The scheme targeted the email accounts of journalists and U.S. government officials, as well as employees of a French transportation company, a Swiss bitcoin wallet and an American airline. In some cases, it also targeted the accounts of their spouses and children.
Federal prosecutors in San Francisco say that starting in 2014, a team of hackers working for the Russian Federal Security Service, an intelligence and law enforcement agency, illegally accessed more than 30 million Yahoo accounts and several Gmail accounts, and stole data on more than 500 million Yahoo users.
The youngest of the group, a 22-year-old Canadian named Karim Baratov who sold his hacking services to Russian agents, pleaded guilty Tuesday to one count of conspiring to violate the Computer Fraud and Abuse Act, and eight counts of aggravated identity theft, according to the U.S. attorney’s office.
His alleged accomplices — three Russian nationals named Dmitry Dokuchaev, 33, Igor Sushchin, 43, and Alexsey Belan, 29 — remain fugitives and are believed to be in Russia.
“This case is a prime example of the hybrid cyber threat we’re facing, in which nation states work with criminal hackers to carry out malicious activities,” Paul Abbate, executive assistant director of the FBI’s Criminal, Cyber, Response and Services Branch, said in a statement.
Prosecutors said the hackers used several methods to break into accounts and conceal their steps. They leased servers in numerous countries, used virtual private networks and created accounts using false information, according to a federal grand jury indictment.
They allegedly tricked people into clicking on links or downloading attachments that triggered the installation of malware that gave the hackers access to a victim’s computer. Or they lured users into providing valid login credentials by sending emails that looked like they came from trustworthy senders.
The hackers also allegedly manually created account authentication “cookies,” which enable email providers to recognize a user who has previously logged into an account. That way, the user can access the account without having to reenter their password.
On their own computers, the intruders made it appear to Yahoo’s servers as if they’d logged in as the victim before, allowing them to gain access without entering a username and password.
Prosecutors say Baratov was directed by Dokuchaev to hack at least 80 email accounts, including 50 Google accounts, of people of interest to the Russian government agency.
The indictment alleged that Baratov sent Dokuchaev at least eight Gmail passwords, and that over the course of a year, Dokuchaev paid Baratov at least $1,000.
As part of his plea agreement, Baratov agreed to pay restitution to his victims and to pay a fine of up to $2.25 million with any assets left over, according to the U.S. attorney’s office.
Officials said he also admitted to hacking more than 11,000 email accounts for various customers, including the Russian Federal Security Service, since 2010, advertising his services through a network of primarily Russian-language hacker-for-hire Web pages.