SAN FRANCISCO—A 22-year-old man who ran a successful hacker-for-hire business from his home in Toronto pleaded guilty to federal conspiracy and identity theft charges Tuesday, admitting in open court that he cracked account passwords at Gmail on behalf of a customer who turned out to be an officer with Russia’s Federal Security Service, or FSB.
Karim Baratov’s guilty plea is a minor milestone in U.S. efforts against the Kremlin’s hacking operations in the wake of last year’s election interference campaign. Under the terms of his plea agreement, he likely faces between 7 and 8 years in prison when he’s sentenced in February.
Baratov, a Canadian citizen born in Kazakhstan, became involved with Russia through a black market hacking service he offered that would obtain other people’s Gmail passwords for an advertised rate of $60 per account. An FSB officer, using a pseudonym, offered him a premium rate of $100-a-head to hit a total of 80 targets over time, including people in other Russian agencies, and government officials in neighboring Eastern European nations.
Only eight of the hack attempts were successful, according to Baratov’s defense lawyers, who say Baratov never knew he was working for the Kremlin. “He had no idea until the indictment was unsealed,” said attorney Robert Fantone.
Baratov’s hacking career was abruptly derailed last March when he was arrested in Canada on a U.S. warrant, and he’s been locked up in a county jail outside San Francisco since waiving an extradition battle last August. He’s likely the sole defendant who will ever appear in court on a sweeping 47-count indictment unsealed earlier this year that accused him and three Russian nationals of conspiring to commit a massive 2014 data breach at Yahoo that compromised account information on 500 million users.
He’s not accused of participating directly in the Yahoo hack, or even knowing about it. Instead, the FSB used him to fill the gap when they encountered a target that used Gmail, or another provider, instead of Yahoo, where the FSB already had the ability to access any account. Baratov primarily used phishing attacks that tricked users into entering their passwords into a fake password reset page, and he maintained a fleet of look-alike web addresses for Gmail, Russia’s Mail.Ru, and other webmail providers.
One current and one former FSB officer are also charged in the case, as is a long-notorious Russian hacker named Alexsey Belan who was already wanted in two states for conventional cybercrime. Belan, who allegedly carried out the Yahoo hack, is living beyond the U.S. government’s reach in Russia, as is Igor Sushchin, the FSB officer who allegedly oversaw the email hacking.
The fourth defendant, Dmitry Dokuchaev, was allegedly responsible for contracting Baratov’s services, but has more pressing legal issues at home. A former officer at the FSB’s computer crime branch, Dokuchaev was arrested by his own agency in December 2016 and charged with treason, under circumstances that remain shrouded in mystery.
Baratov never expected to become embroiled in a geopolitical chess match, says defense attorney Andrew Mancilla.
“He’s been transparent and forthright with the government since he got here,” Mancilla said.
The FSB apparently accounted for only a tiny portion of Baratov’s hacking enterprise. In all, the hacker breached 11,000 webmail accounts for various customers over the years. Federal prosecutors Jeffrey Shih and Scott McCulloch, the latter from the Justice Department’s National Security Division in Washington, said in court they planned on setting up a dedicated website to notify all the victims of his hacking.