A young hacker faces five years in prison for his part in using data stolen in Yahoo’s infamous 2014 breach.
A hacker was sentenced in a US court on 29 May for his part in a major data breach at Yahoo in 2014.
Karim Baratov, an international hacker for hire, was named in a federal indictment in 2017. Two Russian spies were also charged with orchestrating the 2014 breach affecting 500m users.
No research carried out
AP reported that prosecutors in the case said Baratov did little to no research on the clients he worked for and unwittingly collaborated with a Russian spy agency when he used the stolen data from Yahoo. He was arrested last year in Toronto.
His modus operandi was relatively simple: charging customers to obtain another person’s email passwords by tricking the target to enter their details into a phoney password reset page. Baratov maintained the website in Russian, advertising services for “hacking of email accounts without prepayment”, according to court documents.
Russian operatives paid the hacker to target email accounts using data stolen from the Yahoo hack. According to prosecution in the case, the country’s Federal Security Service zeroed in on Russian journalists, government employees in Russia and the US, financial services employees, and other private enterprises. Spies also hacked the emails of spouses and children of victims to dig up further information.
Baratov’s defence team echoed the assertion from the prosecution that he unwittingly entered into the agreement with the Russian spy organisation. Two Russian spies, Dmitry Aleksandrovich Dokuchaev and Igor Anatolyevich, were charged by the US, but remain at large. They are believed to be residing in Russia, which does not have an extradition arrangement with the US.
Acting US attorney Alex Tse said: “The sentence imposed reflects the seriousness of hacking for hire. Hackers such as Baratov ply their trade without regard for the criminal objectives of the people who hire and pay them.”
The San Francisco branch of the FBI investigated the case for two years, in what is the largest hacking case ever encountered by the US government.