SAN FRANCISCO (CN) – A Canadian man pleaded guilty Tuesday to federal computer hacking charges related to a 2014 breach at Yahoo which ultimately compromised 500 million user accounts.
Karim Baratov, 22, admitted to conspiring with three other defendants, including two members of the Russian Federal Security Service – Russia’s domestic law enforcement and intelligence service – to access Yahoo’s website and the email contents of its customers, according to a release issued by U.S. Attorney Brian Stretch.
“The illegal hacking of private communications is a global problem that transcends political boundaries,” Stretch said. “Cybercrime is not only a grave threat to personal privacy and security, but causes great financial harm to individuals who are hacked and costs the world economy hundreds of billions of dollars every year.”
The Russian intelligence officers – Dmitry Aleksandrovich Dokuchaev, 33, and Igor Anatolyevich Sushchin, 43 – and Russian national Alexsey Alexseyevich Belan, 29, remain at large in Russia.
Baratov sold his services to the Russian government, according to Stretch, and admitted to hacking about 11,000 Yahoo accounts from 2010 until his arrest in 2017.
Russia has been the source of a flurry of hacking accusations, not the least of which includes the hacking of Hillary Clinton’s campaign chair John Podesta. WikiLeaks released Podesta’s emails incrementally every day over a six-week period leading up to the 2016 presidential election.
The former Soviet republic has been accused of attempting to sway the election in favor of President Donald Trump, who has since appointed special prosecutor Robert Mueller to determine the extent of Russian hacking and whether the Trump campaign actively participated in or assisted it.
While Baratov’s guilty plea may not be as important as Mueller’s investigation, law enforcement officials say it displays America’s resolve when it comes to bringing hackers to justice.
“This case is a prime example of the hybrid cyber threat we’re facing, in which nation states work with criminal hackers to carry out malicious activities,” said Paul Abbate, executive assistant director of the FBI’s Criminal, Cyber, Response and Services Branch.
Tuesday’s guilty plea is only peripherally related to at least two large hacks of Yahoo that are so far the largest data breaches in history. The company faces numerous lawsuits, with plaintiffs saying the company failed to do enough to protect their private information.
Baratov advertised his hacking prowess via a series of Russian-language hacker-for-hire websites hosted throughout the world. In his plea, Baratov admitted he typically “spearfished” his victims, tricking them into providing their usernames and passwords by sending them pages that appeared to be generated by Google, Yahoo and other legitimate sources.
Once he obtained the usernames and passwords of victims he would send screenshots to his counterparts in Russian, receiving payment in return.
Baratov pleaded guilty to eight criminal counts, including a count of conspiracy to commit computer fraud and seven counts of aggravated identity theft. As part of the plea agreement, he agreed to pay a $2.25 million fine with whatever money he has left after satisfying a restitution award to victims.
He faces years in prison and will be sentenced on Feb. 20.