A Canadian man has pleaded guilty to conspiring with Russian intelligence agents and breaking into email accounts as part of the massive 2014 Yahoo data breach that affected at least half a billion accounts. Karim Baratov, a 22-year-old Canadian citizen born in Kazakhstan, pleaded guilty to one count of conspiracy to commit computer fraud and abuse and eight counts of aggravated identity theft on Tuesday (28 November).
In March, the US Justice Department announced charges against Baratov and three other men, including two officers in Russia's Federal Security Service (FSB) - the country's domestic law enforcement and intelligence service - over their roles in the 2014 breach that compromised 500 million Yahoo accounts.
Baratov initially pleaded not guilty to the charges but later was scheduled for a "change of plea" hearing.
Prosecutors accused FSB officers Dmitry Dokuchaev and Igor Sushchin of directing and paying hackers to obtain information from the email accounts of "individuals of interest to the FSB".
Some of the accounts they sought to access for spying activities included the accounts of Russian and US government officials, Russian journalists, employees of a prominent Russian cybersecurity firm, the chief executive of a metals company and a prominent banker.
After they learned that one of their targets had accounts at webmail providers other than Yahoo, they turned to Baratov. He was hired to compromise at least 80 email accounts at Google, Yandex, Yahoo and other webmail providers and then hand over the details to Dokuchaev in exchange for a bounty.
Baratov targeted at least 50 Gmail accounts, the indictment said. He also admitted to hacking more than 11,000 email accounts in total for both the FSB and customers between 2010 and his arrest in March 2017 by Canadian authorities.
Prosecutors said he advertised his nefarious services on a number of Russian-language hacker-for-hire websites. Some of these services included spearphishing victims, sending emails designed to look like official messages from webmail providers such as Google and Yandex, and tricking users into divulging their login credentials via phony websites constructed by him.
After gathering the victims' account credentials, he sent screenshots of the victim's account contents to his customer as proof and sent the stolen details over once he received payment.
"This case is a prime example of the hybrid cyber threat we're facing, in which nation states work with criminal hackers to carry out malicious activities," Paul Abbate, executive assistant director of the FBI's Criminal, Cyber, Response and Services Branch, said in a statement.
Baratov is currently being detained in California without bail and faces a maximum of 10 years in prison, a hefty fine and restitution. He has agreed to pay restitution to his victims and pay a fine of up to $2,250,000 at $250,000 per count.
His sentencing hearing is scheduled for 20 February 2018.
"The illegal hacking of private communications is a global problem that transcends political boundaries," US Attorney Brian Stretch said. "Cybercrime is not only a grave threat to personal privacy and security but causes great financial harm to individuals who are hacked and costs the world economy hundreds of billions of dollars every year. These threats are even more insidious when cybercriminals such as Baratov are employed by foreign government agencies acting outside the rule of law."
Baratov is the only person arrested to date in the case while the other three Russian nationals are still at large. The Kremlin has denied that FSB employees were involved in the Yahoo hack.