Russia-linked hacker gets 5 years in Yahoo security breach

Prosecutors called the 23-year-old an "international hacker-for-hire."

Steven Musil Night Editor / News
Steven Musil is the night news editor at CNET News. He's been hooked on tech since learning BASIC in the late '70s. When not cleaning up after his daughter and son, Steven can be found pedaling around the San Francisco Bay Area. Before joining CNET in 2000, Steven spent 10 years at various Bay Area newspapers.
Expertise I have more than 30 years' experience in journalism in the heart of the Silicon Valley.
Steven Musil
2 min read
Lock placed on computer keyboard
NAZPHOTO / Getty Images

A hacker who worked for a Russian spy agency was sentenced Tuesday to five years in prison for using data stolen in a massive Yahoo data breach to gain access to private emails.

Karim Baratov, 23, also agreed to pay restitution to his victims and a fine of up to $2.25 million, the Department of Justice said in a statement. Baratov pleaded guilty in November to aggravated identity theft and conspiring to commit computer fraud and abuse.

Working with agents from the Russian intelligence agency called FSB, Baratov hacked into email accounts hosted by Google and Yandex. The same agents were also allegedly responsible for the 2014 hack of Yahoo that compromised 500 million user accounts.

Prosecutors called Baratov, a Canadian national, an "international hacker-for-hire" who hacked without discussion or hesitation for Dmitry Dokuchaev, an officer for the FSB.

"The sentence imposed reflects the seriousness of hacking for hire," said Acting U.S. Attorney Alex Tse. "Hackers such as Baratov ply their trade without regard for the criminal objectives of the people who hire and pay them."

Baratov was accused of sending phishing emails to specific email accounts, tricking users into handing over their usernames and passwords, and then sending the login information to Russian agents. 

A two-year investigation by the FBI's San Francisco branch found evidence Russian spies helped to break into Yahoo to steal information from US government officials, Russian dissidents and journalists. The Yahoo breach is the largest hacking case ever handled by the US government.

Other victims of the hacks included employees of a Russian cybersecurity company, a Russian investment banking firm, a French transportation company, US financial firms, a Swiss bitcoin wallet and a US airline. Investigators said the spies also hacked their victims' spouses and children's emails to dig up extra dirt.

First published May 29, 3:36 p.m. PT.
Update, 4:59 p.m.: Adds comments from DOJ, additional details. 

Security: Stay up-to-date on the latest in breaches, hacks, fixes and all those cybersecurity issues that keep you up at night.

Blockchain Decoded: CNET looks at the tech powering bitcoin -- and soon, too, a myriad services that will change your life.