The amazing rise and fall of a 22-year-old millionaire hacker

As a teenager, Karim Baratov made millions breaking into email accounts. When a Russian spy asked him for help with a massive Yahoo hack, he was flattered. He didn’t realize the FBI was watching his every move

Toronto Life - Front Page - By Michael Lista

As a kid, Karim Baratov spent too much time on his computer. He was bright but undisciplined, and he was hypnotized by that machine. Baratov believed school was a waste of his time, its educational benefits next to nil, and good for little more than socializing. His grades weren’t great, but not because he was stupid—far from it. He was just too busy with his online world to study, sometimes even to show up to class. At one point, he almost flunked out of high school.

In 2007, at age 12, he emigrated from Kazakhstan to Canada with his parents, Akhmet and Dinara, and older sister, Sabina. They settled in Ancaster, the picturesque Hamilton suburb, buying a large brick home with a two-car garage in the affluent Meadowlands neighbourhood. Baratov’s father was a veterinary biologist at a company called Vetaktiv. His mother worked as a nurse in Dundas. Kazakhstan does not permit dual citizens, so in 2011 the entire family renounced their Kazakhstani citizenship to become Canadian.

Baratov was boyish and clean-cut, with cherubic cheeks, shapely eyebrows and a neat hairline terminating in a widow’s peak. He had a gift for coining aphorisms, sometimes motivational and sometimes sullen. “Life does not have a remote,” he once tweeted. “Get up and change it yourself.” He had a hard-nosed tenacity, and he clung to the idea that people make their own luck. At the same time, he could be silly and immature, with a fondness for “your mom” jokes.

When Baratov was 12, he taught himself to code—the hobby of a brilliant but lonely boy in a new country. A year later, he made his first dollar on the web. One day, someone he described online as a “random wealthy woman” reached out to him to do some work—he kept the exact nature of that work hidden from his friends and family. When he finished, she asked how much she owed him. At first he refused to take her money, but eventually, at her insistence, Baratov accepted $200, which seemed to him a fortune. He decided he’d never work for free again.

Over the next few years, he registered over 80 websites to his name. Some of these sites provided hacking services, offering customers access to any email inbox they wanted. They were making him rich. By 14, he claimed to be earning more than both of his parents combined. By 15, he reportedly made his first million. He spent his money lavishly. He had two Rolexes and a taste for Armani, but it wasn’t until he started collecting cars that people wondered where the cash was coming from. To call him an aficionado wouldn’t do justice to the rapaciousness of his obsession. His first car, which he got while he was still in high school, was a Mercedes. He went on to buy a BMW, which he regretted because it depreciated too quickly. He acquired a white Audi, then swapped it out for a Porsche. There was another Mercedes and an Aston Martin. He held on to the baby-blue Lamborghini Gallardo for almost a year before getting bored with it. He usually affixed one of his two trademark vanity plates to his cars: “Mr Karim” or “Karrrim.”

Baratov was coy about the nature of his labour but fulsome about its fruit, driving his cars through the neighbourhood and uploading their images to the web. It was as if he couldn’t help but show off how lucrative his secret was. On Instagram, where he identified as an entrepreneur, a programmer, a web developer and a workaholic, he posted photos of the luxuries he showered upon himself. When someone asked how he was able to afford his cars, he’d chalk it up to good luck. After a commenter asked him if he was a Russian assassin, he quipped sarcastically: “How did you know?” Some of the social media accounts were in his own name, with photos of his cars parked in his parents’ driveway. Others were under half-hearted aliases—Karim Taloverov, Kay or Karim Akehmet Tokbergenov. He had a tattoo that ran down his forearm, a bit of binary code that spelled “Karim.”

When Baratov was 20, he purchased a large detached home at 56 Chambers Drive for $642,500: it had double front doors, a closed-circuit security feed, a two-car garage where he parked his supercars and a little garden out front with a Japanese maple. It was less than two kilometres from his childhood home, and even after he moved in, he still ate dinner with his parents most nights. Baratov spent a great deal of time field-testing his whips, putting his cars through their paces. He rarely went further than the parking lot of the local grocery store, an eight-minute drive from his folks. A stranger on an Internet forum once asked him, “What’s the prettiest city you have ever been to?” Baratov answered, “Meadowlands”—the subdivision where he lived. He could afford exotic things, but he preferred them close to home. He worked in secret but wanted desperately to be acknowledged. And while he could travel faster than anyone he knew, he didn’t have anywhere to go.

The proto-hacker subculture was born in the early 1960s, when MIT’s Tech Model Railway Club designed, built and managed a model train set so huge it filled an entire room. According to author Steven Levy in his book Hackers, two kinds of kids joined the club. One was the world-builder, who assembled and painted the trains and the towns they travelled through: little homes next to water towers, streetcars with their pantographs hooked up to catenary wires, pretty blocks and bad industrial neighbourhoods that formed little cities—our whole world in miniature. The other kind of student was more interested in what was underneath the town, a snaking nest of electrified wires and exchanges called the System, which powered and controlled the world above. When one of them found a clever fix to a traffic problem, they called the solution a “hack.”

A hack could be witty, elegant, even beautiful, and its purchase exceeded its utility. For the railway club members, designing hacks became so central to their identities that they started calling themselves “hackers.” The first hackers applied the skills they’d acquired on model train sets to the early punch card computer programs they had access to at MIT. By the time the predecessor to the Internet, ARPANET, arrived on campus in 1969, its most savvy users were hackers.

Decades later, the Internet now resembles the System undergirding the towns in the model railway club. The more connected we are, the more of ourselves we upload, the more powerful a hacker becomes, tinkering with real cities instead of miniatures. But the anarchic, decentralized, egalitarian, radically transparent techno-utopia those early idealists envisioned is transforming into a near-eradication of privacy. What they conceived as a mechanism for liberation works just as easily as a means of indenture. The Internet has allowed hacking to transform into a radically new kind of crime—where an assailant can ruin someone’s life from his mom’s basement, a continent away. For many hackers, privacy is the enemy of freedom.

The same tools that hold governments to account can also be used by the state to surveil its people, or by one citizen to steal another’s identity. Government hackers, for example, see cyberwarfare as the most revolutionary battlefield innovation since the airplane. State-sponsored attacks include the Stuxnet worm, which significantly damaged Iran’s nuclear capabilities, and, of course, the likely Russian interference in the American election. Anti-government hackers—righteous whistle-blowers like Chelsea Manning and Edward Snowden—espouse a techno-libertarianism that dovetails with the original ethos of the early utopians. But the vast majority of modern hackers are thieves. For every whistle-blower, there are three pickpockets. These are the types that would have joined MIT’s railway club in the ’60s: precociously smart and introverted, often unpopular and hungry for attention, with their hands on the levers of the world.

Karim Baratov registered his first website in 2007, using his real name. The site, now archived, was called WebXakep.net, which translates from Russian as WebHacker.net. Like his binary tattoo, it was a cypher in plain sight.

The site was in Russian, Baratov’s second language after Kazakh. In a half-dozen text fields, clients could order their hacks. First, they’d enter the email address they wanted to access, then answer a series of questions. How often does the target check their mailbox? Does the client have physical access to the target’s computer? Then the client would enter his or her own contact information and choose the method of payment—hacks cost $90, and the site accepted PayPal, Visa, MasterCard or Western Union. When the client had filled out the fields, he’d click a button that reads: “Order hacking mail!” The site was oddly congenial, with sections explaining how visitors could protect themselves against the very services it offered. Don’t make your passwords too short or too personal, it warned. “And most importantly, be very careful of emails that appear to be from administrative or technical support departments from the webmail company itself.”

Baratov was spear phishing, which is one of the easiest ways to break into email accounts. Spear phishing allows a hacker to gain access to a mailbox without changing its user’s password, rendering the intrusion all but invisible. Baratov would register an account on the same server as the target, creating an address that, at a glance, looked like official tech support. Most email users have never interacted with the administrative or security departments from their webmail company, and so when they’re asked to click a link, or reset their password, they do. Baratov would send his clients photos of the desired inboxes, and only then was payment required. Once he’d gained access, he’d turn the targeted inbox over to his clients, who could do with it whatever they liked. It was the same kind of hack used to gain illegal access to the emails of Hillary Clinton’s campaign chairman, John Podesta, exposing his now famous risotto recipe, sending a gunman into a pizza parlour in Washington, D.C., and quite possibly costing Clinton the 2016 election.

It took Baratov five minutes to hack a single account, and he had dozens of sites like WebXakep registered in his name. With a full workload dedicated just to hacking emails, Baratov could have made as much as $1,000 an hour. He hired bloggers to produce content linking to his sites, buoying them to the top of search engine results. On WebXakep, there were also two links to interviews, conducted by a Russian news organization in 2011. In the first article, the anonymous web hacker (likely Karim Baratov) claimed to have led the infiltration of the blog of Sergei Mavrodi, an infamous fraudster commonly called the Bernie Madoff of Russia, whose company, MMM, had bilked 40 million people out of almost $10 billion. He said it took him 10 minutes to crack the blog and that he charged $60.

In the second article, now enjoying his notoriety, he opened up about the secret world of cybercrime. Who were his clients? “Jealous couples, vindictive people, curious people,” he said. There were wives who didn’t trust their husbands, boyfriends who needed to know who their girlfriends were emailing, policemen, generals and, in one case, the loved ones of a man who’d gone missing. How could he get away with it? The authorities aren’t interested in hackers targeting civilian email accounts, Baratov said, because the FBI and the FSB—the Russian Federal Security Service, the spy agency that succeeded the KGB—are preoccupied with murderers, rapists and terrorists. And then the Russian journalist asked who he was. The hacker said that his name was Karim, and that his homeland was the Internet.

While Karim Baratov was building his business in 2012, Yahoo suffered its first major data breach. It was the work of the hacker collective D33Ds Company, who saw themselves as good samaritans out to warn an easy mark. They were able to compromise 450,000 accounts by cracking flimsy, outdated encryption. They left Yahoo a note that read: “We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call.” But Yahoo did little to implement a mechanism that could register these kinds of infiltrations. A second massive breach, in 2013, compromised three billion accounts.

Yet another attack arrived in 2014 at the company’s corporate headquarters on 1st Avenue in Sunnyvale, California, a sprawling campus of glass atriums and cantilevered canopies. According to court documents, the hack was organized and launched 10,000 kilometres away, in Moscow’s Lubyanka Building, the grand yellow-brick office block that houses the FSB. The Kremlin categorically denies any involvement with the hack, but the FBI believes that the two men who spearheaded the intrusion were FSB officers—Russian spies—assigned to the elite Centre 18, the agency’s Centre for Information Security. One was Dmitry Dokuchaev, a stout 33-year-old Russian with a messy haircut, blue eyes and a mouth that curls paradoxically down into a frown when he means to smirk, giving his smile the appearance of a turncoat. The other was Dokuchaev’s boss, Igor Sushchin, who’s thin-lipped and hollow-cheeked, and wears his blond hair parted down the middle.

Their goal was to gather intelligence, and their targets were both political and financial. Sushchin and Dokuchaev soon recruited a third man for the job, Alexsey Belan, a 30-year-old Latvian freelancer and one of the most notorious criminal hackers on earth. Belan, who went by the online alias Magg, had been indicted in 2012 and 2013 by courts in Nevada and northern California for hacking into three American e-commerce companies. He was arrested in 2013 in Greece, but just as he was set to be extradited to the States to stand trial, a Greek court granted him bail. He vanished, fleeing to Russia. Belan appeared on the FBI’s list of most wanted cybercriminals—they were offering $100,000 for information leading to his arrest—and he was the subject of an Interpol Red Notice. Instead of arresting him, the Russians hired him. Sushchin and Dokuchaev taught him FSB techniques to avoid detection and seek out other hackers. And then in early 2014, they put Belan to work.

The group allegedly leased servers in various countries and used virtual private networks to hide their origins. Belan was looking for two things that, together, could unlock every Yahoo webmail account. The first was the user database, or UDB, the master list that holds all the user registration information for every account—names, alternate email addresses, phone numbers, the questions and answers to password recoveries. For each email address, the UDB recorded something called its “nonce,” a digital fingerprint associated with each account that morphed only when a user changed their password. The second thing Belan was looking for was the Yahoo account management tool, or AMT, which allowed Yahoo to access, track and edit the data stored in the user database. From his hiding place in Moscow, Belan logged secretly onto the Yahoo servers and went hunting for both the UDB and AMT.

By late 2014, he’d found both. In early December, authorities say, he downloaded a portion of the Yahoo user database onto his computer, including the nonces. He uploaded software that allowed him access to the AMT while simultaneously covering his tracks. Next, he used a tool that allowed him to fraudulently mint cookies. A cookie is a tiny bit of information that records when you’ve been to a website; in webmail it’s used to keep you logged into your inbox. Suddenly, Dokuchaev, Sushchin and Belan could access any Yahoo webmail account they wanted without even entering or changing a password. To Yahoo, their logins looked valid and were all but undetectable.

The trio had access to some 500 million accounts, and investigators say they logged into roughly 32 million inboxes. They broke into accounts belonging to Russian politicians who were critical of Vladimir Putin—citizens, diplomats, ministers, current and former government officials, and those from neighbouring states. They accessed the accounts of Russian journalists, including an investigative reporter at Kommersant, a daily newspaper. They gathered intelligence on a consultant who was researching Russia’s bid for membership in the World Trade Organization.

The breaches also targeted everyday people. Kimberley Heines from California connected her Yahoo account to a service called Direct Express, through which she collected her Social Security payments. In 2015, she realized that her benefits were being stolen. She couldn’t pay her bills, and she was hounded by collection agencies for purchases she didn’t make. Another Californian, Paul Dugas, had four Yahoo accounts, and when he went to file his taxes online, he was informed that a tax return had already been filed in his name. As a result, he was unable to apply for financial aid for his daughter’s university tuition. Most terrifying of all, Dokuchaev and Sushchin accessed the accounts of U.S. government officials, members of the military, cybersecurity personnel and even White House officials in the Obama administration.

Amid the treasures they found in the hacked Yahoo accounts, they also found victims’ email addresses from other webmail companies, like Gmail. And so in the fall of 2014, Dokuchaev, the spy with the upside-down smile, found the final member of their team, a person with a reputation for breaking into Gmail accounts. His name was Karim Baratov.

By 2015, Baratov was living at the house he’d bought for himself. He was his own man now, 20 years old, finished high school and focused on the hacking business he’d built from the ground up. He wasn’t hard to find.

He had a routine: he’d wake up at 7 and work for an hour and a half before heading out to the gym. He was a gym rat, with muscles that flexed and bulged under his proliferating tattoos. He did weights and whey, and put his pipes to the test in arm-wrestling matches that he recorded and uploaded to a YouTube channel called Iron Hands. After dinner with his parents, he’d be home by 11 to do another two or three hours of work before heading to bed.

Dokuchaev introduced himself as “Patrick Nagel” and asked for the standard Baratov job at the standard Baratov price, now up to $100. Karim was likely being swept into something more powerful than he could understand. A good number of Dokuchaev’s targets were Russian government and intelligence assets. He wanted the email address of the deputy chairman of the Russian Federation, one of the government’s top politicians, Yury Trutnev. He wanted access to the inboxes of three high-ranking employees at one of Russia’s leading cybersecurity companies. He tasked Baratov with hacking into the email of an officer from Department K at Russia’s Ministry of Internal Affairs, which investigates cybercrime. Baratov was helping Dokuchaev spy on his colleagues. He didn’t have special skills the others lacked—he was probably the least talented of the four hackers. But he had a Canadian IP address. By employing Baratov, the agents seemed to be putting distance between themselves and the hack, creating wiggle room for plausible deniability. In all likelihood, Baratov was a patsy.

When Baratov would get into the desired inbox, he’d send Dokuchaev a screen grab. Dokuchaev’s payments went through Baratov’s WebMoney and PayPal accounts. The PayPal account was registered to Karim Baratov using a thinly veiled email address, karim@taloverov.com. It linked to an RBC account under the same name. Every financial instrument led back to Baratov. Authorities say that he attempted to hack about 80 email accounts for the FSB and charged $100 for each. That means that for his part in one of the largest data breaches in history, Baratov might have made only $8,000.

For two years, Dokuchaev and Baratov worked in secret. The warnings were there: in the summer of 2016, a group of hackers from eastern Europe claimed to have Yahoo account information on 200 million users and offered it for sale on the dark web. In August, an independent intelligence officer at an Arizona-based cybersecurity company warned Yahoo, but the company dismissed him as a false Cassandra. Yahoo would later admit in SEC filings that their security team had known that the user database was compromised as early as 2014, but that senior executives didn’t fully understand or investigate the extent of the damage.

At some point along the way, the FBI launched an investigation into the breach, identifying Baratov and his associates as the perpetrators. Two years after Belan first infiltrated its servers, Yahoo finally revealed that it had been the victim of a series of colossal cyberattacks. Its stock fell six per cent in a single day. Verizon, which was in the process of buying Yahoo for $4.8 billion, cut the company’s valuation by $350 million. No one was sure if the deal would still go through, and there was talk of a mass exodus of users from Yahoo.

Baratov had been walking into a trap. He was the easiest member of his team to track, the weakest and most vulnerable link in their chain, and the only one within the reach of the U.S. government. What’s more, Dokuchaev, the Russian spy with a turncoat smile, was likely a double agent, turned by the Americans and working for the CIA. In December of 2016, the FSB arrested him for treason.

Before Baratov could appreciate how much trouble he was in, the net descended on him. On February 28, 2017, a grand jury in San Francisco indicted the four men—including Dokuchaev, perhaps to keep his cover—and a warrant was issued for Karim Baratov’s arrest. Four days later, early in the morning, members of the Toronto Fugitive Squad arrived at 56 Chambers Drive. Baratov would have been able to see them coming for him over his closed-circuit camera feed. They took him into custody, walking him down his driveway. Of the four conspirators, the only man to be arrested was the one who had the least to do with the hacks—his alleged co-conspirators were still in Russia and out of the FBI’s reach. The police seized $30,000 in cash from a safe in Baratov’s house, $914 from his wallet, and his last Mercedes and Aston Martin from the garage.

When Baratov was arrested, his parents petitioned the court to bail him into their custody, putting their own home up as surety, along with the $10,000 cash that constituted their life savings, offering to have Karim wear an electronic ankle bracelet and promising not to let him anywhere near a computer. It was no use. In August, he went to California to stand trial. He has pleaded guilty to eight counts of aggravated identity theft and one count of conspiracy to commit computer fraud and abuse. He claims he had no idea he was working for Russian spies. His sentencing is scheduled for February, and prosecutors are expected to seek a prison term of seven to nine years.

Both Baratov and his family declined to speak to Toronto Life for this article. One cool morning in September, I drove out to his parents’ home in Ancaster. Walking up the driveway, I noticed a little brass sign on their front door that they’d put up recently, a bulwark against the curiosity crowding in upon their home. It read, “No agents, peddlers or solicitors.” All they wanted was what their son had stolen from so many others: their privacy.

The only man the FBI arrested was the one who likely had the least to do with the hacks. Baratov pleaded guilty in November

The FBI has accused Karim Baratov of colluding with, from top, Russian spies Dmitry Dokuchaev and Igor Sushchin, and Latvian hacker Alexsey Belan in the Yahoo breach

The hack infiltrated the Yahoo campus in Sunnyvale, California

Baratov, shown here at the Niagara Escarpment, never planned to leave his hometown of Ancaster

Karim, with his mother, Dinara, bought his own house less than two kilometres away from his parents but continued to eat dinner with them most nights

He spent his earnings on lavish supercars, like this Mercedes

Baratov arrived in Canada in 2007 and quickly taught himself to code. By the time he was 15, he’d made his first million

Baratov’s parents, Akhmet and Dinara, arrive at their son’s Toronto court appearance in July 2017 with one of his lawyers, Deepak Paradkar
