US prosecutors set to punish Karim Baratov after he compromised 11,000 accounts.
A Canadian hacker who sold Yahoo login details to Russian agents could face eight years in jail, if US prosecutors are successful.
Karim Baratov compromised 11,000 accounts between 2010 and 2017, and re-sold the credentials to buyers including Russian FSB agents.
He pleaded guilty last year and claimed he didn’t know the buyers were government agents.
Baratov now faces seven years and 10 months in prison as US prosecutors look to incarcerate him.
The prosecution said in a proposal: “This is not a case of a teenager making an isolated mistake on the Internet out of curiosity. Rather, this is a case of the defendant making a profession out of breaking into the private lives of thousands of victims.”
It added: “The defendant setup, operated, and grew a criminal hacker-for-hire business that gave his customers the ability… to commit a whole spectrum of additional crimes.”
His defense, meanwhile, is asking for a lesser sentence of 45 months.
Baratov and three other defendants, including two FSB agents, were charged with computer hacking and other criminal offenses in connection with a conspiracy to access Yahoo’s network and the contents of email accounts that began in January 2014.
Baratov’s co-defendants, all of whom remain at large, all are Russian nationals and residents: Dmitry Aleksandrovich Dokuchaev, Igor Anatolyevich Sushchin, and Alexsey Alexseyevich Belan.
He admitted to attempting to hack at least 80 of the email accounts on behalf of the Russian accused and to compromising the 11,000 accounts.
Baratov is thought to have advertised his services on hacker-for-hire websites until his arrest in Canada last year.
He said that he spearphished his victims, sending them emails from accounts he established to appear to belong to the webmail provider, where the victim’s account was hosted, US lawmakers said.
Once Baratov collected the victims’ account credentials, he sent his customers screenshots of the victims’ account contents to prove that he had obtained access and, upon receipt of payment, provided his customers the victims’ login credentials.
His defense rests on the fact that Baratov was a teenager when he carried out the majority of the hacks, and that since most of his victims were located in Russia, his crimes are outside US jurisdiction.