Skip to main content
canada

Karim Baratov, who was born in Kazakhstan but has Canadian citizenship, has been charged with two Russian spies and another criminal hackers for allegedly pilfering 500 million Yahoo user accounts in 2014.

A little more than a year ago, Karim Baratov posted on his Instagram account a photo of the TV reality star Tila Tequila. He humble-bragged to his thousands of social-media followers that he had mixed feelings after learning that the aspiring model was the previous owner of one of his fancy cars, a baby blue Lamborghini Gallardo.

Mr. Baratov frequently used his broad presence on social media to make a show of his financial success, but never discussed exactly what he did. However, the same week he widely shared his thoughts on the provenance of his vehicle, records show that someone with the same name in Ancaster, Ont., registered two domain names, Mail-Yandex.com and Accounts-Google.net.

Neither were officially linked to Google or Yandex, a popular Russian web portal.

Why would someone from a Hamilton suburb claim the rights to two web addresses that mimicked those of legitimate sites?

The answer, according to a court indictment unsealed this week in San Francisco, is that Mr. Baratov, a 22-year-old Canadian of Khazhak origin, is alleged to have engaged in spear phishing – that is, tricking people into visiting a bogus link to get them to reveal their passwords.

A review of public records and cached versions of defunct websites indicates that an e-mail address linked to a domain registered by a Karim Baratov was listed in 2009 on an ad for hacking services.

At the time, Mr. Baratov was still a teen. He has said on social media that, "At 14 I was making more than both of my parents combined."

The U.S. indictment alleges Mr. Baratov was part of a massive breach of millions of Yahoo accounts that was engineered with the complicity of two Russian intelligence officers.

The conspiracy began in early 2014, when a Russian hacker named Alexsey Belan stole a database of Yahoo users' records, according to the indictment.

It alleges that the two intelligence officers, Dmitry Dokuchaev and Igor Sushchin, then hired Mr. Baratov in fall, 2014, to use phishing to gain access to the victims' other e-mail accounts, mainly Gmail accounts.

The indictment also says Mr. Baratov used aliases such as Karim Akehmet Tokbergenov, Kay and Karim Taloverov.

In an e-mail on Wednesday night, Toronto lawyer Jag Virk said he represented Mr. Baratov. "My client maintains his innocence. We believe the charges against him may be politically motivated by the U.S. He is a 22-year-old young man with no criminal record. Everyone should wait for the facts to come out before rushing to judgement," the e-mail said.

Mr. Virk did not respond to requests for comment on Thursday.

Since 2010, at least 105 website domains have been registered by an Ancaster resident using either the name Karim Baratov or Karim Taloverov, according to public records.

Many of those domains looked similar to official ones, such as Reset-Mail.org and Login-System.info, and included 10 variations of the name of the Russian portal Yandex.

Daniel Tobok, chief executive officer of the Toronto computer security firm Cytelligence Inc., said in an e-mail interview that people who use phishing tactics "create a honey pot and trick people into thinking these are legitimate websites, and then when credentials are stolen it's mission accomplished."

From August, 2015, to August, 2016, during the period when Mr. Baratov is alleged to have hacked into Gmail accounts for the Russian intelligence officers, a Karim Baratov had registered the domain Login-Google.com, using as contact information the e-mail address kay@taloverov.com.

On his blog, the computer-security journalist Brian Krebs noted that two of the domains registered led to two websites explicitly advertising hacking services.

One site was Antimail.org, whose domain a Karim Baratov claimed between December, 2013, and February, 2014.

The site is no longer active, but an archived version from January, 2014, shows that it touted e-mail hacking services for $50. "We work 24/7. Completely anonymous!" it said.

The e-mail address provided in the registration record for Antimail.org was vzlom@live.com. That e-mail appears in a December, 2009, post on a Russian online forum hosted by HackZone.Ru. The post also sells e-mail hacking services.

HackZone.Ru is a Russian site that provides news, hacking tips and connections to hackers, Mr. Tobok said.

Another domain name that someone named Karim Baratov held in 2013 and 2014 was Infotech-team.com.

That site is no longer online, but an archived version from November, 2013, shows a Russian-language Web page offering e-mail hacking services.

The site charged $30 to $50 and boasted that it received good online reviews and that the breach would be done without changing passwords so the victims would not notice they had been hacked.

The Infotech-team.com site even mentioned at the bottom of its page that it was copyrighted "by Mr. Kay."

The news site NetworkWorld.com identified two other domains registered by a Karim Baratov that led to web pages advertising hacking work.

One of the two, X2mail.net, was still owned this year by a Karim Baratov of Ancaster and still offered password hacking.

In its promotional text, X2mail.net claimed that there are legitimate reasons to hire a hacker: to recover a password from a breached account, to "check on a loved one" or an employee, to protect yourself from business competitors.

Mr. Tobok noted that the allegations against Mr. Baratov suggest he played a minor role in the Yahoo hack. "It takes higher security skills and depth of knowledge to conduct actual penetration into networks," he said.

Mr. Baratov left a broad digital footprint, both because of the domains he publicly registered, listing a phone number and home address in Ancaster, and because of his large social-media presence.

Until it was taken down on Thursday afternoon, Mr. Baratov's Instagram account documented a lifestyle punctuated by steakhouse dinners, cigars, martinis and Rolex watches. There were also shots of $100 bills, and dozens of photos of high-performance cars. One picture showed him holding a bottle of Barolo wine next to the steering wheel of a BMW.

"Most hackers and typical guys are 'hands behind the keyboard types' who don't drive around in fancy cars and post selfies in the fashion Mr. Baratov did. They are much more low-profile," Mr. Tobok said.7

Follow related authors and topics

Authors and topics you follow will be added to your personal news feed in Following.

Interact with The Globe