A Canadian computer hacker has been sentenced to five years in prison in connection with a massive security breach at Yahoo that federal agents say was directed by Russian government spies.
U.S. Judge Vince Chhabria on Tuesday also fined 23-year-old Karim Baratov $250,000.
Baratov pleaded guilty in November to nine felony hacking charges.
He acknowledged hacking thousands of webmail accounts for seven years ending with his arrest last year.
Baratov charged customers $100 to obtain another person’s webmail passwords by tricking them into entering their credentials into a fake password reset page.
Prosecutors allege that the Russian security service hired the Kazakhstan-born Baratov to target email accounts using information obtained from the Yahoo hack.
Baratov’s attorneys said their client hacked only eight accounts for the Russians and that he didn’t know he was working for the Russian spy agency.
U.S. District Judge Vince Chhabria had openly struggled to find the right sentence for Baratov, noting that he’s a relatively young defendant with no prior criminal history and strong family connections.
Baratov was arrested in Hamilton, Ontario, and later agreed to forgo an extradition hearing and face the US charges.
‘He’s been transparent and forthright with the government since he got here,’ said one of his attorneys, Andrew Mancilla.
Much of the discussion in court focused on weighing the seriousness of Baratov’s crimes compared to other hacking cases, according to the Daily Beast.
Baratov’s lawyers argued for a 45-month sentence, contending that his hacking was less serious than the large-scale thefts of credit card numbers that have drawn prison terms as high as 25 years in the United States.
Prosecutors countered that Baratov was actually worse, because he targeted individuals on behalf of anonymous clients without regard for the consequences.
One of Baratov’s clients was an officer with Russia’s Federal Security Service, or FSB, who used an alias to commission hacks on 80 targets in all, including people in other Russian agencies, and government officials in neighboring Eastern European nations.
The Russian agents, Dmitry Dokuchaev and Igor Sushchin, used the information they stole from Yahoo! to spy on Russian journalists, US and Russian government officials and employees of financial services and other private businesses, according to prosecutors.
Dokuchaev, Sushchin and a third Russian national, Alexsey Belan, were also named in the indictment filed in February, though it’s not clear whether they will ever set foot in an American courtroom since there’s no extradition treaty with the Kremlin.
Karim Baratov, a Canadian citizen born in Kazakhstan, pleaded guilty to federal conspiracy and identity theft charges last November in connection with a black market, no-questions-asked hacking service he operated from 2010 until his arrest in March 2017.
Though the US government had previously charged individual Russian hackers with cybercrime – as well as hackers directly linked to the Chinese and Iranian governments – this was the first criminal case to name as defendants sitting members of the FSB for hacking charges, the Justice Department said.
Yahoo user accounts began being compromised at least as early as 2014.
Dokuchaev and Sushchin turned to Baratov after learning that one of their targets had accounts at webmail providers other than Yahoo, prosecutors said.
‘It is hard to catch these people,’ Assistant U.S. Attorney Jeffrey Shih said in court. ‘And in terms of the state-sponsored connection, it really is a deterrence concern.’
YAHOO! DATA BREACH TIMELINE
During the second half of 2016, Yahoo! reported two major data breaches perpetrated by hackers.
In September 2016, the company said that at least 500 million of its accounts were hacked in 2014 by what it believed was a state-sponsored actor, a theft that appeared to be the world’s biggest known cyber breach by far.
Cyber thieves may have stolen names, email addresses, telephone numbers, dates of birth and encrypted passwords, the company said.
But unprotected passwords, payment card data and bank account information did not appear to have been compromised, signaling that some of the most valuable user data was not taken.
In December 2016, it was learned that an even bigger breach took place in August 2013.
The company admitted that all three billion of Yahoo!’s users were affected by the 2013 data theft that the company originally said had only affected 1 billion users.
The additional two billion data theft victims came to light as Yahoo! was being integrated with Verizon, which bought the company in June for $4.5 billion.
‘During integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft,’ the company said in a statement posted on its website.
The investigation found that the stolen user account information did not include passwords in clear text, payment card data, or bank account information.
‘Online intrusions and thefts by state-sponsored actors have become increasingly common across the technology industry,’ Yahoo! said in a statement at the time of the attacks.
Source: Reuters, DailyMail.com