Hamilton 'hacker for hire' Karim Baratov sentenced to 5 years for Yahoo security breach

A Canadian man has been sentenced to five years in prison in connection with a massive security breach at Yahoo that U.S. federal agents say was directed by Russian government spies.

23-year-old Karim Baratov was also fined $250,000 US

Karim Baratov is shown in a photo from his Instagram account. Baratov, a Canadian man of Kazakh origins, has been sentenced to five years in prison in connection with a massive Yahoo security breach. (Instagram/Canadian Press)

U.S. Judge Vince Chhabria on Tuesday also fined 23-year-old Karim Baratov $250,000 US.

Baratov pleaded guilty in November to nine felony hacking charges. He acknowledged hacking thousands of webmail accounts for seven years ending with his arrest last year.

He charged customers to obtain other people's webmail passwords, which he got by tricking the account holders into entering their credentials into a fake password reset page.

Prosecutors allege that the Russian security service hired the Kazakhstan-born Baratov to target email accounts using information obtained from the Yahoo hack.

His attorneys said Baratov didn't know he was working for the Russian spy agency.

A memorandum filed by U.S. law enforcement officials during the sentencing hearing in April described a "pressing need" to deter cybercriminals whose hacking can lead to other criminal activity, including foreign espionage.

Wealth displayed online 

Baratov was scheduled to be sentenced at that time, but Judge Chhabria questioned whether the sentence of seven years and 10 months that prosecutors were seeking was longer than what other hackers had received for similar crimes.

Baratov's attorneys had suggested three years and nine months.

They argued that Baratov, who was 19 at the time the hack began, was simply a curious young man whose fascination with coding "got the best of him" and unintentionally led him to amass the wealth he eagerly displayed on social media.

"He bore no intent to cause harm. He sincerely regrets his actions," wrote Andrew Mancilla and Robert Fantone in their submission to the court. "This is a hard lesson to learn for a young man ... but it is a lesson he has learned."

Karim Baratov poses in front of his house in Ancaster, Ont. in this undated photo. (Facebook)

But authorities said Baratov's actions were not driven by innocent curiosity.

"This is not a case of a teenager making an isolated mistake on the internet out of curiosity," officials wrote. "Rather, this is a case of the defendant making a profession out of breaking into the private lives of thousands of victims."

'Egregious, extensive'

Officials, however, described Baratov's actions as "egregious, extensive, and reprehensible" and say he hacked into the webmail accounts of 11,000 victims, broke into their digital records, and sold stolen access to their private lives between 2010 and 2017 to live "lavishly."

The Russian agents involved, Dmitry Dokuchaev and Igor Sushchin, used the information they stole from Yahoo to spy on Russian journalists, U.S. and Russian government officials and employees of financial services and other private businesses, according to prosecutors.

Dokuchaev, Sushchin and a third Russian national, Alexsey Belan, were also named in the indictment filed in February, though it's not clear whether they will ever set foot in an American courtroom since there's no extradition treaty with Russia.

Hacker known for flashy cars

Baratov lived in a $650,000 house on a quiet street in the affluent Hamilton suburb of Ancaster, Ont.

Neighbours knew him for his flashy cars, which included a Lamborghini, Porsche, Aston Martin, Mercedes and BMW, according to U.S. officials. He also posted photos on social media, showing off stacks of $100 bills.

But despite the appearance of wealth, American authorities say Baratov seems to have spent his money as he earned it — his only remaining assets are $30,000 from his home, $1,500 U.S. in a PayPal account and $900 that was in his wallet when he was arrested. 

Baratov initially pleaded not guilty to his charges. But he then decided not to fight extradition to the U.S., going there in August of 2017.

Files from Dan Taekema/CBC