The only person to have been arrested for the massive breach of Yahoo accounts in 2014 is expected to plead guilty tomorrow, according to court records.

22-year old Canadian citizen Karim Baratov was arrested in March, and earlier this year waived his right to fight a US extradition request. In August, he pleaded not guilty to conspiring to commit computer fraud, access device fraud and wire fraud, and aggravated identity theft.

Tuesday’s proceedings before US District Judge Vince Chhabria are scheduled as a “change of plea” hearing, with The Wall Street Journal reporting that Baratov is expected to enter a guilty plea following extensive negotiations.

Three other men, including two officers in Russia’s Federal Security Service (FSB), have been charged for their role in a cyber attack that affected at least 500 million Yahoo accounts. They are believed to be residing in Russia.


In court on Tuesday, Baratov pleaded guilty to one count of conspiring to violate the Computer Fraud and Abuse Act and eight counts of aggravated identity theft.

Original story continues:

– Sebastian Moss

Russian ties

The United States indictment alleges that FSB officers Dmitry Dokuchaev and Igor Sushchi paid and directed hackers to collect information by illegally accessing computer systems. 

The indictment claims that the FSB officers employed Russian hacker, Alexsey Belan, to breach Yahoo and steal information from more than 500 million accounts

This information was then used by Russian agents to access data on Russian journalists, politicians, citizens, government officials, officials from countries bordering Russia, and US government officials (“including cyber security, diplomatic, military, and White House personnel”).

In addition, cloud computing companies were targeted. The indictment states:

“In or around February 2016, the conspirators sought access to Yahoo accounts of employees of a U.S. cloud storage company’s (“U.S. Cloud Computing Company 1”). On or about February 26,2016, DOKUCHAEV gained accessed to the Yahoo user accounts of three different officers of U.S. Cloud Computing Company 1, in each case by minting cookies.”

It adds: “On or about September 29, 2015, BELAN gained access to a Yahoo user account controlled by an officer of a U.S.-based technology and internet-related services company (the “U.S. Technology Company”) and then searched that account for terms and phrases including “[U.S. Technology Company]” … password ” “VPN,” and “[Yahoo user name]@[U.S. Technology Company].com.”

In comparison, Baratov’s alleged actions were on a smaller scale. He is accused of accessing individual accounts of email users held with other email providers, sometimes using information obtained through unauthorized access to Yahoo’s network and its accounts.

People to be targeted allegedly included an assistant to the Deputy Chairman of the Russian Federation, several employees of a major Russian cyber security firm, a physical training expert working in the Ministry of Sports of a Russian republic, and others.

In one cited case, the indictment claims that Dokuchaev gained access to a Yahoo account belonging to an International Monetary Fund official, and then gave data from the account to Batarov, enabling him to him access the IMF official’s Google account.

In total, Baratov is charged with “obtaining unauthorized access to at least 80 identified email accounts, including at least 50 identified Google accounts.”

The indictment states: “BARATOV knowingly and with intent to defraud sought unauthorized access to Google and other accounts on behalf of DOKUCHAEV and SUSHCHIN through techniques such as spear phishing. He created and maintained multiple email accounts for the purpose of sending spear phishing emails to victims that he targeted at DOKUCHAEV and SUSHCHIN’s behest.”

It claims that whenever Baratov successfully gained access, he demanded payment, generally around US$100. “Once DOKUCHAEV sent BARATOV a payment, BARATOV provided DOKUCHAEV with valid, illicitly obtained account credentials permitting DOKUCHAEV, SUSHCHIN, and others known and unknown to thereafter access the victim’s account without further assistance from BARATOV.”