March 15, 2017

“Between two evils, I always pick the one I never tried before.” -Karim Baratov (paraphrasing Mae West)

The U.S. Justice Department today unsealed indictments against four men accused of hacking into a half-billion Yahoo email accounts. Two of the men named in the indictments worked for a unit of the Russian Federal Security Service (FSB) that serves as the FBI’s point of contact in Moscow on cybercrime cases. Here’s a look at the accused, starting with a 22-year-old who apparently did not try to hide his tracks.

According to a press release put out by the Justice Department, among those indicted was Karim Baratov (a.k.a. Kay, Karim Taloverov), a Canadian and Kazakh national who lives in Canada. Baratov is accused of being hired by the two FSB officer defendants in this case — Dmitry Dokuchaev, 33, and Igor Sushchin, 43 — to hack into the email accounts of thousands of individuals.

Karim Baratov (a.k.a. Karim Taloverov), as pictured in 2014 on his own site, mr-karim.com. The license plate on his BMW pictured here is Mr. Karim.

Reading the Justice Department’s indictment, it would seem that Baratov was perhaps the least deeply involved in this alleged conspiracy. That may turn out to be true, but he also appears to have been the least careful about hiding his activities, leaving quite a long trail of email hacking services that took about 10 minutes of searching online to trace back to him specifically.

Security professionals are fond of saying that any system is only as secure as its weakest link. It would not be at all surprising if Baratov was the weakest link in this conspiracy chain.

A look at Mr. Baratov’s Facebook and Instagram photos indicates he is heavily into high-performance sports cars. His profile picture shows two of his prized cars — a Mercedes and an Aston Martin — parked in the driveway of his single-family home in Ontario.

A simple reverse WHOIS search at domaintools.com on the name Karim Baratov turns up 81 domains registered to someone by this name in Ontario. Many of those domains include the names of big email providers like Google and Yandex, such as accounts-google[dot]net and www-yandex[dot]com.

Other domains appear to be Web sites selling email hacking services. One of those is a domain registered to Baratov’s home address in Ancaster, Ontario called infotech-team[dot]com. A cached copy of that site from archive.org shows this once was a service that offered “quality mail hacking to order, without changing the password.” The service charged roughly $60 per password.

Archive.org’s cache of infotech-team.com, an email hacking service registered to Baratov.

The proprietors of Infotech-team[dot]com advertise the ability to steal email account passwords without actually changing the victim’s password. According to the Justice Department, Baratov’s service relied on “spear phishing” emails that targeted individuals with custom content and enticed the recipient into clicking a link.

Antimail[dot]org is another domain registered to Baratov that was active between 2013 and 2015. It advertises “quality-mail hacking to order!”:

Another email hacking business registered to Baratov is xssmail[dot]com, which also has for several years advertised the ability to break into email accounts of virtually all of the major Webmail providers. XSS is short for “cross-site scripting.” XSS attacks rely on vulnerabilities in Web sites that don’t properly sanitize data submitted by visitors, in things like search forms or anyplace else one might enter data on a Web site, before echoing that data back into the page.

In the context of phishing links, the user clicks the link and is actually taken to the domain he or she intended to visit (e.g., yahoo.com), but the vulnerability allows the attacker to inject malicious code into the page the victim is viewing.

This can include fake login prompts that send any data the victim submits directly to the attacker. Alternatively, it could allow the attacker to steal “cookies,” small text records that many sites place on visitors’ computers to recognize whether they have visited the site previously, as well as whether they have already authenticated to the site.
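The reflected-XSS pattern described above, as an added illustration that is not part of the original article or of any of the sites it names: a search page that echoes the visitor’s term unencoded, the same page with output encoding, and the HttpOnly cookie attribute that keeps injected script from reading the session cookie. The payload string is constructed for the example.

```javascript
// Added example (not from the original article). Pure functions, no server:
// shows how unencoded search input lets attacker-supplied markup run on the
// legitimate site, and how output encoding plus HttpOnly cookies blunts it.

// Vulnerable: the search term is interpolated straight into the page.
function renderSearchVulnerable(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// Escape the five characters that matter in an HTML text context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Hardened: same page, but the term is encoded before it lands in HTML.
function renderSearchHardened(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Coarse check used here to show the difference: does the rendered markup
// still contain something the browser would execute?
function containsActiveMarkup(html) {
  return /<script\b|\bon\w+\s*=|javascript:/i.test(html);
}

// Session cookie attributes. HttpOnly keeps document.cookie from exposing the
// session id, so even a successful injection cannot read it directly.
function sessionCookieHeader(sessionId, { httpOnly = true } = {}) {
  const attrs = ['Path=/', 'Secure', 'SameSite=Lax'];
  if (httpOnly) attrs.push('HttpOnly');
  return `sid=${encodeURIComponent(sessionId)}; ${attrs.join('; ')}`;
}

// Constructed sample input: a search term carrying the classic cookie-reading
// proof-of-concept, the kind of value a phishing link to the real domain would carry.
const constructedPayload = '<script>alert(document.cookie)</script>';

console.log(containsActiveMarkup(renderSearchVulnerable(constructedPayload))); // true
console.log(containsActiveMarkup(renderSearchHardened(constructedPayload)));   // false
console.log(sessionCookieHeader('constructed-session-id'));
```

Output encoding must match the context the data lands in (HTML text here; attribute, URL and JavaScript contexts each need their own encoder), and HttpOnly limits what a successful injection can read but does not prevent the fake-login-prompt variant.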

Archive.org’s cache of xssmail.com

Perhaps instead of or in addition to using XSS attacks in targeted phishing emails, Baratov also knew about or had access to other cookie-stealing exploits collected by another accused in today’s indictments: Russian national Alexsey Alexseyevich Belan.

According to government investigators, Belan has been on the FBI’s Cyber Most Wanted list since 2013 after breaking into and stealing credit card data from a number of e-commerce companies. In June 2013, Belan was arrested in a European country on request from the United States, but the FBI says he was able to escape to Russia before he could be extradited to the U.S.

A screenshot from the FBI’s Cyber Most Wanted List for Alexsey Belan.

The government says the two other Russian nationals who were allegedly part of the conspiracy to hack Yahoo — the aforementioned FSB Officers Dokuchaev and Sushchin — used Belan to gain unauthorized access to Yahoo’s network. Here’s what happened next, according to the indictments:

“In or around November and December 2014, Belan stole a copy of at least a portion of Yahoo’s User Database (UDB), a Yahoo trade secret that contained, among other data, subscriber information including users’ names, recovery email accounts, phone numbers and certain information required to manually create, or ‘mint,’ account authentication web browser ‘cookies’ for more than 500 million Yahoo accounts.

“Belan also obtained unauthorized access on behalf of the FSB conspirators to Yahoo’s Account Management Tool (AMT), which was a proprietary means by which Yahoo made and logged changes to user accounts. Belan, Dokuchaev and Sushchin then used the stolen UDB copy and AMT access to locate Yahoo email accounts of interest and to mint cookies for those accounts, enabling the co-conspirators to access at least 6,500 such accounts without authorization.”

U.S. investigators say Dokuchaev was an FSB officer assigned to the Second Division of FSB Center 18, also known as the FSB Center for Information Security. Dokuchaev’s colleague Sushchin was an FSB officer embedded as a purported employee and Head of Information Security at a Russian financial firm, where he monitored the communications of the firm’s employees.

According to the Justice Department, some victim accounts that Dokuchaev and Sushchin asked Belan and Baratov to hack were of predictable interest to the FSB (a foreign intelligence and law enforcement service), such as personal accounts belonging to Russian journalists; Russian and U.S. government officials; employees of a prominent Russian cybersecurity company; and numerous employees of other providers whose networks the conspirators sought to exploit. Other personal accounts belonged to employees of commercial entities, such as a Russian investment banking firm, a French transportation company, U.S. financial services and private equity firms, a Swiss bitcoin wallet and banking firm and a U.S. airline.

“During the conspiracy, the FSB officers facilitated Belan’s other criminal activities, by providing him with sensitive FSB law enforcement and intelligence information that would have helped him avoid detection by U.S. and other law enforcement agencies outside Russia, including information regarding FSB investigations of computer hacking and FSB techniques for identifying criminal hackers,” the Justice Department charged in its press statement about the indictments.

“Additionally, while working with his FSB conspirators to compromise Yahoo’s network and its users, Belan used his access to steal financial information such as gift card and credit card numbers from webmail accounts; to gain access to more than 30 million accounts whose contacts were then stolen to facilitate a spam campaign; and to earn commissions from fraudulently redirecting a subset of Yahoo’s search engine traffic,” the government alleges.

Each of the four men faces 47 criminal charges, including conspiracy, computer fraud, economic espionage, theft of trade secrets and aggravated identity theft.

Dokuchaev, who is alleged to have used the hacker nickname “Forb,” was arrested in December in Moscow. According to a report by the Russian news agency Interfax, Dokuchaev was arrested on charges of treason for allegedly sharing information with the U.S. Central Intelligence Agency (CIA). For more on that treason case, see my Jan. 28, 2017 story, A Shakeup in Russia’s Top Cybercrime Unit.

For more on Dokuchaev’s allegedly checkered past (Russian news sites report that he went to work for the FSB to avoid being prosecuted for bank fraud), check out this fascinating story from Russian news outlet Vedomosti, which featured an interview with the hacker Forb from 2004.

In September 2016, Yahoo first disclosed the theft of 500 million accounts that is being attributed to this conspiracy. But in December 2016, Yahoo acknowledged a separate hack from 2013 had jeopardized more than a billion user accounts.

The New York Times reports that Yahoo said it has not been able to glean much information about that attack, which was uncovered by InfoArmor, an Arizona security firm. Interestingly, that attack also involved the use of forged Yahoo cookies, according to a statement from Yahoo’s chief information security officer.

The one alleged member of this conspiracy who would have been simple to catch is Baratov, as he does not appear to have hidden his wealth and practically peppers the Internet with pictures of the six-figure sports cars he has owned over the years.

Baratov was arrested on Tuesday in Canada, where the matter is now pending with Canadian authorities. U.S. prosecutors are now trying to seize Baratov’s black Mercedes Benz C54 and his Aston Martin DBS, arguing that they were purchased with the proceeds from cybercrime activity.

A redacted copy of the indictment is available here.

Update, Mar. 16, 5:20 p.m. ET: A previous caption on one of the above photos misidentified the make and model of a car. Also, an earlier version of this story incorrectly stated that Yahoo had attributed its 2013 breach to a state-sponsored actor; the company says it has not yet attributed that intrusion to any one particular actor.


31 thoughts on “Four Men Charged With Hacking 500M Yahoo Accounts”

  1. SB

    Surely the car pictured is a BMW and not a Merc? Great article though!

  2. Dave

    The car pictured in the photo is a BMW, not a Mercedes.

  3. Zinc Whiskers

    That’s a Beemer in the photo, not a Merc…

  4. IRS iTunes Card (real)

    Thanks for posting this article !

  5. Paul G

    Brian,

    Having just finished your book, Spam Nation, and now this…you’ve rekindled my passion as an ethical hacker and Infosec engineer 🙂

    Your work is greatly appreciated,
    Paul
    @netlocksecurity

  6. Richard Bartel

    Karim / Taloverov might be at 1243 W King St Apt 106 or Apt 301
    York, PA 17404-3459/3463

    Richard Bartel
    Cyber Investigator
    PO Box 40051
    Arlington, VA 22204
    (410) 903-2759

  7. cthulhu

    You got the Mercedes in the caption but missed the one in the paragraph.

  8. David

    So yet again, these ‘master cyber criminals’ are totally incompetent when it comes to hiding their own identities on the web!

  9. kurtyoik

    BMW is a great car.
    But maintaining a BMW is expensive; that’s why you need to steal,
    because a BMW is not cheap.
    In Russia and Eastern Europe, the BMW is the car that criminals drive.
    In Russia there is even a song, Bumer, and a movie named Bumer.
    And BMW knows who its customers are.

    1. phread

      In America, you drive car. In Soviet Russia, car drive you!
      -Y.S.

  10. wtff

    Wtf? The FSB protected those guys. But it was a lie.
    It’s like the feds offer you protection, but in the end you’re in prison.
    Same thing with drugs.
    Poor hackers are just other victims.

  11. NoTalentHack

    Hi Brian,
    Thanks for another great article. But can you clarify this sentence:

    “Dokuchaev’s colleague Sushchin was an associate of FSB officer was embedded as a purported employee and Head of Information Security at a Russian financial firm, where he monitored the communications of the firm’s employees.”

    What exactly is Sushchin? An FSB officer undercover in the financial firm? And how does that relate to the Yahoo hack?

    1. BrianKrebs Post author

      There were a few extra words in that sentence that might have confused things. I’ve fixed that, thanks.

      As I described at length in my book, Spam Nation, it is very common for decent-sized companies in Russia to have at least one FSB person on their payroll. There are all kinds of rationales for why this is the case, but one of the more believable is that the FSB officers offer what’s called “krusha” or “roof” in Russian, which refers to providing a company legal protection from extortion and other criminal activities.

      1. JasonR

        So protection from protection? Sounds like a racket.

      2. Who is your "Krisha" Brian

    Who is your “KRISHA,” Brian? Is it the FBI or PD or NSA or CIA, or maybe all of them?
    Frankly speaking, every US business has a “krisha”; it’s called the POLICE. Simple as that!!!
    The only difference is that in the US you don’t have to pay the POLICE for protection; in Russia it works better if you have police officer(s) on the payroll. (They will arrive faster.)

  12. Mike

    Things have come a long way since those days of chatroom booters (or have they?).

    I walked away from yahoo many years ago to pursue a more lofty goal and deeper interests. If my accounts even still exist, they can do with them as they please.

    As for the cars….
    Well, everyone has ‘their thing’.

    My only real concern at this point is with the fact that the ONLY thing everyone else is concerned about is the hackers. No one seems all that interested in holding Yahoo accountable. As long as ‘the hackers’ are taken down, everything else is business-as-usual.

    lol…..where are the updates and patches to protect people from this issue?

  13. Phoenix

    Speaking of hacking, I think somebody has hacked into the proxyvote website, the site used to vote corporate shares. I don’t advise trying it. It comes up with a page that wants to fix your computer’s time and date.

  14. Ari Trachtenberg

    Any chance that Dokuchev is related to Stuxnet-Doku?

  15. Igor Artimovich

    Dokuchaev is the same hacker as you are a journalist, Brian. He’s in a Russian prison together with Mikhailov. State treason, have you forgotten, Brian? This shows a petty attempt by American authorities to free the person who was working for them.

    1. Igor Artimovich

      You can try to translate this topic http://www.crutop.nu/forum/index.php?threads/85852/#post-1058568 Red Friend (aka Pavel Vrublevsky) wanted to buy some information about a known webmaster for Mikhailov. Red Friend perfectly knew what activity Mikhailov was engaged in. That’s rather strange for such a petty crook as Vrublevsky to know what happens in the organization where Mikhailov was an employee. So he wrote about their joint activity.

  16. Stephen Cobb

    Thanks Brian – best coverage of the indictments I’ve read, but no surprise there 🙂

    Like many cybercriminals, Mr. Karim does not appear to be the kind of hardened crook who refuses to cooperate with the authorities. And unless his co-conspirators used above-average compartmentalization, he may have a lot of beans to spill.

    Keep the news coming…Stephen

  17. Steve Carr

    Wikileaks may have finally opened up people’s eyes to what is really going on in our world. Wake up, people, save our country now or it’s over. Also a safe search engine that doesn’t track you, a good old-fashioned private search engine: Lookseek.com. Have an awesome day.

Comments are closed.