A 22 year-old Canadian national accused of carrying attacks on Yahoo pleaded guilty on Tuesday to charges returned by a grand jury in the Northern District of California in February 2017.
The man, Karim Baratov, aka Kay, aka Karim Taloverov, aka Karim Akehmet Tokbergenov, an immigrant from Kazakhstan, was arrested in Canada in March 2017, on a U.S. warrant. He was denied bail in April and waived his right to an extradition hearing in August, while waiting to be handed over to US marshals.
Baratov was charged with “computer hacking and other criminal offenses in connection with a conspiracy to access Yahoo’s network and the contents of webmail accounts that began in January 2014,” the U.S. Department of Justice announced.
Three other individuals were charged along Baratov, including two officers of the Russian Federal Security Service (FSB), Russia’s domestic law enforcement and intelligence service. All three are Russian nationals and residents and all remain at large: Dmitry Aleksandrovich Dokuchaev, 33; Igor Anatolyevich Sushchin, 43; and 29-year-old Alexsey Alexseyevich Belan, aka Magg.
In an indictment announced in March 2017, the United States government alleged that Dokuchaev, Sushchin and Belan compromised Yahoo’s network and gained the ability to access Yahoo accounts. Russia denied any official Russian involvement in the attacks.
Baratov was charged for hacking the webmail accounts of individuals of interest to the FSB and for sending the passwords of those accounts to Dokuchaev, in exchange for money. When looking to access individual webmail accounts at other Internet service providers, Dokuchaev asked Baratov to compromise those accounts.
As part of his plea agreement, Baratov admitted to hacking accounts on behalf of his co-conspirators in the FSB, and also revealed that he hacked over 11,000 webmail accounts in total from 2010 until March 2017, when he was arrested by Canadian authorities. He also agreed to pay restitution to his victims and to pay a fine up to $2,250,000, in addition to any prison sentence.
“Baratov advertised his services through a network of primarily Russian-language hacker-for-hire web pages hosted on servers around the world. He admitted that he generally spearphished his victims, sending them emails from accounts he established to appear to belong to the webmail provider at which the victim’s account was hosted (such as Google or Yandex),” the DoJ said.
Baratov’s emails attempted to trick victims into visiting fake web pages and entering their credentials on those pages. Once the victims’ account credentials were collected, Baratov would send screenshots of the victims’ account contents to his customers to prove access to the accounts and provided login credentials after receiving payment.
Baratov pleaded guilty to count One and counts Forty through Forty-Seven of the indictment, which charged him and his co-conspirators with stealing information from protected computers, causing damage to protected computers, and aggravated identity theft.
Baratov is currently detained in California without bail. His sentencing hearing is scheduled for Feb. 20, 2018.