The Canadian hacker who helped Russian agents by breaking into more than 11,000 Yahoo email accounts could spend the next eight years behind bars, if American prosecutors get their way.
The case against Karim Baratov entered its sentencing phase this week as both sides submitted to a California federal district judge their proposals for how long the hacker will remain on ice. He was convicted last year on one count of conspiracy to commit computer fraud and eight counts of aggravated identity theft.
The defense, understandably, is seeking a much shorter term of 45 months.
Last year, Baratov plead guilty to the nine counts after prosecutors showed how, between 2010 and 2017, he compromised and re-sold credentials for more than 11,000 email accounts. Among the buyers were representatives of Russia's FSB, who requested at least 80 specific accounts be hacked (Baratov has claimed he did not know his customers were FSB at the time).
Prosecutors argue that Baratov should receive a term of seven years and 10 months, citing the lavish lifestyle he flaunted online with the money he made hacking accounts.
Russian! spies! 'brains! behind!' Yahoo! mega-hack! – four! charged!READ MORE
"This is not a case of a teenager making an isolated mistake on the Internet out of curiosity. Rather, this is a case of the defendant making a profession out of breaking into the private lives of thousands of victims," the prosecutors say in their proposal [PDF].
"The defendant setup, operated, and grew a criminal hacker-for-hire business that gave his customers the ability (and provided a layer of concealment for their identities) to commit a whole spectrum of additional crimes (e.g. against the victims’ dignity, finances, safety, privacy, or other interests)."
Baratov's team, meanwhile, contends this was his first run-in with the law and he was in his teens for much of the alleged activity
"The Extenuating circumstances in the instant matter are plentiful. This is Mr Baratov’s first arrest. Additionally, Mr Baratov was under the age of 22 during the majority of the time that he hacked email accounts," they argue [PDF].
"No prior contact with law enforcement combined with Mr Baratov’s young age weigh heavily in favor of a low culpability calculation."
The defense is also raising the issue of jurisdiction. They claim that while he is charged for hacking targets within the US, most of his activity was against accounts located in Russia and hosted by foreign companies such as Yandex, meaning many of his crimes occurred outside of American jurisdiction.
Baratov is set to be sentenced by Judge Vince Chhabria on April 24. ®