Minerva Studio - Fotolia

Yahoo hacker sentenced to five years in prison for massive breach

One of four Yahoo hackers was sentenced to five years in prison for his role in the massive 2014 breach, which included accessing millions of sensitive email accounts.

The Yahoo "hacker for hire" Karim Baratov, charged with helping Russian intelligence officers access compromised Yahoo email accounts, received a sentence of five years in prison, as well as a fine amounting to the forfeiture of all his remaining assets.

Baratov, a 23-year-old Kazakh native, was a Canadian national at the time of his arrest last year in Canada for his role in one of the largest breaches ever uncovered: the 2014 exposure of 500 million Yahoo email accounts.

According to the Justice Department's announcement of the sentencing, Baratov's function in the caper was to hack the webmail accounts of "individuals of interest to his co-conspirator who was working for the FSB" (Federal Security Service) and sending the account passwords to an FSB agent in exchange for money.

"It's difficult to overstate the unprecedented nature of this conspiracy, in which members of a foreign intelligence service directed and empowered criminal hackers to conduct a massive cyber-attack against 500 million victim user accounts," said Special Agent in Charge John F. Bennett in the announcement. "Today's sentencing demonstrates the FBI's unwavering commitment to disrupt and prosecute malicious cyber actors despite their attempts to conceal their identities and hide from justice."

The 2014 Yahoo breach enabled the co-conspirators to forge session authentication cookies needed to access Yahoo email accounts. Baratov was charged with using those cookies to access email account passwords.

"Beginning no later than 2014," read the indictment released last year, "the conspirators stole non-content information regarding more than 500 million Yahoo user accounts as a result of their malicious intrusion. The theft of user data was part of a larger intrusion into Yahoo's computer network, which continued to and including at least September 2016. As part of this intrusion, malicious files and software tools were downloaded onto Yahoo's computer network, and used to gain and maintain further unauthorized access to Yahoo's network and to conceal the extent of such access."

Baratov pleaded guilty in December to nine felony hacking charges, out of the 48 charges he faced for his role in accessing the private email accounts of journalists, U.S. and Russian government officials and private sector employees of financial, transportation and other companies. The Yahoo hacker was arrested in Canada in March of last year; Baratov was the only defendant arrested and prosecuted of the four men indicted in the case.

The other three accused Yahoo hackers are Russian nationals who remain out of reach of U.S. law enforcement agencies. Two of the men indicted, Dmitry Aleksandrovich Dokuchaev and Igor Anatolyevich Sushchin, are officers of Russia's FSB; the third, Alexsey Alexseyevich Belan, was previously indicted twice before for computer fraud and abuse, access device fraud and aggravated identity theft.

Belan was arrested in 2013 in Europe, but he was able to return to Russia before he could be extradited to the U.S. The FBI placed Belan on its "Cyber Most Wanted" list in 2013, and he is the subject of a "Red Notice" request for Interpol member nations to arrest and extradite him; Russia has ignored that and other extradition demands by the U.S.

Dig Deeper on Threats and vulnerabilities

Enterprise Desktop
Cloud Computing