Russia-linked hacker Karim Baratov gets 5 years in U.S. prison & $250,000 fine for Yahoo breach

A Canadian man born in Kazakhstan has been sentenced to five years in prison for crimes connected to the massive Yahoo security breach that U.S. federal agents say was directed by Russian government spies.

"Karim Baratov, an FSB go-to guy for webmail hacking, was sentenced to 5 years in prison this morning, less than the nearly 8 years sought by the Justice Department," says Daily Beast's Kevin Poulsen.

Below, why 5 years in prison is actually a good outcome for Baratov, who is 23.


Karim Baratov, a Canadian citizen born in Kazakhstan, pleaded guilty to federal conspiracy and identity theft charges last November in connection with a black market no-questions-asked hacking service he operated from 2010 until his arrest in March 2017. Baratov charged customers about $100 to obtain another person's webmail password, using phishing attacks that tricked users into entering their passwords into a fake password reset page. He cracked more than 11,000 accounts in Russia and the US before he was caught.

One of Baratov's clients was an officer with Russia's Federal Security Service, or FSB, who used an alias to commission hacks on 80 targets in all, including people in other Russian agencies, and government officials in neighboring Eastern European nations. Prosecutors had sought a sentence of seven years, 10 months in prison, in part to make other hackers think twice about offering their skills—knowingly or unknowingly—to hostile intelligence agencies.

(…) Only eight of the FSB-related hack attempts were successful, and the government and Baratov's defense team agree that the hacker did not know that the commissions were coming from the Russian government.

Baratov was fined $250,000, in addition to the prison sentence.

More from Poulsen:

Dmitry Dokuchaev, the former FSB officer who allegedly hired Baratov, is charged as a coconspirator in the case, though he's unlikely to wind up in a San Francisco courtroom. Dokuchaev was arrested by his own agency in December 2016 and charged with treason, under circumstances that remain shrouded in mystery.

Another FSB officer, Igor Sushchin, is also charged in the same indictment for allegedly overseeing the email hacking, as is a long-notorious Russian hacker named Alexsey Belan who was already wanted in two states for conventional cybercrime. The three Russian nationals are accused of conspiring to commit a massive 2014 data breach at Yahoo that compromised account information on 500 million users. They allegedly turned to Baratov to fill the gap when they encountered an FSB target that used Gmail, or another provider, instead of Yahoo where they had complete access.

And from an earlier piece by Poulsen on the Baratov case, this gem…

Pre-sentencing wrangling focused largely on the mercenary flavor of Baratov's business. Defense lawyers said Baratov generally assumed his clients were jealous lovers or spouses spying on their significant others, and they argued that Baratov's neutrality—he'd work for anyone with the money to spend—rendered him less culpable than defendants in otherwise similar cases who performed their intrusions as part of a financial fraud scheme or for voyeurism. "Karim is a very different type of hacker," Mancilla told The Daily Beast. "He didn't intend to personally harm people."

PHOTO: Karim Baratov poses in front of his house in Ancaster, Ontario, in an undated photo. (Facebook)