A 22-year-old Canadian man has pleaded guilty to compromising thousands of webmail accounts and selling the log-ins to Russian agents accused of the 2014 Yahoo breach.
Kazakhstan-born Karim Baratov is said to have been paid to hack Gmail, Yandex and other accounts on behalf of Dmitry Dokuchaev and Igor Sushchin, two officers from the Russian Federal Security Service (FSB).
The Department of Justice said the two officers enlisted the help of FBI most-wanted cyber-criminal Alexsey Alexseyevich Belan to hack Yahoo in 2014, resulting in the breach of 500 million user accounts.
However, when they wanted access to accounts managed by other providers, they called in hacker-for-hire Baratov, who apparently advertised his services on Russian language sites.
Baratov admitted hacking 80 webmail accounts for the FSB and over 11,000 in total as part of this and other raids from 2010 to 2017, when he was arrested in Canada and extradited to the US.
The attacks were undertaken via a simple spearphishing tactic which directed unwitting victims to a spoofed log-in page where he harvested their account credentials.
Baratov pleaded guilty to nine counts of conspiring to violate the Computer Fraud and Abuse Act and aggravated identity theft and will be sentenced on February 20 2018 in San Francisco.
As part of the plea agreement, he has agreed to pay restitution to his victims and a fine of up to $2.25m: that’s $250,000 per count.
“Where a foreign law enforcement or intelligence agency recruits, tasks, or protects criminals targeting the United States and its companies or citizens, instead of taking steps to disrupt them and hold them accountable, the United States will leverage all of its available tools to expose that agency’s conduct and arrest those responsible,” said acting assistant attorney general Dana Boente.
“Today’s plea exemplifies the department’s commitment to pursuing, arresting and bringing to justice even those hackers who work for a foreign law enforcement or intelligence organization.”