify and hold accountable those who conduct cyber attacks against our nation, no matter who they’re working with or where they attempt to hide.”
The statement said Baratov’s role in the charged conspiracy was to hack webmail accounts of individuals of interest to the FSB and send those accounts’ passwords to Dokuchaev in exchange for money.
As part of his plea agreement, Baratov not only admitted to his hacking activities on behalf of his co-conspirators in the FSB, but also to hacking more than 11,000 webmail accounts in total on behalf of the FSB conspirators and other customers from in or around 2010 until his March 2017 arrest by Canadian authorities.