The Canadian man who pled guilty last year to a massive spear-phishing operation of Yahoo employees—which ultimately resulted in 500 million accounts being compromised—has been sentenced to five years in prison.
Karim Baratov, 23, was also ordered on Tuesday by a federal judge in San Francisco to pay a $250,000 fine.
“The sentence imposed reflects the seriousness of hacking for hire,” acting US Attorney Alex Tse said in a statement. He also wrote:
Hackers such as Baratov ply their trade without regard for the criminal objectives of the people who hire and pay them. These hackers are not minor players; they are a critical tool used by criminals to obtain and exploit personal information illegally. In sentencing Baratov to five years in prison, the Court sent a clear message to hackers that participating in cyber attacks sponsored by nation states will result in significant consequences.
Baratov had previously admitted that his role was to “hack webmail accounts of individuals of interest to the FSB,” the Russian internal security service. The hacker then sent those passwords to his alleged co-conspirator, Dmitry Aleksandrovich Dokuchaev. Baratov was indicted in late February 2017 along with three other men who remain in Russia.
As Ars reported in March 2017, the targeted attack allowed the four (and possibly other unnamed parties) to gain direct access to Yahoo’s internal networks. Once in, Alexsey Belan—a co-defendant hacker already wanted in the United States for a series of intrusions into the networks of e-commerce providers—is alleged to have conducted reconnaissance of Yahoo’s networks. In the process, he discovered two key assets, according to the FBI: Yahoo’s User Database (UDB) and an administrative tool called the Account Management Tool.
While the UDB’s contents did not necessarily give him everything required to access individual user accounts, it did give Belan and the two FSB agents information that could be used to locate and target specific accounts of interest. And the Account Management Tool could be used to make alterations to targeted accounts, including password changes.