Canadian hacker-for-hire Karim Baratov was sentenced Tuesday to five years in prison for his role in the massive 2014 Yahoo breach that saw over 500 million accounts compromised. The 23-year-old worked under the guidance of two agents from the Russian Federal Security Service (FSB), Russia’s law enforcement and intelligence service, to compromise Yahoo and Gmail accounts belonging to individuals of interest to the FSB.
Baratov pleaded guilty in November to nine charges including aggravated identity theft and conspiring to commit computer fraud and abuse.
Residing in Canada, the international hacker-for-hire used spear-phishing techniques and carefully crafted emails designed to look like official messages from webmail providers like Google and Yandex to trick users into divulging their login credentials through phone websites created by him. He then gathered victims' account details and sent them over to clients for a bounty.
Among his clients were FSB agents Igor Anatolyevich Sushchin, 43, and Dmitry Aleksandrovich Dokuchaev, 33. These agents were also allegedly responsible for the massive 2014 hack of Yahoo that compromised 500 million user accounts.
The FSB agents paid hackers to collect information and gain access to accounts belonging to "Russian journalists, Russian and US government officials, employees of a prominent Russian cybersecurity company and numerous employees of US, Russian and other foreign webmail and internet-related service providers whose networks they sought to further exploit."
When they learned that a target had non-Yahoo accounts, they hired Baratov to break into at least 80 email accounts, including at least 50 Gmail accounts, using information obtained from the Yahoo hack. Once he successfully gained unauthorized access to these accounts, he notified and handed them over to Dokuchaev in exchange for a payment.
“The sentence imposed reflects the seriousness of hacking for hire,” Acting US Attorney Alex Tse said in a statement. “Hackers such as Baratov ply their trade without regard for the criminal objectives of the people who hire and pay them. These hackers are not minor players; they are a critical tool used by criminals to obtain and exploit personal information illegally. In sentencing Baratov to five years in prison, the Court sent a clear message to hackers that participating in cyber attacks sponsored by nation states will result in significant consequences.”
Until his arrest in March 2017 by Canadian authorities, Baratov managed to break over 11,000 email accounts in total for his clients. Although Baratov was not directly involved in the Yahoo breach, he was in charged in March 2017 along with three other perpetrators who reside in Russia.
In addition to his prison sentence, Baratov has been ordered to pay a fine of $2,250,000 to his victims at $250,000 per count.
“It's difficult to overstate the unprecedented nature of this conspiracy, in which members of a foreign intelligence service directed and empowered criminal hackers to conduct a massive cyber-attack against 500 million victim user accounts,” Special Agent in Charge John Bennett of the FBI said.