Inside the Yahoo hack: A twisted tale of international cybercrime
U.S. indictment and media reports offer details on allegations against two Russian intelligence officers, a Latvian-born hacker and a 22-year-old Ancaster resident in case of massive Yahoo data breach.
Russian spies and cybercrime, FBI warrants and Interpol, treason and luxury cars.
The details surrounding last week’s indictment of four men in connection with a massive hacking ring are the stuff of paperback spy novels.
The Russian Federal Security Service, successor to the KGB, recruited wanted cybercriminals who embarked on a prolific hacking scheme that breached about 500 million Yahoo email accounts and targeted diplomats, bureaucrats, journalists and business executives for political and financial gain, according to the U.S. indictment.
None of the charges have been proven in court.
Mixed into the fray is a baby-faced Canadian of Kazakh origins, just 19 years old at the scheme’s outset, with an ostentatious lifestyle carefully documented in boastful social media posts.
But what do we know of the lives of Russian intelligence officers Igor Sushchin and Dmitry Dokuchaev, Latvian-born hacker Alexsey Belan and 22-year-old Ontario resident Karim Baratov?
In the mid-2000s, Dokuchaev was a well-known hacker, operating under the pseudonym “Forb,” according to Russian media reports.
In a 2004 interview with a Moscow-based newspaper, Forb, then about 20 years old, claimed to have hacked U.S. government websites and made a significant amount of money from credit card fraud.
Journalists in Russia have reported that the Federal Security Service (known by its Russian abbreviation, FSB) threatened to jail Dokuchaev for credit card scams unless he went to work for their Centre for Information Security.
Like Dokuchaev, Belan gained notoriety as a young hacker with U.S. targets in his sights.
The FBI alleges that, between January 2012 and April 2013, Belan breached the computer networks of three major American e-commerce businesses, stealing their user databases in order to sell them.
On Sept. 12, 2012, a U.S. federal court in Las Vegas issued a warrant for Belan’s arrest on charges of aggravated identity theft, obtaining information from a protected computer and possession of 15 or more “unauthorized devices.”
Before the end of 2012, Belan had landed on the FBI’s Most Wanted List for cybercriminals. His name has remained there ever since.
While Dokuchaev was being pressed into service as a Russian agent, and Belan was evading capture by the FBI, Baratov was attending high school in Ancaster, Ont.
He was a quiet, introverted kid, remembered by one former Ancaster High School classmate as “really weird.”
But the teenage Baratov was already turning heads with his expensive clothes and flashy cars, absurdly out of step with a typical high school student’s lifestyle.
In October 2012, he affixed a vanity licence plate reading “Mr Karim” to a 2011 Mercedes E-Class, worth about $60,000 when new.
A month later, he switched the plate to a 2010 BMW, which would have retailed at more than $100,000 when new.
In an online Q&A that Baratov appears to have started in 2013, he described himself as a “programmer” and claimed to have made his “first million” by age 15.
In a February post on what seems to be his Facebook page, Baratov claimed to have been suspended from high school in early 2013 “for threatening to kill my ex-friend as a joke.”
The suspension gave Baratov time to grow his business, he wrote. When his punishment was over, he got himself expelled from school by cursing at his principal so he could spend more time on work, he claimed.
A spokesperson for the Hamilton-Wentworth District School Board confirmed that Baratov had once been a student in one of its schools. The board declined, however, to reveal any other information about Baratov or his alleged expulsion, citing privacy concerns.
As Baratov allegedly wrapped up his high school career, a U.S. federal court some 3,600 kilometres away was preparing to indict Belan for further cybercrimes.
On June 6, 2013, the San Francisco-area court issued a warrant for Belan’s arrest on two counts of aggravated identity theft and two counts of fraud in connection with a computer.
The American warrants led to Belan being arrested in Greece, the Washington Post has reported. But, before he could be extradited to the U.S., he managed to flee the country, escaping to Russia.
Russia does not have an extradition treaty with the U.S., but both countries are members of Interpol, which issued a notice calling for Belan to be arrested.
The U.S. Department of Justice alleges that, instead of arresting Belan, Russia’s FSB “used him,” recruiting the hacker into its Centre for Information Security and furnishing him with sensitive internal information that would help him continue hacking without being caught.
The hacking campaign against Yahoo email accounts began no later than January 2014, according to the U.S. indictment.
By that time, Sushchin, Dokuchaev and Belan were all working for the FSB — Sushchin and Dokuchaev as agents, and Belan as a kind of private contractor. Sushchin, the highest ranking of the three, was also “embedded” as the head of information security at a Russian financial firm, the U.S. Department of Justice said.
A Russian news report on Saturday said Sushchin was security director at Renaissance Capital, an investment bank owned by billionaire Mikhail Prokhorov, who also owns the Brooklyn Nets basketball team.
The report in the business newspaper Kommersant cited Renaissance Capital as saying Sushchin’s employment was ended on Thursday, the day after U.S. authorities announced their case.
Before the end of 2014, Belan had allegedly stolen a copy of Yahoo’s user database, containing customer names, phone numbers, email addresses and security questions and answers for approximately 500 million email accounts. Security questions and answers are particularly damaging when exposed: unlike passwords, they are rarely changed, and many people reuse the same answers for account recovery on other services.
Belan, who was allegedly tasked with the hands-on hacking of Yahoo accounts, is accused of using that data to access the emails of specific targets, including Russian and American government officials, diplomats and bureaucrats from Russia’s neighbouring states, journalists, and high-ranking executives from banks, web companies and other large corporations, including the financial firm that Sushchin ran security for.
Other Yahoo accounts were breached by “spear phishing,” a targeted attack in which the victim is sent an email crafted to appear to come from someone they know or trust, containing a link or attachment designed to harvest their credentials or install malware, the U.S. indictment said.
The conspirators searched the targeted Yahoo accounts for links and data pointing to the VIPs’ alternate email accounts, presumably because those other accounts contained more valuable information.
It was allegedly Baratov’s job to get into those sought-after email accounts.
Starting in about October 2014, Sushchin and Dokuchaev allegedly sent dozens of email addresses to the young Canadian.
Each time Baratov retrieved a password for one of the accounts, Dokuchaev would send him around $100 (U.S.), paid in American, Russian, Ukrainian or EU currency, according to the indictment.
Dokuchaev and Sushchin allegedly assigned Baratov at least 80 email addresses in all, more than half of them Gmail addresses.
In its indictment, the Department of Justice makes note of only eight passwords allegedly uncovered by Baratov between 2014 and 2016.
While Dokuchaev and Sushchin were said to be pulling Baratov’s strings, Belan was allegedly working cyber-scams on the side to carve out some personal profit.
In November 2014, the hacker is accused of modifying code for Yahoo’s English-language search engine so that users searching for erectile dysfunction drugs would be directed to an online pharmacy. Belan earned a commission from the pharmacy for driving traffic to their site, the indictment said.
Belan also searched the contents of compromised Yahoo mailboxes for credit card numbers, online payment account details and digital gift cards, U.S. authorities allege.
Between April 2015 and April 2016, Dokuchaev allegedly sent Baratov the equivalent of roughly $1,000, which at the stated rate would correspond to about 10 passwords in that period.
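The mailbox mining described above is the same search a defender runs in reverse when assessing what an attacker with mailbox access could have harvested. The following script is an added example, not code from the indictment or from Yahoo: it scans constructed sample messages for card numbers, and uses the Luhn check digit to reject 16-digit strings such as parcel tracking numbers that a plain digit-count pattern would flag. The message texts, the helper names and the masking format are all my own choices for illustration.

```python
import re
from typing import List, Tuple

# Constructed sample mailbox (not real messages). Message 1 holds a
# well-known Luhn-valid test card number; message 2 holds a 16-digit
# tracking number that is NOT Luhn-valid; message 3 holds no card at all.
SAMPLE_MAILBOX = [
    "Order confirmation: card ending 4242, full PAN on file 4111 1111 1111 1111, exp 12/26",
    "Your tracking number is 1234 5678 9012 3456 and call us at 905-555-0100",
    "Gift card code: AMZN-1234-ABCD-5678 balance $50, paypal: billing@example.com",
]

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# not preceded or followed by another digit (avoids matching inside longer runs).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return normalised (separator-free) card numbers found in one message body."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        # The regex bounds the digit count; Luhn removes most non-card digit runs.
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep only the last four digits so findings can be reported without re-exposing the PAN."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scan_mailbox(messages: List[str]) -> List[Tuple[int, str]]:
    """Return (message index, masked PAN) for every Luhn-valid card number in the mailbox."""
    hits = []
    for idx, body in enumerate(messages):
        for pan in find_card_numbers(body):
            hits.append((idx, mask(pan)))
    return hits


if __name__ == "__main__":
    for idx, masked in scan_mailbox(SAMPLE_MAILBOX):
        print(f"message {idx}: card number {masked}")
```

Only the first message produces a hit; the tracking number in the second fails the Luhn check and the gift card code in the third never matches the digit-run pattern. Gift card and payment account references would need their own patterns, since there is no check digit to lean on.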
As he entered his 20s, Baratov continued to baffle onlookers with his flashy lifestyle.
Over the course of 2015, his “Mr Karim” licence plate was attached to a Lamborghini, a Porsche, an Audi and a BMW.
His biggest purchases, however, were made with borrowed money.
In September 2015, Baratov bought a two-storey, $642,500 house in Ancaster with a middle-aged married couple named Akhmet Tokbergenov and Dinara Tokbergenova.
The trio took out a mortgage of $514,000, which has not yet been paid off.
Tokbergenov and Tokbergenova also own a nearly identical house less than a five-minute drive away.
The U.S. Department of Justice said Baratov sometimes goes by the name “Karim Akehmet Tokbergenov.”
His neighbours say he lives alone but that an older couple, who they take to be Baratov’s parents, visit regularly.
In 2016 Baratov took out loans of more than $104,000 for an Aston Martin and $65,000 for a Mercedes.
While he posed for photos with these new additions to his stable of luxury cars, news of the Yahoo hacks went public.
On Sept. 22, 2016, the company revealed that at least 500 million accounts had been compromised in 2014, exposing users’ personal information.
Yahoo attributed the hack to a “state-sponsored actor.” For three months, it was known as one of the largest data security breaches to date.
Then, in December, Yahoo announced that a separate 2013 hack had exposed personal information connected to more than one billion accounts. Yahoo said the 2013 and 2014 hacks were unrelated.
As 2016 drew to a close, Dokuchaev was arrested by Russian authorities in Moscow and charged with treason. It was alleged that the hacker-turned-government agent had passed information to the CIA, Russian media reported.
Also charged in the supposed CIA conspiracy was senior FSB officer Col. Sergei Mikhailov.
Days later, President Barack Obama signed an executive order expelling 35 Russian diplomats from the U.S. for their suspected spying activities, and imposing sanctions against the FSB and another Russian intelligence agency.
It was retaliation for Russia’s alleged interference in the 2016 U.S. presidential election, Obama said.
In co-ordination with the president’s order, the U.S. Treasury Department placed Belan on a sanctions list for his “significant malicious cyber-enabled misappropriation of personal identifiers for private financial gain,” blocking his assets and prohibiting Americans from dealing with him.
The U.S. Department of Justice has repeatedly said the hacks allegedly committed by Dokuchaev, Sushchin, Belan and Baratov were not related to the U.S. election.
On Feb. 28, 2017, a federal court in San Francisco indicted Dokuchaev, Sushchin, Belan and Baratov in connection with their alleged hacks of Yahoo and other email accounts.
Dokuchaev, Sushchin and Belan were charged with economic espionage, computer hacking and conspiracy-related offences. Baratov faces less severe charges of aggravated identity theft and conspiring to commit fraud.
On Monday, Baratov’s Ancaster house was put up for sale, with an asking price of approximately $930,000 (Canadian).
On Tuesday, the Toronto police fugitive squad arrested Baratov at his home and turned him over to the RCMP.
On Wednesday, Baratov’s house was delisted, but on Thursday the office of the real estate agent handling the sale confirmed it was back on the market.
Baratov’s lawyer, Amedeo DiCarlo, said the allegations levelled at his client are unfounded.
“This is an attack by the U.S. government, it’s a challenge by the U.S. government. We are fighting that challenge,” DiCarlo said.
Baratov will seek to be released on bail, the lawyer added, noting that a hearing has been scheduled for April 5.
The next step, according to DiCarlo, will be a hearing on Baratov’s extradition to the U.S.
With no extradition treaty between the U.S. and Russia, it’s likely Baratov is the only one of the four men charged who will see the inside of an American courtroom.
With files from Alicja Siekierska, The Canadian Press and The Associated Press