Governance & Risk Management , Incident & Breach Response , Managed Detection & Response (MDR)

Alleged Yahoo 'Hacker for Hire' Waives Extradition Hearing

Canadian Karim Baratov Will Fight Hacking Charges in U.S. Court
Alleged Yahoo 'Hacker for Hire' Waives Extradition Hearing
Karim Baratov, in an undated photo posted to his Facebook account. (Source: Facebook)

Update (Aug. 24): Baratov appeared in San Francisco federal court on Wednesday, where he pleaded not guilty to related charges. His attorney, Amedeo DiCarlo, told Information Security Media Group that Baratov's extradition proceeded much more rapidly than anticipated.

See Also: Secureworks Named a Major Player in the 2024 IDC MDR Marketscape

A Canadian man accused of helping the group that allegedly launched the massive hack attack against Yahoo has waived his right to an extradition hearing in Canada and is due to appear in U.S. court within the next two weeks, Canadian Broadcasting Corporation reports.

Karim Baratov, a 22-year-old Ontario resident, was arrested March 14 by local police under Canada's Extradition Act after an indictment filed in San Francisco federal court charged him with hacking into 80 webmail accounts. He faces up to 20 years in prison if convicted of all charges filed against him.

Baratov was one of four men indicted by the U.S. Justice Department on computer hacking, economic espionage and other criminal offenses tied to the hack of Yahoo in 2014, which exposed 500 million user accounts. The other three men are still at large, and were last known to be in Russia, the U.S. Justice Department said on March 15, when it announced the indictment.

U.S. prosecutors have accused Baratov of being a "hacker for hire." They have also accused two of the other suspects named in the indictment - Dmitry Dokuchaev and Igor Sushchin - of working for an intelligence unit that's part of Russia's state security service, the FSB, and being Baratov's handlers.

The FBI collaborates with the FSB on international cybercrime investigations.

The fourth man named in the indictment is Alexsey Belan, a Russian citizen - born Latvia - who was arrested in Greece in 2013 on separate hacking charges. After he was released on bail, he fled to Russia, benefiting from "the protection afforded by Russian government officials, and from U.S. law enforcement's inability to reach him in Russia," according to the Justice Department's application for his arrest (see Russian Cybercrime Rule No. 1: Don't Hack Russians).

Held Without Bail

Baratov has been behind bars since his arrest. In Canadian court, the United States cited the example of Belan having fled Greek custody to argue that Baratov was a flight risk. An Ontario Superior Court judge denied Baratov's request for bail.

Now, Baratov's attorney, Amedeo DiCarlo, expects his client to be handed over to U.S. Marshals by September 8, but said at a press conference that the transfer could happen any time in the next two weeks. He's said in media interviews that his client is bored and wants to face the charges filed against him as quickly as possible.

"Go there, finish it there, let's get some lawyers and let's move on with this," DiCarlo told CBC News in a recent interview. "Keeping him here, I think, is just going to waste more time."

Baratov Could Face Additional Charges

Karim Baratov pictured at his home in Ancaster, Ontario, in an undated photo. (Photo: Facebook)

On Friday, Justice Andrew Goodman warned Baratov that by waiving his right to an extradition hearing, the United States could bring additional charges against him, CBC reports.

Instead, Baratov could have consented to the extradition hearing, after which Canada's justice minister would have had 90 days to approve the suspect's transfer to the United States. Consenting would also have ensured that the United States could not later expand the list of charges against Baratov, but only prosecute him for the offenses detailed in its extradition request, under a principle of international law known as protection of specialty.

But Baratov signed the waiver in court, after which the judge ordered him to be transferred to U.S. custody, CBC reports.

DiCarlo, his attorney, previously argued that his client did not know who he was dealing with or what he was doing, and claimed that the indictment does not accurately reflect his client's activities. He's also emphasized that waiving the extradition hearing is in no way an admission of guilt.

Furthermore, Baratov reportedly chose to waive the extradition hearing after receiving assurances from U.S. federal prosecutors. "We've had some fruitful discussions with the U.S.; I'm pretty confident the 'consent' route was the wrong way to go," DiCarlo told reporters after the Friday court hearing, CBC reports. "The waiver was the right way to go."

Allegation: Russia Outsourced Hacking

Russian citizen Alexsey Belan has been charged with helping the FSB hack into Yahoo accounts from 2014 to 2016.

Yahoo issued its first public alert about the 2014 hack attack against it on Sept. 22, 2016. The search giant said it learned about the breach from law enforcement agencies.

Prosecutors have accused the FSB of ordering up the breach (see Outsourcing Cyber Espionage Landed Russia in Trouble).

"When the FSB officers, Sushchin and Dokuchaev, learned that a target of interest had email accounts at webmail providers other than Yahoo, including through information gained from the Yahoo intrusion, they would task Baratov to access the target's account at the other providers," according to the U.S. indictment. "When Baratov was successful, as was often the case, his handling FSB officer, Dokuchaev, paid him a bounty."

Russian authorities, however, have denied that the FSB was involved in the Yahoo hack.

Yahoo's Breach Epidemic

On Dec. 14, 2016, meanwhile, Yahoo said that it had discovered a separate breach, which it believed occurred in August 2013, that had compromised 1 billion accounts.

Yahoo had the misfortune to have discovered the 2013 breach, as well as the full extent of its 2014 breach, after Verizon offered to buy the struggling search giant for $4.83 billion in July 2016. News of the breaches threatened to derail the deal, and ultimately saw the purchase price reduced to $4.48 billion.

After the deal closed in June, Verizon removed Yahoo's leadership team, including CEO Marissa Mayer, during whose tenure the breaches had occurred (see Marissa Mayer Bids Adieu to Yahoo).

Verizon has been combining its AOL business with various Yahoo properties into a new subsidiary named Oath, led by Tim Armstrong, former CEO of AOL. Oautho includes HuffPost, Yahoo Sports,, Tumblr, Yahoo Finance and Yahoo Mail, among other properties.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.