Karim Baratov, the 23-year-old Canadian man implicated in the hacking of 500 million Yahoo accounts, pleaded guilty to multiple charges in a California court on Tuesday. He faces up to 20 years in prison for his limited role in the coordinated effort, and will be sentenced in February.
Baratov pleaded guilty to one count of conspiracy to commit computer fraud and abuse, and eight counts of aggravated identity theft.
As a Canadian citizen, Baratov waived his right to an extradition hearing in his native country earlier this year. Once in the US, he initially submitted a not guilty plea, but on Wednesday his lawyers told a judge in federal court in San Francisco that their client was prepared to accept responsibility for his actions.
Prosecutors have accused Baratov of being responsible for hacking at least 80 accounts, at least 50 of which were hosted by Google. He and three other men, two of which are officers in Russia’s Federal Security Service (FSB), are the only people to have had formal charges brought against them for the hack. In a statement, the US Department of Justice wrote:
The defendants used unauthorised access to Yahoo’s systems to steal information from about at least 500 million Yahoo accounts and then used some of that stolen information to obtain unauthorized access to the contents of accounts at Yahoo, Google and other webmail providers, including accounts of Russian journalists, US and Russian government officials and private-sector employees of financial, transportation and other companies. One of the defendants also exploited his access to Yahoo’s network for his personal financial gain, by searching Yahoo user communications for credit card and gift card account numbers, redirecting a subset of Yahoo search engine web traffic so he could make commissions and enabling the theft of the contacts of at least 30 million Yahoo accounts to facilitate a spam campaign.
Yahoo has claimed that the 2014 hack was state-sponsored, and the other men live in Russia so they are unlikely to be extradicted to the United States. The FSB officers, Dmitry Dokuchaev and Igor Sushchin, are believed to have coordinated with Alexsey Belan, one of the FBI’s most wanted hackers, to execute the breach.