The US is looking to lock up one of the Yahoo mega-breach spearphishers for 94 months: nearly eight years.
On Tuesday, Department of Justice (DOJ) prosecutors asked a San Francisco federal court judge to impose that sentence on Karim Baratov, a Canadian citizen born in Kazakhstan who was indicted in March 2017 for working with two officers of the Russian Federal Security Service (FSB), Russia’s successor to the KGB, to pull off the historic Yahoo breach.
Yahoo confirmed in September 2016 that it had discovered a raid that affected half a billion Yahoo accounts in 2014.
Just a few months later, Yahoo confirmed yet another, separate breach, dating back to 2013, that affected a staggering three billion.
Baratov pleaded guilty in November 2017 to nine counts related to the 2014 breach, including aggravated identity theft and violating the Computer Fraud and Abuse Act (CFAA) by stealing information from protected computers.
Under federal guidelines, his maximum sentence is up to 20 years in prison, according to the DOJ. Baratov’s attorneys have asked for a sentence of 45 months: about half of what the DOJ is after.
According to the sentencing memorandum (PDF), Baratov was a hacker-for-hire who took orders to target specific victims without asking his customers to explain their own identity, their motives, or their objectives.
He took his operations to the international stage between 2014 and 2016, when he started working with a co-defendant, FSB officer Dmitry Dokuchaev. Based on information stolen in the Yahoo breach, Dokuchaev allegedly paid Baratov to break into 80 webmail accounts belonging to people of interest to Russian intelligence.
Running his business out of his home in Ontario, Baratov had a few websites to advertise his services to Russians. One site, named “webhacker,” offered “hacking of email accounts without prepayment”. The site said that Baratov could take over webmail accounts of Google and Russian providers, such as Mail.ru and Yandex.
He used the money he earned from his illegal activities to buy himself a cushy life: he bought a $650,000 home and luxury cars that included a Lamborghini, a Porsche, an Aston Martin, a Mercedes and a BMW. He bragged about it all on social media, including one post showing him with a fanned-out stack of $100 Canadian bills.
Baratov’s hacking was a springboard for his customers to go after their victims with a laundry list of crimes that followed the webmail account breaches, prosecutors said. From the sentencing memorandum:
The defendant set up, operated, and grew a criminal hacker-for-hire business that gave his customers the ability (and provided a layer of concealment for their identities) to commit a whole spectrum of additional crimes (e.g. against the victims’ dignity, finances, safety, privacy, or other interests).
Yes, but he was just a pup when he was hacking people’s email accounts, Baratov’s legal team is arguing (PDF).
The extenuating circumstances in the instant matter are plentiful. This is Mr Baratov’s first arrest. Additionally, Mr Baratov was under the age of 22 during the majority of the time that he hacked email accounts.
No prior contact with law enforcement combined with Mr Baratov’s young age weigh heavily in favor of a low culpability calculation.
Baratov is due to be sentenced by Judge Vince Chhabria on 24 April.
Will
Not to say 8 years isn’t appropriate for what he’s done here, but he clearly profited mightily from this. Contrast that with Aaron Swartz and his “hack” of JSTOR, where prosecutors wanted the max penalty of 35 years levied. It seems the justice system still doesn’t quite know what’s appropriate in cases like these. 500 mil personal accounts/details vs. 4.8 mil documents already available for public consumption. I’d say the hacker-for-hire should be the one to send your message to, not the activist.