SAN FRANCISCO - A 22-year-old man who ran a successful hacker-for-hire business from his home in Toronto pleaded guilty to federal conspiracy and identity theft charges Tuesday, admitting in open court that he cracked account passwords at Gmail on behalf of a customer who turned out to be an officer with Russia's Federal Security Service, or FSB.
Karim Baratov's guilty plea is a minor milestone in U.S. efforts against the Kremlin's hacking operations in the wake of last year's election interference campaign. Under the terms of his plea agreement, he likely faces between 7 and 8 years in prison when he's sentenced in February.
Baratov, a Canadian citizen born in Kazakhstan, became involved with Russia through a black market hacking service he offered that would obtain other people's Gmail passwords for an advertised rate of $60 per account. An FSB officer, using a pseudonym, offered him a premium rate of $100-a-head to hit a total of 80 targets over time, including people in other Russian agencies, and government officials in neighboring Eastern European nations.
Only eight of the hack attempts were successful, according to Baratov's defense lawyers, who say Baratov never knew he was working for the Kremlin. "He had no idea until the indictment was unsealed," said attorney Robert Fantone.
Baratov's hacking career was abruptly derailed last March when he was arrested in Canada on a U.S. warrant, and he's been locked up in a county jail outside San Francisco since waiving an extradition battle last August. He's likely the sole defendant who will ever appear in court on a sweeping 47-count indictment unsealed earlier this year that accused him and three Russian nationals of conspiring to commit a massive 2014 data breach at Yahoo that compromised account information on 500 million users.
He's not accused of participating directly in the Yahoo hack, or even knowing about it. Instead, the FSB used him to fill the gap when they encountered a target that used Gmail, or another provider, instead of Yahoo, where the FSB already had the ability to access any account. Baratov primarily used phishing attacks that tricked users into entering their passwords into a fake password reset page, and he maintained a fleet of look-alike web addresses for Gmail, Russia's Mail.Ru, and other webmail providers.
One current and one former FSB officer are also charged in the case, as is a long-notorious Russian hacker named Alexsey Belan who was already wanted in two states for conventional cybercrime. Belan, who allegedly carried out the Yahoo hack, is living beyond the U.S. government's reach in Russia, as is Igor Sushchin, the FSB officer who allegedly oversaw the email hacking.
The fourth defendant, Dmitry Dokuchaev, was allegedly responsible for contracting Baratov's services, but has more pressing legal issues at home. A former officer at the FSB's computer crime branch, Dokuchaev was arrested by his own agency in December 2016 and charged with treason, under circumstances that remain shrouded in mystery.
Baratov never expected to become embroiled in a geopolitical chess match, says defense attorney Andrew Mancilla.
"He's been transparent and forthright with the government since he got here," Mancilla said.
The FSB apparently accounted for only a tiny portion of Baratov's hacking enterprise. In all, the hacker breached 11,000 webmail accounts for various customers over the years. Federal prosecutors Jeffrey Shih and Scott McCulloch, the latter from the Justice Department's National Security Division in Washington, said in court they planned on setting up a dedicated website to notify all the victims of his hacking.