(SAN FRANCISCO, CA) – Karim Baratov, aka Kay, aka Karim Taloverov, aka Karim Akehmet Tokbergenov, 22, a Canadian national and resident of Hamilton, pleaded guilty to charges returned by a grand jury in the Northern District of California in February 2017.
Baratov and three other defendants, including two officers of the Russian Federal Security Service, Russia’s domestic law enforcement and intelligence service, were charged with computer hacking and other criminal offenses in connection with a conspiracy to access Yahoo’s network and the contents of webmail accounts that began in January 2014. Baratov’s co-defendants, all of whom remain at large in Russia, are Dmitry Aleksandrovich Dokuchaev, 33, Igor Anatolyevich Sushchin, 43, and Alexsey Alexseyevich Belan, aka Magg, 29. All are Russian nationals and residents.
“Where a foreign law enforcement or intelligence agency recruits, tasks, or protects criminals targeting the United States and its companies or citizens, instead of taking steps to disrupt them and hold them accountable, the United States will leverage all of its available tools to expose that agency’s conduct and arrest those responsible,” said Acting Assistant Attorney General Dana Boente. “Today’s plea exemplifies the Department’s commitment to pursuing, arresting and bringing to justice even those hackers who work for a foreign law enforcement or intelligence organization. We wish to thank the Canadian authorities for their skillful assistance in the investigation and arrest of Baratov and to acknowledge the contributions of the other nations and law enforcement services that provided invaluable assistance.”
Baratov’s role in the charged conspiracy was to hack webmail accounts of individuals of interest to the FSB and send those accounts’ passwords to Dokuchaev in exchange for money. As alleged in the Indictment, Dokuchaev, Sushchin and Belan compromised Yahoo’s network and gained the ability to access Yahoo accounts. When they desired access to individual webmail accounts at a number of other internet service providers, such as Google and Yandex (based in Russia), Dokuchaev tasked Baratov to compromise those accounts. The Indictment is available here, and its allegations are summarized in greater detail in the press release that attended the unsealing of the Indictment on March 15.
As part of his plea agreement, Baratov not only admitted to his hacking activities on behalf of his co-conspirators in the FSB, but also to hacking more than 11,000 webmail accounts in total on behalf of the FSB conspirators and other customers from, in, or around 2010 until his March 2017 arrest by Canadian authorities.
Baratov advertised his services through a network of primarily Russian-language hacker-for-hire web pages hosted on servers around the world. He admitted that he generally spearphished his victims, sending them emails from accounts he established to appear to belong to the webmail provider at which the victim’s account was hosted, such as Google or Yandex. Baratov’s spearphishing emails tricked victims into visiting web pages he constructed to appear legitimate, as though they belonged to the victims’ webmail providers, and entering their account credentials into those web pages.
Once Baratov collected the victims’ account credentials, he sent his customers screen shots of the victims’ account contents to prove that he had obtained access and, upon receipt of payment, provided his customers the victims’ log-in credentials.
Baratov pleaded guilty to Count One and Counts Forty through Forty-Seven of the Indictment.
Count One charged Baratov, Dokuchaev, Sushchin, and Belan with conspiring to violate the Computer Fraud and Abuse Act by stealing information from protected computers in violation of 18 USC § 1030(a)(2) and causing damage to protected computers in violation of 18 USC § 1030(a)(5)(A).
Counts Forty through Forty-Seven charged Baratov and Dokuchaev with aggravated identity theft in violation of 18 USC § 1028A.
As part of the plea agreement, in addition to any prison sentence, Baratov agreed to pay restitution to his victims and to pay a fine up to $2,250,000, at $250,000 per count, with any assets he has remaining after satisfying a restitution award.
Baratov waived extradition from Canada and is being detained in California without bail.
“This case is a prime example of the hybrid cyber threat we’re facing, in which nation states work with criminal hackers to carry out malicious activities,” said Executive Assistant Director Paul Abbate, of the FBI’s Criminal, Cyber, Response and Services Branch. “Today’s guilty plea illustrates how the FBI continues to work relentlessly with our private sector, law enforcement and international partners to identify and hold accountable those who conduct cyber attacks against our nation, no matter who they’re working with or where they attempt to hide.”
Baratov’s sentencing hearing is scheduled for February 20, 2018, in San Francisco. The maximum statutory penalty for each count in violation of 18 USC §1030(b) is 10 years and a fine of $250,000, plus restitution, if appropriate. The maximum statutory penalty for each count in violation of 18 USC §1028A is two years, mandatory consecutive, and a fine of $250,000, plus restitution, if appropriate.
However, any sentence, including restitution and fine, if any, will be imposed by the court only after consideration of the US Sentencing Guidelines and the federal statute governing the imposition of a sentence, 18 USC § 3553.