A U.S. judge has given a five-year prison sentence to Canadian Karim Baratov for his role in helping Russians hack Yahoo and other Internet email providers.
The sentence, which also includes a fine of US$2.25 million intended to strip him of his assets, was handed down Tuesday by U.S. District Judge Vince Chhabria in San Francisco.
Baratov’s role in the conspiracy was to hack webmail accounts of individuals of interest to his co-conspirator, who was working for the Russian FSB — the domestic law enforcement and intelligence service — and send their accounts’ passwords in exchange for money. His lawyers told the court Baratov didn’t know he was working for the FSB.
According to the Toronto Star, U.S. prosecutors said in court papers that Baratov’s Russian-language website named “webhacker” advertised services for “hacking of email accounts without prepayment.”
Baratov told the judge Tuesday that his time behind bars has been “a very humbling and eye-opening experience.” He apologized to those he hacked and promised “to be a better man” and obey the law upon his release.
According to a statement from the U.S. Justice Department, as part of his plea agreement, Baratov, who lived in Ancaster, Ont., not only admitted to agreeing and attempting to hack at least 80 webmail accounts on behalf of one of the FSB but also to hacking more than 11,000 webmail accounts in total from in or around 2010 until his March 2017 arrest by Canadian police.
Three others were named in the conspiracy, but they remain outside the U.S. and haven’t been charged.
“Criminal hackers and the countries that sponsor them make a grave mistake when they target American companies and citizens. We will identify them wherever they are and bring them to justice,” said Assistant Attorney General Demers. “I would like to thank Canadian law enforcement authorities for their tremendous assistance in bringing Baratov to justice. We will continue to work with our foreign partners to find and prosecute those who would violate our laws.”
“The sentence imposed reflects the seriousness of hacking for hire,” said Acting U.S. Attorney Tse. “Hackers such as Baratov ply their trade without regard for the criminal objectives of the people who hire and pay them. These hackers are not minor players; they are a critical tool used by criminals to obtain and exploit personal information illegally. In sentencing Baratov to five years in prison, the court sent a clear message to hackers that participating in cyber attacks sponsored by nation states will result in significant consequences.”
Three other defendants, including two officers of the FSB, were also charged with being part of the hacking conspiracy, which authorities said involved the FSB officers hiring criminal hackers to collect information through the attacks. That led to the spear phishing of webmail accounts at service providers between January 2014 and December 2016.
Among the targets were Russian journalists, U.S. and Russian government officials and private-sector employees of financial, transportation and other companies.
Baratov has been detained since his arrest in Canada in March, 2017. He waived extradition to the United States and was transferred to the Northern District of California in August 2017. In November 2017, Baratov pleaded guilty to nine counts, including conspiracy and aggravated identity theft.
In addition to any prison sentence, Baratov agreed to pay restitution to his victims, and to pay a fine up to $2,250,000, at $250,000 per count, with any assets he has remaining after satisfying a restitution award.