Karim Baratov, a 22-year-old Canadian national, pleaded guilty to charges related to the FBI's investigation into the Yahoo 2014 data breach.
The US Department of Justice charged four men in this investigation in March 2017. Two are well-known cyber-criminals, while the other two are high-ranking Russian Federal Security Service (FSB) officers.
According to court documents, the two FSB officers, Igor Anatolyevich Sushchin, 43, and Dmitry Aleksandrovich Dokuchaev, 33, contracted the two hackers and offered money and/or protection in exchange for their services.
The one who carried out the actual Yahoo hack is 29-year-old Alexsey Alexseyevich Belan, aka "Magg," a Russian national still at large.
According to the FBI's investigation, Belan most likely spear-phished a Yahoo employee and gained access to a section of Yahoo's internal network, including Yahoo's User Database (UDB) and an administrative tool called the Account Management Tool (AMT).
Belan stole a copy of the Yahoo user database via FTP and provided a copy to the two FSB agents. He also used the Yahoo AMT to "mint authentication cookies," forging the session cookies Yahoo issued to logged-in users so he could access accounts without ever needing their passwords. Belan later discovered a method to create such cookies outside of Yahoo's internal network.
The trio used the database to target over 6,500 persons of interest. The FSB agents breached political targets while Belan hacked for profit.
The FSB agents' targets included Russian journalists, Russian and US government officials, employees of a prominent Russian cybersecurity company, and numerous employees of web providers whose networks the three wanted to exploit.
Belan also accessed the personal Yahoo accounts of employees at commercial entities, such as a Russian investment banking firm, a French transportation company, US financial services and private equity firms, a Swiss Bitcoin wallet and banking firm, and a US airline. Belan is also on the FBI's Cyber Most Wanted list, and has been on it since the list was created.
Baratov, the hacker who pleaded guilty, had a marginal role in the entire scheme. According to the DOJ, the FSB agents found Baratov on a hacker-for-hire website and reached out for his services.
They called on him when Yahoo users changed their passwords and they couldn't forge authentication cookies for those accounts, or when they needed to break into other, non-Yahoo accounts.
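To make concrete what "minting" a cookie means, and why a password change could defeat a minted cookie as described above, here is an added illustration in Python. It is not Yahoo's real cookie scheme and is not code from the investigation: it assumes a hypothetical server that signs cookies with an HMAC key and embeds a per-user password version in the signed payload. Anyone holding the signing key can mint a valid cookie for any user without knowing a password; bumping the user's password version on a password change invalidates every cookie issued before it.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Hypothetical signing key and user table, constructed for this example.
# An attacker who reaches the internal tool that signs cookies effectively
# holds the equivalent of SERVER_SECRET.
SERVER_SECRET = b"hypothetical-cookie-signing-key"
USERS = {"alice": {"password_version": 1}}


def _sign(payload: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, payload, hashlib.sha256).digest()


def mint_cookie(user: str, password_version: int, secret: bytes = SERVER_SECRET,
                issued_at: Optional[int] = None) -> str:
    """Produce cookie = b64(payload).b64(HMAC-SHA256(secret, payload)).

    Nothing here checks a password: whoever holds `secret` can mint a cookie
    for any user and any version they know (e.g. from a stolen user database).
    """
    if issued_at is None:
        issued_at = int(time.time())
    payload = json.dumps({"u": user, "v": password_version, "t": issued_at},
                         separators=(",", ":")).encode()
    tag = _sign(payload, secret)
    return "%s.%s" % (base64.urlsafe_b64encode(payload).decode(),
                      base64.urlsafe_b64encode(tag).decode())


def verify_cookie(cookie: str, secret: bytes = SERVER_SECRET,
                  max_age: int = 30 * 86400, now: Optional[int] = None) -> Optional[str]:
    """Return the user name if the cookie is valid, else None."""
    try:
        p64, t64 = cookie.split(".")
        payload = base64.urlsafe_b64decode(p64)
        tag = base64.urlsafe_b64decode(t64)
        data = json.loads(payload)
    except (ValueError, TypeError):
        return None
    if not isinstance(data, dict):
        return None
    if not hmac.compare_digest(tag, _sign(payload, secret)):
        return None  # tampered payload, or signed with the wrong key
    user = data.get("u")
    record = USERS.get(user)
    if record is None:
        return None
    if data.get("v") != record["password_version"]:
        return None  # password changed since minting: the cookie is dead
    issued = data.get("t")
    now = int(time.time()) if now is None else now
    if not isinstance(issued, int) or issued > now or now - issued > max_age:
        return None  # clock-skewed or expired
    return user


def change_password(user: str) -> int:
    """Simulate a password change: bump the version so every outstanding
    cookie for this user, legitimately issued or minted, stops verifying."""
    USERS[user]["password_version"] += 1
    return USERS[user]["password_version"]
```

The design point is that a stateless signed cookie is only as strong as the secrecy of the signing key and the data bound into it. Binding the password version ties cookie validity to an event the account owner controls, which is the property the narrative describes; storing sessions server-side and issuing only opaque random identifiers goes further, since a stolen key alone then cannot produce a session the server will recognise.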
Baratov used spear-phishing techniques, posing as various service providers, to trick users into handing over their passwords, and then used those passwords to access the victims' accounts.
The FSB agents asked Baratov to hack into over 80 email accounts, but it is unclear how many the hacker managed to breach. The FSB agents paid Baratov for each successful hack.
According to US officials, Google detected some of these attempted intrusions against Gmail accounts and reported them to the authorities.
Baratov was already in custody when the DOJ announced the charges back in March. The young hacker did not fight his extradition for long and eventually agreed to surrender to US authorities.
Baratov's sentencing hearing is scheduled for February 20, 2018. The hacker faces up to 16 years in prison, but a light sentence is expected following his guilty plea and marginal role.