A Canadian man pleaded guilty in an American court Tuesday to nine charges stemming from a massive breach at Yahoo that authorities said was directed by Russian intelligence agents and affected about 500 million user accounts.
Karim Baratov appeared in a jail jumpsuit before a U.S. federal judge and entered the pleas to one count of conspiracy to commit computer fraud and eight counts of aggravated identity theft. He gave "yes" and "no" answers to questions from the judge about his pleas, but said nothing more.
He is scheduled for sentencing on Feb. 20.
U.S. law enforcement officials have called Baratov, 22, a "hacker-for-hire" and said he was paid by members of the Russian Federal Security Service, or FSB, to access more than 80 accounts.
The U.S. Department of Justice said Baratov used spearphishing schemes that would trick victims into entering their account credentials into webpages he built to appear to be from their webmail providers.
Once he obtained their log-in information, he would send it to his clients, the statement said.
"Cybercrime is not only a grave threat to personal privacy and security, but causes great harm to individuals who are hacked and costs the world economy hundreds of billions of dollars every year," district attorney Brian Stretch said in a statement.
"These threats are even more insidious when cyber criminals such as Baratov are employed by foreign government agencies acting outside the rule of law."
Baratov's lawyers told reporters outside court that their client hacked only eight accounts and did not know that he was working for Russian agents connected to the Yahoo breach.
"He's been transparent and forthright with the government since he got here," said lawyer Andrew Mancilla.
Baratov, a Canadian citizen born in Kazakhstan, was arrested in Hamilton in March under the Extradition Act after American authorities indicted him for computer hacking, economic espionage and other crimes.
In August, Baratov decided to forgo his extradition hearing to face the charges in California. His Canadian lawyer at the time said the move was to speed up the legal process.
Before going to the U.S., he was held without bail because an Ontario Superior Court judge ruled that he was too much of a flight risk to be released prior to the extradition hearing.
The judge also found that Baratov's parents would not make appropriate sureties since they had not been suspicious of their son's alleged activities while he lived under their roof.
Also facing charges are Russian agents Dmitry Dokuchaev and Igor Sushchin, who prosecutors say used the information they stole from Yahoo to spy on Russian journalists, U.S. and Russian government officials and employees of financial services and other private businesses.
Dokuchaev, Sushchin and a third Russian national, Alexsey Belan, were also named in the indictment filed in February, though it's not clear whether they will ever step foot in an American courtroom since there's no extradition treaty with Russia.
Though the U.S. government had previously charged individual Russian hackers with cybercrime, this was the first criminal case to name as defendants sitting members of the Russian Federal Security Service for hacking charges, the U.S. Department of Justice said.