Karim Baratov, a Canadian “hacker for hire” convicted in connection with selling his services to Russian intelligence officers accused of compromising 500 million Yahoo accounts in one of the biggest data breaches ever, was sentenced Tuesday in San Francisco federal court.
U.S. District Judge Vince Chhabria ordered Baratov, 23, to spend 60 months in prison and pay a $250,000 fine for his role in an international conspiracy that involved him personally hacking into thousands of email accounts on behalf of clients, including two agents of Russia’s Federal Security Service (FSB) intelligence agency, the Justice Department announced following Tuesday’s sentencing hearing.
“Criminal hackers and the countries that sponsor them make a grave mistake when they target American companies and citizens,” John C. Demers, assistant attorney general for national security, said in a statement. “We will identify them wherever they are and bring them to justice.”
Baratov was arrested in Ontario in March 2017 by Canadian authorities at the request of U.S. prosecutors and charged with multiple counts related to the historic Yahoo breach that compromised 500 million user accounts in 2014.
Russian spies conducted the Yahoo breach and subsequently hired Baratov to leverage the stolen user data, prosecutors said previous.
“When the FSB officers … learned that a target of interest had email accounts at webmail providers other than Yahoo, including through information gained from the Yahoo intrusion, they would task Baratov to access the target’s account at the other providers,” prosecutors.
Baratov initially fought the charges, but he waived his right to an extradition last August and ultimately pleaded guilty in November to nine felony counts related to the conspiracy.
“As part of his plea agreement, Baratov not only admitted to his hacking activities on behalf of his co-conspirators in the FSB, but also to hacking more than 11,000 webmail accounts in total on behalf of the FSB conspirators and other customers from in or around 2010 until his March 2017 arrest by Canadian authorities,” the Justice Department said in a statement Tuesday.
Prosecuting attorneys had called for a 94-month prison term, while the defense sought a 45-month sentence. Baratov was previously scheduled to be sentenced in April, but that hearing was postponed after the judge raised questions about the government’s request for a nearly eight-year prison stint.
“This case is about a young man, younger than most of the defendants in hacking cases throughout this country, who hacked emails, one at a time, for $100 a hack,” defense attorneys argued in support of a shorter sentence.
prosecutors disagreed, arguing that Baratov wasn’t “a teenager making an isolated mistake on the internet out of curiosity,” but rather one “making a profession out of breaking into the private lives of thousands of victims.”
Baratov is satisfied with the sentence, a defense attorney said Tuesday.
“The judge used all criteria possible to assist Karim and, given the time he had already served and the time expected to serve, he will be out in approximately three years,” lawyer Amedeo DiCarlo told The Canadian Press. “The justice system worked for a man who took responsibility and I’m sure he learned many lessons.”