A 23-year-old Canadian was sentenced in federal court in San Francisco Tuesday to five years in prison for hacking emails on behalf of Russian intelligence officials.
Karim Baratov pleaded guilty before U.S. District Judge Vince Chhabria in November to one count of conspiring to commit computer fraud and eight counts of identity theft from the owners of eight Gmail accounts that he hacked between December 2014 and 2016.
He was sentenced by Chhabria, who also ordered him to pay a $250,000 fine.
Two Russian Federal Security Service officers and a Russian citizen who also allegedly hacked emails were indicted together with Baratov by a federal grand jury in San Francisco on Feb. 28, 2017, on charges of the computer fraud conspiracy and other crimes.
The other defendants are believed to be in Russia, according to prosecution documents, and have never been brought to court on the charges.
Baratov was arrested by Royal Canadian Mounted Police and Toronto police in March 2017 and later waived extradition and agreed to be transferred to the federal court for Northern California.
U.S. Attorney’s Office spokesman Abraham Simmons said that during his guilty plea, Baratov acknowledged that one of the alleged co-conspirators, Russian intelligence officer Dmitry Dokuchaev, asked him to obtain the passwords of a total of 80 email accounts. Most were Gmail accounts hosted by Mountain View-based Google, according to the indictment.
Baratov was paid $100 per hack, the indictment said. Prosecutors said Baratov was able to steal the passwords of 18 of the accounts, including the eight cited in his guilty plea.
Tbe indictment alleges that Dokuchaev and his superior at the Russian Federal Security Service, Igor Sushchin, obtained user data but not the content of about 500 million Yahoo email accounts as a result of the theft of a user database from Sunnyvale-based Yahoo by Alexsey Belan, the fourth defendant in the case.
The Russians then allegedly used various techniques to identify the recovery emails linked to some of the Yahoo accounts and Dokuchaev assigned Baratov to hack some of them.
Baratov, who was born in Kazakhstan, advertised his hacking services on Russian language websites. Dokuchaev used a false name to communicate with him and Baratov did not know he was a Russian security officer. But he never questioned Dokuchaev’s identity, motive or plans, prosecutors said in a filing.
The victims whose emails Baratov was asked to hack included Russian officials and businessmen, according to the indictment.
Simmons said Baratov also admitted in his guilty plea that he hacked a total of 11,000 email accounts in the course of the hacking-for-hire business he conducted at his home in Canada between 2010 and 2017.
Defense attorney Andrew Mancilla said in a brief that 9,000 of the hacked accounts were hosted by Russian service providers and the other 2,000 were hosted by U.S. companies.
Most of those hacks were sought by jealous husbands, wives, boyfriends or girlfriends who wanted to snoop on their partners, defense lawyers said.
Mancilla wrote that Baratov moved to Canada with his family at the age of 12 and was able to do advanced computer programming by that age. He began charging for hacking services at age 14.
Baratov spent his gains on a $650,000 house and several luxury cars, according to prosecutors.
Acting Northern California U.S. Attorney Alex Tse said, “The sentence imposed reflects the seriousness of hacking for hire. Hackers such as Baratov ply their trade without regard for the criminal objectives of the people who hire and pay them.
“These hackers are not minor players; they are a critical tool used by criminals to obtain and exploit personal information illegally,” Tse said in a statement.