A 22-year-old Canadian man pleaded guilty Tuesday to attacking Yahoo.
Karim Baratov, aka Kay, aka Karim Taloverov, aka Karim Akehmet Tokbergenov, an immigrant from Kazakhstan, was arrested in Canada in March 2017 on a U.S. warrant.
He was denied bail in April and waived his right to an extradition hearing in August, while waiting to be handed over to U.S. marshals.
Baratov was charged with “computer hacking and other criminal offenses in connection with a conspiracy to access Yahoo’s network and the contents of webmail accounts that began in January 2014,” said officials at the U.S. Department of Justice (DoJ).
Three other individuals were charged along with Baratov, including two officers of the Russian Federal Security Service (FSB), Russia’s domestic law enforcement and intelligence service. All three are Russian nationals and residents and all remain at large: Dmitry Aleksandrovich Dokuchaev, 33; Igor Anatolyevich Sushchin, 43; and 29-year-old Alexsey Alexseyevich Belan, aka Magg.
In an indictment announced in March 2017, the United States government said Dokuchaev, Sushchin and Belan compromised Yahoo’s network and gained the ability to access Yahoo accounts.
Baratov was charged with hacking the webmail accounts of individuals of interest to the FSB and with sending the passwords of those accounts to Dokuchaev in exchange for money. When looking to access individual webmail accounts at other Internet service providers, Dokuchaev asked Baratov to compromise those accounts.
As part of his plea agreement in the Northern District of California federal court, Baratov admitted to hacking accounts on behalf of his co-conspirators in the FSB, and also revealed he hacked over 11,000 webmail accounts from 2010 until March 2017, when he was arrested by Canadian authorities. He also agreed to pay restitution to his victims and to pay a fine of up to $2,250,000, in addition to any prison sentence.
“Baratov advertised his services through a network of primarily Russian-language hacker-for-hire web pages hosted on servers around the world. He admitted that he generally spearphished his victims, sending them emails from accounts he established to appear to belong to the webmail provider at which the victim’s account was hosted (such as Google or Yandex),” the DoJ said.
Baratov’s emails attempted to trick victims into visiting fake web pages and entering their credentials on those pages. Once the victims’ account credentials were collected, Baratov would send screenshots of the victims’ account contents to his customers to prove access to the accounts and provide login credentials after receiving payment.
Baratov pleaded guilty to count One and counts Forty through Forty-Seven of the indictment, which charged him and his co-conspirators with stealing information from protected computers, causing damage to protected computers, and aggravated identity theft.
Baratov is currently detained in California without bail. His sentencing hearing is scheduled for Feb. 20.
Baratov’s actions appear unrelated to a 2013 breach that exposed all three billion accounts at Yahoo. The hack was initially said to have affected only 500 million accounts.