Russian Hackers’ Helper in Yahoo Attack Gets 5 Years' PrisonBy
U.S. judge calls case ‘unusual,’ says sentencing is difficult
Karim Baratov, a Kazakhstan-born Canadian, says he’s humbled
A Canadian accused of hacking Yahoo! Inc. email accounts on behalf of the Russian government was sentenced to five years in a U.S. prison for computer fraud.
Karim Baratov, 23, was one of four people charged by the U.S. last year in a hacking plot allegedly tied to Russia’s FSB security service. He was extradited to San Francisco federal court. In November, he pleaded guilty to conspiracy to commit computer fraud and identity theft.
Justice Department officials have previously said there was no link between the Yahoo case and a national security probe into Russian interference in the U.S. presidential election, though the list of hacking victims in the U.S. was diverse, including the White House and its military and diplomatic corps.
Conspirators also reaped information on a swath of global companies and their executives, including a U.S. financial-services company, an airline and a private equity firm, the U.S. said, without identifying them.
Not a Ringleader
Prosecutors sought a 94-month prison sentence, while Baratov requested 45 months. U.S. District Judge Vince Chhabria voiced concern at a hearing last month that Baratov might be unfairly tainted by “headlines about the Yahoo hack and Russians” even though he wasn’t one of the ringleaders.
At Tuesday’s sentencing hearing, the judge said the need for deterrence calls for a stiff sentence, while the defendant’s personal history and circumstances point toward leniency.
“Obviously this is a difficult case,” Chhabria said. “It’s unusual.”
The judge imposed a $250,000 fine. Chhabria said that might make up for a shorter prison term than prosecutors wanted, and that Baratov “appears to be able to make money.”
Baratov apologized to everyone he hurt and promised to put his skills to good use.
“The last 14 months have been a very humbling and eye-opening experience,” he told the judge. “There is no excuse for my actions,” he said, adding that “all I can do is promise to be a better man.”
While the U.S. government has little chance of getting the others extradited from Russia, it used the announcement of the indictment to make a public and detailed case that Moscow is orchestrating criminal hacks and shielding those who commit them.
Disclosures about the depth of the 2014 Yahoo hack, and another breach in 2013, threatened to derail its acquisition by Verizon Communications Inc. and lowered the purchase price.
Federal prosecutors claim Kazakhstan-born Baratov was paid to gain access to 80 email accounts, including 50 Google accounts. He mounted spear-phishing attacks, used fake emails to compel targets to provide sensitive information and sold passwords he obtained to Dmitry Dokuchaev, a notorious cybercriminal, according to the indictment.
When Baratov received hacking requests, he had no idea at the time that they came from Dokuchaev, according to his lawyer, Robert M. Fantone.
"He was trying to hack Russians on behalf of Russians," Fantone said. "In instances where he thought someone was a government official or worked for a financial regulator, he tried to not do those, he tried to stay away from government officials. He tried to stick to the petty stuff."
The case is U.S. v. Dokuchaev, 17-cr-00103, U.S. District Court, Northern District of California (San Francisco).