SAN FRANCISCO — Just past 8 a.m. on March 14, police trod quietly through the snow to the double-fronted doors of Karim Baratov’s lavish home in Ancaster, Ontario. The officers passed by the garage where Baratov’s jet-black Mercedes Benz and Aston Martin DBS were parked, two of the only outward indications that the 22-year-old had money to spend. Minutes later, they took the Canadian-Kazakh hacker away into custody — a subdued end to an international cyber drama that involved the highest levels of the US government, Russian spies, a global cybercrime syndicate, and hundreds of millions of unsuspecting Americans.
The baby-faced Baratov is currently awaiting trial in the US on charges that he helped hack into half a billion Yahoo accounts — the largest known hack in history. His co-conspirators are Alexsey Belan, 29, a notorious Russian hacker still at large, and two Russian intelligence officers, Dmitry Aleksandrovich Dokuchaev, 33, and Igor Anatolyevich Sushchin, 43. The case against them is the starkest public example of the ways in which the Russian government works with cybercriminals to achieve its global agenda through cyberwarfare, and why those attacks have proven so difficult for governments around the world to track, let alone prosecute.
Baratov, according to accounts given by US law enforcement, was a hacker for hire. It appears he simply took the wrong job.
“The Yahoo hack is a great example of the US government coming forward and saying we know what you are doing and we can prove it,” said Milan Patel, the former chief technology officer of the FBI’s cyber division and now managing director at the K2 Intelligence cybersecurity firm. “In the past the US and Russia engaged in a lot of tit-for-tat covert operations. But with Russia now, a lot is coming to the forefront and being made public about how they run their cyberactivities.”
“We would tip them off about a person we were looking for, and they would mysteriously disappear, only to appear later on working for the Russian government.”
That’s not always how it was. In the mid-2000s, FBI agents tried to work with their counterparts in the FSB, Russia's Federal Security Service, to investigate hackers, with regular bilateral meetings featuring US and Russian agents working together in the hope that the two countries could stem the growing tide of online crime. At least that’s how the Americans saw it.
“We would tip them off about a person we were looking for, and they would mysteriously disappear, only to appear later on working for the Russian government,” Patel said. “We basically helped the FSB identify talent and recruit by telling them who we were after.”
The arrest of Baratov and his co-conspirators signals a broader US government crackdown on Russian cybercriminals. For years, cybersecurity researchers and US authorities have traced the ties between cybercriminals and the Russian state, including how malware first developed for criminal enterprises has made its way into state-sponsored cyberattacks on Russia’s neighbors, and how botnet armies created by hackers have been repurposed to launch attacks on Russian targets. Now, they appear ready to strike. Earlier this month, Spanish authorities acting on behalf of the US arrested Pyotr Levashov, long known to authorities as one of the world’s most prolific spam kingpins. Five months ago, the US named a number of well-known Russian hackers as being behind the hacks on the Democratic National Committee, which they say were aimed at influencing the US elections. For those following the murky dealings of the world’s top hackers, the names did not come as a surprise. What was new was the willingness of US officials to publicly name the hackers, and to aggressively pursue Russian cybercriminals who aid Russia’s increasingly aggressive strides into cyberwarfare.
"Russia is playing with different rules — or maybe just without rules."
Three Russian hackers told BuzzFeed News over the last month that there was “panic” about how far the arrests would go, and for how long hackers would be pursued by US authorities. US security officials told BuzzFeed News that they would do well to be scared, as “the gloves were coming off” with Russian hackers.
“We’ve reached a boiling point with Russia. They are the closest competitor to the US when it comes to cyberespionage and cyberattacks,” Patel said. “But Russia is playing with different rules — or maybe just without rules.”
Ask Americans to describe a typical Russian hacker who targets the US and they will likely describe a scruffy Russian teenager in a dimly lit basement, or a chiseled military figure in a warehouse-like room filled with hundreds of hackers, pounding away at their keyboards as they plot to take down the US. The truth is that Russian cyber operations are far more complex than either of those scenarios, with the Russian state relying on a network of hackers it hires within its military and intelligence divisions, as well as cybercriminal networks and hackers for hire it can recruit or co-opt as it needs.
“It’s a multilayered system, and it is very flexible. That’s what makes it so hard to track,” said one FBI agent who currently works within the bureau’s cyber division. He asked to speak off the record so that he could discuss open cases with BuzzFeed News. “Let’s say, for instance that Russian intelligence decide they want to hack into eBay to try and find information about a certain person. They might do that through an existing team they have in place, or they might go to a hacker, who has already infected a computer they want compromised and tell him to give them access or else … or they might just pay a guy who has previously hacked eBay to do it for them again.”
That flexibility makes it very difficult for the FBI, or any other law enforcement agency, to track what is being hacked, and why, the FBI agent said.
“They will use whatever method they need to use to get in, and they have no lines between criminals who are hacking for profit and those who are hacking for the government,” he said. “They might be going into eBay to steal credit cards, or they might be doing it as part of a covert op to target a US member of Congress. They might be doing both, really. It makes it hard to know when a hack is a matter of national security and when it is not.”
The hack on Yahoo that compromised the information of more than 500 million people lays out the complex relationship between the hackers and their targets. The accounts were hacked in 2014, with Yahoo only discovering the compromised accounts in September 2016. Just a few months later, Yahoo announced it had discovered a second, earlier breach, which had affected an additional 500 million people in 2013. Together, the hacks cost the company roughly $350 million, as users fled from the platform amid security concerns. It was, cybersecurity experts said, a death blow for Yahoo.
A spokesman for Yahoo did not answer a request for comment from BuzzFeed News. In a public statement published soon after the indictment was issued, Yahoo wrote: "The indictment unequivocally shows the attacks on Yahoo were state-sponsored. We are deeply grateful to the FBI for investigating these crimes and the DOJ for bringing charges against those responsible."
For weeks, cybersecurity researchers investigating the hacks believed they were looking at a case of corporate espionage. But as the scope of the breach was discovered, researchers began to fear that an enemy of the US was compiling a massive database of all US nationals, complete with personal details and email accounts they could mine for vulnerable information. The indictments issued last month against Baratov, Belan, and the FSB officers revealed that the group had breached Yahoo looking for both political targets and financial targets. The hundreds of millions of other people who had been caught up in the breach were just collateral damage.
The hundreds of millions of other people who had been caught up in the breach were just collateral damage.
“The guys who did this to Yahoo, they were criminals. They could have turned around and sold the entire database to the highest bidder,” the FBI agent said. “We are lucky they didn’t.”
Enough is known about the four men to sketch a rough timeline of how they came together to carry out the hack. Dokuchaev was once known in hacker circles as “Forb,” and he spoke openly about hiring out his services until he was recruited into government work, as the Russian newspaper RBC has reported. At the FSB, Dokuchaev was partnered with Sushchin, and the two recruited Belan, a Latvian-born hacker who had been on a list of the FBI’s most wanted since 2012.
“This is the way it goes: They trap one hacker and then they get him to trap his friends,” said one Russian hacker, who agreed to speak to BuzzFeed News via an encrypted app on condition of anonymity. The hacker, who recently served time in a Russian prison and had fled the country once he was released, said the “pressure was intense” to do work on behalf of Russian intelligence officers. “They press on you. It’s not, like, a nice request. It’s a knock on your door and maybe a knock on your ass. If they can’t threaten you they threaten your family.”
It’s unclear how the men were connected to Baratov, who immigrated to Canada from Kazakhstan with his family in 2007. Investigators say Baratov was a hacker for hire. In a July 14, 2016, post on his Facebook page, Baratov wrote that he first discovered how profitable hacking could be when he was expelled from his high school for "threatening to kill my ex-friend as a joke." The time off school "allowed me to work on my online projects 24/7, and really move my businesses to the next level." The post, which included photos of a BMW, Audi, and Lamborghini, claims he made “triple and even quadruple the normal amount” of income. He ended the post with "Taking shortcuts doesn't mean shortcutting the end result."
Once the group had gained access to Yahoo, its targets included an economic development minister of a country bordering Russia, an investigative reporter who worked for Russian newspaper Kommersant, and a managing director of a US private equity firm, court documents show. FBI investigators believe that in addition to searching for the political targets requested by the FSB, Belan also used the Yahoo database to line his own pockets by searching for credit card information and devising various schemes to target Yahoo users. In November 2014, he began tampering with the Yahoo database so that anyone interested in erectile dysfunction treatments was redirected to his own online pharmacy store, from which he got a commission for driving traffic to the site.
"It’s a knock on your door and maybe a knock on your ass. If they can’t threaten you they threaten your family."
“When you look at this case, you realize it has national security and criminal elements. It doesn’t fit neatly into one box or the other,” the FBI agent involved in the case said.
Patel said that the FBI often had difficulty distinguishing between cyber cases that were criminal in nature, versus those which were politically motivated, or had ties to the Russian state. “The government is making an effort to bridge the gap between investigations that involve classified national security issues, and those which are criminal because those worlds aren’t separate anymore,” he said, explaining that departments were trying to form more joint task forces and share classified information when possible.
It’s unclear who within the FSB was responsible for the group, or if their orders ultimately came from another arm of Russia’s government. In December 2016, Dokuchaev was arrested in Russia and accused of treason. His arrest appeared to be part of a roundup of Russian military and cybersecurity figures, though little information has emerged since their arrests.
Andrei Soldatov, a Russian investigative journalist and co-author of The Red Web, a book about the Kremlin’s online activities, said that while the Russian government’s tactic of outsourcing cyber operations to various groups is helpful in distancing themselves (and ultimately providing deniability), it also left them vulnerable to hackers running amuck.
“Hackers are not people who are traditionally easy to control,” said Soldatov. “They might disobey you sometimes.”
When asked why they first started hacking, many Russian hackers say you’ve asked them to solve the question of which came first, the chicken or the egg.
"I hacked because I wanted to get online, and then I was online because I was hacking," said one Russian hacker, who considers himself a veteran of the Russian hacking scene due to his early involvement in credit cards schemes in the 1990s. He agreed to speak with BuzzFeed News on condition of anonymity, as he was concerned for the safety of himself and his family. “In the '90s you could only afford the internet in Russia if you were rich, or a hacker.”
The internet came to Russia after the fall of the Soviet Union. A devastated economy and uncertain political times meant that few had access to the internet, which could cost hundreds of dollars to surf for just a few hours. The Russian hacker said he and his friends got involved in early credit card schemes as a way of paying for internet use, which they then used to discover more about burgeoning online crime.
“We were baby hackers. Nobody knew what was possible,” he said. “But when the internet came to Russia, so did the hackers.”
Police initially ignored cybercriminals, and a de facto rule came into effect that as long as the hackers were targeting people and institutions outside of Russia, they would be left alone by the state.
“We were baby hackers. Nobody knew what was possible,” he said. “But when the internet came to Russia, so did the hackers.”
By the early 2000s, the money trickling in from various online schemes had become a flood. Patel, who helped the FBI investigate cybercrimes during those years, said that organized crime families in Russia began to take notice of the new source of revenue.
“Traditional organized crime in Russia converted to cybercrime when they saw the potential for profit. When they took it over, the whole structure changed,” Patel said. “Once organized crime was involved there was structure, which then made it easier for the nation state to tap into it and get involved.”
The US was still working with Russia when the Kremlin launched what is widely acknowledged as the first nation state attack on a sovereign country. Using a botnet army established by a Russian cybercriminal network, Russian hackers took down the internet in Estonia through a distributed denial-of-service (DDoS) attack.
“The DDoS attack in Estonia is 2007 was a public-private partnership,” said Toomas Hendrik Ilves, the former president of Estonia. “It was the Russian state working with the existing Russian cybercriminal network to carry out a goal. The Russian state paid for this service, like they would anything else.”
Ruslan Stoyanov, the former head of cybercrime investigations at Kaspersky Lab, a Moscow-based cybersecurity company, recently went public with claims that the Russian government systematically recruits hackers from the criminal underground, and gives them immunity in exchange for their services, in a letter published by the independent television station Dozhd. Stoyanov wrote the letter from pretrial detention, where he has been locked up since December on treason charges. He was arrested in the same roundup that targeted Dokuchaev.
“The essence of the deal is that the state gets access to the technologies and information of ‘cyberthieves’ in exchange for allowing them to steal abroad with impunity,” Stoyanov wrote. He said he believed he was thrown in jail because he threatened the business interests of Russian military and intelligence figures who were making a cut off the profit of the cybercriminals.
Hackers say that the Kremlin is not the only government that tries to trap them into these sorts of arrangements. Mikhail Rytikov, a 27-year-old Ukrainian national, is currently wanted by the US for providing his services to a cybercriminal ring that stole 160 million credit card numbers. Rytikov, who is currently in Ukraine, told BuzzFeed News that he was pursuing a criminal case against the US, accusing US government agents of attempting to pressure him into doing work on behalf of the government in exchange for immunity. Other hackers arrested in the US have told of similar arrangements reached with the FBI, which saw them trade time in jail in exchange for assisting US law enforcement.
“Russia is not the only one to do this,” said Arkady Bukh, a New York-based lawyer who has worked with dozens of Russian hackers. “Russia has made more of a system of this.”
Arkady Bukh has been defending hackers, most of them Russian or Eastern European, in US courts for over a decade. Over the last year, something has changed.
“More and more the hackers ask me what the penalties will be before they commit the crime. More and more they want to understand the repercussions,” said Bukh, who spends time on Russian-language forums advising hackers on where the law stood on computer fraud in the US. “They want to know how far they can go. What crosses the line?”
One Russian hacker, who spoke to BuzzFeed News via an encrypted messaging app from a Southeast Asian country where he is currently on an “extended vacation,” said that Russian hackers are facing a turning point — both in their relationship with the US and to their future role in cybercrime.
“Until now, everyone felt free to do this business. It was easy money, and unless you fucked up big, you would be living well,” said the hacker.
That might change, he said, if pressure by the US doesn’t let up. Once a Russian hacker has either been named as a person of interest or indicted by the US or EU, they are effectively forced to find safe haven within Russia, where authorities have become more aggressive in forcing hackers within their borders to do their bidding, he said.
“The guys in Russia that the US wants, how long will they be happy in Russia? They are trapped. That’s not a good life,” he said.
Yet all those trapped hackers are part of an industry that is bringing in hundreds of millions of dollars each year. Russia, say cybersecurity researchers, is at the forefront of some of the world’s best, and most prolific, malware. Ransomware, a type of malware that installs itself on a device and then holds the device hostage until a ransom is paid, largely originates in Russia. Kaspersky Lab estimates that 75% of ransomware originates in Russia, though other firms have put that figure even higher. Nobody knows exactly how much money is coming in, but some of it, say cybersecurity companies, is being used to develop ever more dangerous, complex, and profitable schemes.
It’s not the type of profit most people could — or would — walk away from.
“The more computers they hack, the more access the Russian government gets when they want it,” said the hacker. “There is a lot of pressure for them to hack hack hack.” ●
Outside Your Bubble is a BuzzFeed News effort to bring you a diversity of thought and opinion from around the internet. If you don't see your viewpoint represented, contact the curator at firstname.lastname@example.org. Click here for more on Outside Your Bubble.
Sheera Frenkel is a cybersecurity correspondent for BuzzFeed News based in San Francisco. She has reported from Israel, Egypt, Jordan and across the Middle East. Her secure PGP fingerprint is 4A53 A35C 06BE 5339 E9B6 D54E 73A6 0F6A E252 A50F
Got a confidential tip? Submit it here.