A Canadian national pleaded guilty in San Francisco federal court to nine criminal counts related to the data breach that compromised a half-billion Yahoo accounts in 2014.
Karim Baratov, 22, pleaded guilty Tuesday to one count of computer hacking and eight counts of aggravated identity theft connected to the colossal Yahoo breach, the Department of Justice announced following Tuesday’s court hearing, setting the stage for him to face up to 26 years in federal prison when he’s sentenced next year.
Baratov was one of four men indicted in February in connection with the Yahoo breach and is the only one currently in U.S. custody. His three co-defendants — Russian nationals, including two employees of the Federal Security Service (FSB) intelligence agency — remain at large, prosecutors acknowledged in a statement Tuesday.
Russian spies breached Yahoo’s network in early 2014 and eventually gained unauthorized access to the personal data associated with more than 500 million user accounts, according to U.S. prosecutors.
“When the FSB officers … learned that a target of interest had email accounts at webmail providers other than Yahoo, including through information gained from the Yahoo intrusion, they would task Baratov to access the target’s account at the other providers,” federal prosecutors said previously.
Baratov was hired to access the emails of targets ranging from Russian journalists to White House personnel and was ultimately paid to hack into at least 80 email accounts, including 50 Google accounts, according to prosecutors.
He was arrested in March in Ontario, Canada, and in August he waived his right to an extradition hearing and agreed to surrender to U.S. authorities.
“As part of his plea agreement, Baratov not only admitted to his hacking activities on behalf of his co-conspirators in the FSB, but also to hacking more than 11,000 webmail accounts in total on behalf of the FSB conspirators and other customers from in or around 2010 until his March 2017 arrest by Canadian authorities,” the Justice Department said in a statement Tuesday.
An attorney for Mr. Baratov said that his client only hacked eight accounts and was unaware he was working for Russian intelligence, The Associated Press reported following Tuesday’s court hearing.
“He’s been transparent and forthright with the government since he got here,” said the attorney, Andrew Mancilla, AP reported.
Baratov is currently scheduled to be sentenced before U.S. District Judge Vincent Chhabria on Feb. 20.