Karim Baratov, in an undated photo posted to his Facebook account. (Source: Facebook)A Canadian man accused of participating in a massive hack attack against Yahoo has waived his right to an extradition hearing in Canada and is due to appear in U.S. court within the next two weeks, Canadian Broadcasting Corporation reports.
See Also: Effective Cyber Threat Hunting Requires an Actor and Incident Centric Approach
Karim Baratov, a 22-year-old Ontario resident, was arrested March 14 by local police under Canada's Extradition Act after an indictment filed in San Francisco federal court charged him with hacking into 80 Yahoo accounts. He faces up to 20 years in prison if convicted of all charges filed against him.
Baratov was one of four men indicted by the U.S. Justice Department on computer hacking, economic espionage and other criminal offenses tied to the hack of Yahoo in 2014, which exposed 500 million user accounts. The other three men are still at large, and were last known to be in Russia, the U.S. Justice Department said on March 15, when it announced the indictment.
U.S. prosecutors have accused Baratov of being a "hacker for hire." They have also accused two of the other suspects named in the indictment - Dmitry Dokuchaev and Igor Sushchin - of working for an intelligence unit that's part of Russia's state security service, the FSB, and being Baratov's handlers.
The FBI collaborates with the FSB on international cybercrime investigations.
The fourth man named in the indictment is Alexsey Belan, a Latvian who was arrested in Greece in 2013 on separate hacking charges. After he was released on bail, he fled to Russia, benefiting from "the protection afforded by Russian government officials, and from U.S. law enforcement's inability to reach him in Russia," according to the Justice Department's application for his arrest (see Russian Cybercrime Rule No. 1: Don't Hack Russians).
Held Without Bail
Baratov has been behind bars since his arrest. In Canadian court, the United States cited the example of Belan having fled Greek custody to argue that Baratov was a flight risk. An Ontario Superior Court judge denied Baratov's request for bail.
Now, Baratov's attorney, Amedeo DiCarlo, expects his client to be handed over to U.S. Marshals on September 8, but said at a press conference that the transfer could happen any time in the next two weeks. He's said in media interviews that his client is bored and wants to face the charges filed against him as quickly as possible.
"Go there, finish it there, let's get some lawyers and let's move on with this," DiCarlo told CBC News in a recent interview. "Keeping him here, I think, is just going to waste more time."
Baratov Could Face Additional Charges
Karim Baratov pictured at his home in Ancaster, Ontario, in an undated photo. (Photo: Facebook)On Friday, Justice Andrew Goodman warned Baratov that by waiving his right to an extradition hearing, the United States could bring additional charges against him, CBC reports.
Instead, Baratov could have consented to the extradition hearing, after which Canada's justice minister would have had 90 days to approve the suspect's transfer to the United States. Consenting would also have ensured that the United States could not later expand the list of charges against Baratov, but only prosecute him for the offenses detailed in its extradition request, under a principle of international law known as protection of specialty.
But Baratov signed the waiver in court, after which the judge ordered him to be transferred to U.S. custody, CBC reports.
DiCarlo, his attorney, could not be immediately reached for comment. But he's previously argued that his client did not know who he was dealing with or what he was doing, and claimed that the indictment does not accurately reflect his client's activities. He's also emphasized that waiving the extradition hearing is in no way an admission of guilt.
Furthermore, Baratov reportedly chose to waive the extradition hearing after receiving assurances from U.S. federal prosecutors. "We've had some fruitful discussions with the U.S.; I'm pretty confident the 'consent' route was the wrong way to go," DiCarlo told reporters after the Friday court hearing, CBC reports. "The waiver was the right way to go."
Baratov's lawyer Amedeo DiCarlo speaking to media outside of John Sopinka Courthouse @CHCHNews @morninglive #hamont pic.twitter.com/PRlDoD1UlF
Allegation: Russia Outsourced Hacking
Beyond Karim Baratov and two alleged FSB officers, Latvian Alexsey Belan has also been charged with helping to hack Yahoo in 2014.Yahoo issued its first public alert about the 2014 hack attack against it on Sept. 22, 2016. The search giant said it learned about the breach from law enforcement agencies.
Prosecutors have accused the FSB of ordering up the breach (see Outsourcing Cyber Espionage Landed Russia in Trouble).
"When the FSB officers, Sushchin and Dokuchaev, learned that a target of interest had email accounts at webmail providers other than Yahoo, including through information gained from the Yahoo intrusion, they would task Baratov to access the target's account at the other providers," according to the U.S. indictment. "When Baratov was successful, as was often the case, his handling FSB officer, Dokuchaev, paid him a bounty."
Russian authorities, however, have denied that the FSB was involved in the Yahoo hack.
Yahoo's Breach Epidemic
On Dec. 14, 2016, meanwhile, Yahoo said that it had discovered a separate breach, which it believed occurred in August 2013, that had compromised 1 billion accounts.
Yahoo had the misfortune to have discovered the 2013 breach, as well as the full extent of its 2014 breach, after Verizon offered to buy the struggling search giant for $4.83 billion in July 2016. News of the breaches threatened to derail the deal, and ultimately saw the purchase price reduced to $4.48 billion.
After the deal closed in June, Verizon removed Yahoo's leadership team, including CEO Marissa Mayer, during whose tenure the breaches had occurred (see Marissa Mayer Bids Adieu to Yahoo).
Verizon has been combining its AOL business with various Yahoo properties into a new subsidiary named Oath, led by Tim Armstrong, former CEO of AOL. Oautho includes HuffPost, Yahoo Sports, AOL.com, Tumblr, Yahoo Finance and Yahoo Mail, among other properties.