As you might have heard - the US government continues to go after hackers. Most of them are currently behind the Moscow curtain and are unlikely to face trial unless they step foot in the U.S.
However, moving on to places where some form of justice can be meted out, this week a Canadian hacker has plead guilty to a pretty creative cybercrime.
Karim Baratov, who apparently goes by two other names - Karim Akehmet Togbergenov and Karim Taloverov, is one of the 4 hackers that were charged with massive Yahoo data breach back in 2014. Actually, it was 2 hackers - Alexsey Belan and Karim Baratov, and two Russian intelligence officers from Russia’s Federal Security Service (FSB) - Dmitriy Dokuchaev and Igor Sushichin.
The US government went public with the names of these four wily cyber criminals in March and immediately arrested Karim, who was living in Canada.
The other three that were charged decided to hedge their bets in Russia, which appears to have worked out for them, as they cannot be extradited. It's neither shocking nor new, that Karim admitted to his involvement with the Russian government on this hack, where he was able to steal three billion Yahoo accounts.
What is surprising is how little punishment he is actually going to face.
He is being charged with nine counts total: this includes one count of conspiring to violate the Computer Fraud and Abuse Act and eight counts of 'aggravated identity theft'. Aggravated identity theft means that it will be used to commit certain criminal acts. Karim has the Russian government to thank for that. Every single piece of information may be used by them to engineer the next election meddling or worse.
So what is the consequence of this?
Karim could face about 70 to 87 months in jail for the first charge and another 24 months for the identity theft charges. He also agreed to pay a fine up to $2,250,000 to the Yahoo victims.
Another interesting fact here is that he is charged with only eight identity theft counts but the total damage that the two hackers did was to 3 billion accounts. What happened to the 2,999,999,992 accounts? Maybe they only stole partial information on those and didn’t steal their social security numbers or maybe it's just to ludicrous to actually accuse him of 3mil crimes?
It feels that Karim either paid out for a slick and rather well-thought of legal counsel or something is a little amiss. The whole point of "Aggravated Identity theft" is the potential of the crime, it's the Mastermind element and in other areas of the law, the Mastermind will always get the harsher penal punishment.
Alternatively we could be exaggerating the crime. Maybe it looks worse than it really was.
For example, Yahoo stated that the hackers were able to obtain user account information such as names, emails, phone numbers, birthdays and sometimes security questions. They were not able to obtain bank account details or credit card information.
If you had a Yahoo account you definitely should switch to Gmail. Just kidding, seriously, if you had a Yahoo account it’s time to change the password and the security questions. Also, make sure the birthday looks the same, who knows, those Russian hackers might have added a couple of decades to your age just for fun.
Bottom line is the evidence has suggested that the Russian government contracted Baratov to do their hack and even gave him specific targets they wanted to get their hands on. Since we can't punish the Russian government, we are only half punishing Baratov, quite a departure from standard U.S. treatment of patsies working for other governments.
Is this new lenient policy on punishing cross border cybercrimes a trend? Possibly, or there may have been much more going on behind the scenes. Unfortunately, like so many Russian – American political entanglements, we may never really know.