Karim Baratov, a 22-year-old Canadian born in Kazakhstan, is one of four alleged hackers named in a federal indictment for helping Russian intelligence officials break into numerous Yahoo and Google email accounts. Unlike the other suspects, however, Baratov appears to have worked as a sort of cyber-mercenary. Charging documents say he received thousands of dollars from the Federal Security Service, or FSB, to compromise targets.
Baratov, known cybercriminal Aleksey Belan and FSB agents Dmitry Dokuchaev and Igor Sushchin are accused of breaching Yahoo multiple times between 2014 and late 2016. The suspects allegedly used their access to the platform to enrich themselves and spy on business executives, journalists and foreign government officials.
The Justice Department said Wednesday in its indictment that Baratov was paid for his hacking services by Dmitry Dokuchaev, a credit card fraudster turned FSB officer who was arrested on treason charges by Russian law enforcement in December. Dokuchaev allegedly acted on the orders of his apparent superior, Igor Sushchin, a senior FSB officer.
A mysterious figure with a lavish lifestyle and notable social media following, Baratov was arrested by Canadian authorities on Tuesday. He remains the only suspect in custody.
Pictures posted on what appear to be Baratov’s Instagram and Facebook accounts show that he owned several exotic cars, lived in a single-family home in Ancaster, Ontario, and partied frequently. A profile image shows Baratov posing between a Mercedes and an Aston Martin. Both social media accounts were taken down at some point Thursday.
“I really think he’s the wild card in this,” said Ian Gray, a senior analyst at Flashpoint, a dark web intelligence firm. “Baratov and Belan’s involvement here I think shows where this case crosses into the dark web.”
Gray and his colleagues at Flashpoint have begun scouring the internet for traces of the Yahoo hackers’ past ventures.
The dark web, in the sense Gray means, consists of Tor onion services, which are reached through the Tor Browser. Tor wraps a user’s traffic in several layers of encryption and relays it through a chain of volunteer-run nodes, each of which strips one layer and learns only the previous and next hop, so no single node sees both where the traffic came from and where it is going.
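To make the relaying idea concrete, the following is an added toy simulation of layered (onion) routing; it is not part of the original article and not Tor’s actual protocol. It assumes a three-hop circuit (guard, middle, exit) with a pre-shared key per relay, uses a stand-in SHA-256 counter-mode keystream in place of a real cipher, and ignores authentication and circuit setup. The point it shows is the one in the paragraph above: each relay learns only its neighbours, and only the exit sees the destination and the plaintext.

```python
import base64
import hashlib
import json
import os

NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 in counter mode. Stand-in for a real cipher,
    unauthenticated and for illustration only (assumption, not Tor's design)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Add one encryption layer under `key`; nonce is prepended."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def open_layer(key: bytes, blob: bytes) -> bytes:
    """Strip one encryption layer under `key`."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


def build_onion(circuit, destination: str, message: str) -> bytes:
    """circuit: list of (relay_name, shared_key) ordered guard -> exit.
    The innermost layer (for the exit) carries the destination and message;
    each outer layer carries only the name of the next hop."""
    blob = json.dumps({"next": destination, "payload": message}).encode()
    blob = seal(circuit[-1][1], blob)
    for i in range(len(circuit) - 2, -1, -1):
        _name, key = circuit[i]
        layer = {"next": circuit[i + 1][0],
                 "payload": base64.b64encode(blob).decode()}
        blob = seal(key, json.dumps(layer).encode())
    return blob


def relay_step(key: bytes, blob: bytes):
    """What one relay does: peel its layer and learn only the next hop."""
    layer = json.loads(open_layer(key, blob))
    return layer["next"], layer["payload"]


def run_circuit(circuit, destination: str, message: str):
    """Forward the onion hop by hop and record what each relay can observe.
    Returns (observations, (final_destination, delivered_payload))."""
    observations = {}
    blob = build_onion(circuit, destination, message)
    prev = "client"
    for i, (name, key) in enumerate(circuit):
        next_hop, payload = relay_step(key, blob)
        observations[name] = {"from": prev, "to": next_hop,
                              "sees_plaintext": payload == message}
        if i == len(circuit) - 1:
            return observations, (next_hop, payload)
        blob = base64.b64decode(payload)
        prev = name


# Constructed sample circuit: fresh random keys per relay (assumption).
CIRCUIT = [("guard", os.urandom(32)),
           ("middle", os.urandom(32)),
           ("exit", os.urandom(32))]

if __name__ == "__main__":
    obs, delivered = run_circuit(CIRCUIT, "mail.example", "hello")
    for relay, view in obs.items():
        print(f"{relay}: from={view['from']} to={view['to']} "
              f"plaintext={view['sees_plaintext']}")
    print("delivered:", delivered)
```

Note the caveat a practitioner cares about: the exit relay does see the destination and, absent end-to-end encryption such as TLS to the final site, the plaintext. Tor hides who is talking to whom, not what is said to the last hop.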
Belan, Gray said, was known to frequent a hacking forum named InsidePro. Around 2012, Belan posted a message there seeking someone who could help with cracking password hashes and brute-forcing passwords, Gray told CyberScoop.
In 2013, the FBI added Belan to its most wanted list. U.S. law enforcement believes he previously hacked into three U.S. e-commerce companies based in Nevada and California.
Baratov, Gray said, was also active in the underground hacking community.
A website offering email hacking services, webxakep.net (an ordinary registrable domain rather than a Tor onion address), has been linked to an email address previously associated with Baratov, Gray told CyberScoop. The site, which invites prospective clients to contact its “experts” by typing a message into an unlabeled text box, remains online.
Hiring cybercriminals to carry out intrusions gives a foreign intelligence service a measure of plausible deniability for its operations, Gray said.
Vice News found that Baratov’s name and address were also listed in the domain registration records for seven websites. Several of those sites appear to be linked to spear phishing schemes similar to those described in the indictment.
Toronto Police and the Royal Canadian Mounted Police, in support of the FBI, conducted Baratov’s arrest.