SAN FRANCISCO—Sentencing for a man who hacked into Gmail accounts on behalf of Russian intelligence was unexpectedly postponed Tuesday, with a federal judge voicing skepticism over the Justice Department’s request that the hacker spend nearly eight years in prison.
Karim Baratov, a 23-year-old Canadian citizen born in Kazakhstan, pleaded guilty to federal conspiracy and identity theft charges last November in connection with a mercenary hacking service he operated from 2010 until his arrest in March 2017. Baratov charged customers about $100 to obtain another person’s webmail password, using phishing attacks that tricked users into entering their credentials into a fake password reset page. He cracked more than 11,000 accounts in Russia and the U.S. before he was caught.
But in what was supposed to be Baratov’s sentencing hearing, U.S. District Judge Vince Chhabria said he was worried that the government was asking for an unusually long sentence because one of Baratov’s many clients turned out to be a Russian intelligence officer accused in a massive 2014 data breach at Yahoo that impacted 500 million users.
“One concern I have is that the sentence the government is requesting for Mr. Baratov relates to the fact that he’s been caught up with a co-defendant who apparently was the Yahoo mega hacker,” said Chhabria. “Mr. Baratov did not have any involvement in the conspiracy to conduct the Yahoo mega hack.”
“I’m not comfortable with the government’s proposed term of custody without getting more information,” the judge added later, repeating his worries that the government was asking for a sentence disproportionate to Baratov’s own actions because the case is tied up with “the Yahoo mega hack and about Russians.”
The government sought a sentence of seven years, 10 months in prison, while the defense asked for about half that. Instead Chhabria moved the sentencing to May 29 to allow the judge to examine sentences in other hacking cases, and allow time for both sides to file additional briefs.
Federal officials treated Baratov’s case as a national security matter because one of Baratov’s clients worked for Russia’s Federal Security Service, or FSB. Using the alias “Patrick Nag,” the FSB officer allegedly commissioned hacks on 80 people, including victims within other Russian agencies, and government officials in neighboring Eastern European nations.
Only eight of those hack attempts were successful, and the government and Baratov’s defense team agree that the hacker did not know that the commissions were coming from the Russian government.
“It just happened to be a client of his,” said defense lawyer Andrew Mancilla, in an interview ahead of the sentencing hearing. “He didn’t know that he was dealing with the FSB at all.”
Baratov began hacking webmail accounts when he was a kid, and at first it was just a hobby, according to a sentencing brief filed by his lawyers. When a grateful client voluntarily gave him some money as a thank-you, his entrepreneurial drive kicked in. “He began advertising his services across Russian Internet servers, and his business began to grow,” the lawyer wrote.
Pre-sentencing wrangling focused largely on the mercenary flavor of Baratov’s business. Defense lawyers said Baratov generally assumed his clients were jealous lovers or spouses spying on their significant others, and they argued that Baratov’s neutrality—he’d work for anyone with the money to spend—rendered him less culpable than defendants in otherwise similar cases who performed their intrusions as part of a financial fraud scheme or for voyeurism. “Karim is a very different type of hacker,” Mancilla told The Daily Beast. “He didn’t intend to personally harm people.”
The government argued the opposite: If anything Baratov is more culpable because the hacks were individualized, and he just didn’t care who his victims were or why he was hacking them.
“He took orders from his customers… without needing any information about the victims, for example to reveal whether they were adults or children, sick or well, or any other characteristics someone interested in minimizing harm might consider,” prosecutors wrote in a sentencing memorandum. “The correspondence with his customers shows that as long as he was paid, he hacked into victim webmail accounts with little, if any, discussion with his customers about their identity, motives, and plans.”
“You’re saying it’s more nefarious than hacking into a company stealing everyone’s personal information and then selling it on the market?” asked Judge Chhabria at Tuesday’s hearing.
“I think it is, yes,” replied Scott McCulloch, an attorney with the Justice Department’s National Security Division.
The government illustrated its point by filing an affidavit by one of the FBI agents on the case describing the kinds of people Baratov worked for. One of the hacker’s customers was someone who claimed to be in the business of hurting or killing people for money—the customer even sent Baratov a price list. Baratov did business with the ersatz hit-man anyway.
“Subsequently, the defendant provided that customer with stolen passwords for targeted victims,” wrote FBI agent Aleksandr Kobzanets. “The defendant also exchanged emails with that customer through August 2012 about the hacking of and payment for additional victims’ webmail accounts.”
And there’s little chance Baratov thought the FSB officer who ordered hacks on 80 different webmail accounts was a snooping spouse, the government added.
That Russian, Dmitry Dokuchaev, is charged as a co-conspirator in the case, though he’s unlikely to wind up in a San Francisco courtroom. Dokuchaev was arrested in Russia by his FSB colleagues in December 2016 and charged with treason, under circumstances that remain shrouded in mystery.
Another FSB officer, Igor Sushchin, is also charged in the indictment for allegedly overseeing the email hacking, as is a long-notorious Russian hacker named Alexsey Belan who was already wanted in two states for conventional cybercrime. The three Russian nationals are accused of conspiring to commit the 2014 data breach at Yahoo.
They allegedly turned to Baratov to fill the gap when they encountered an FSB target that used Gmail, or another provider, instead of Yahoo where they had complete access.
The government stressed the need to deter hackers like Baratov given how easily they’re weaponized by hostile governments like Russia’s.
“For cybercriminals like the defendant, there must be a significant sentence of imprisonment that accounts for hacking in such a prolific and indifferent manner that one is hired as a proxy for the Russian FSB,” prosecutors wrote.
U.S. sentencing guidelines scale a hacking defendant’s prison term based on the number of victims. Before Tuesday’s hearing concluded, Judge Chhabria said he was uncertain if all 11,000 of Baratov’s victims should be included in that calculus under the law. “It sounds like it’s undisputed that the vast majority of victims we’re looking at… are people who live in Russia who were victimized by somebody who was living in Canada,” he said. “How does this affect the analysis here?”
“We don’t know that all of these victims were in Russia,” answered McCulloch. “We know that some of the Russian speakers were in the United States and were targeted by the FSB for that reason.”
Either way, said McCulloch, the U.S. counts all victims the same, regardless of where they live. To do otherwise would run the risk of emulating Russian law enforcement, which “turns a blind eye” to computer crimes committed by Russian nationals against foreign targets.
“That’s what the FSB does,” said McCulloch.