The Hacker King
As a teenager, Karim Baratov made millions breaking into email accounts. When a Russian spy asked him for help with a massive Yahoo hack, he was flattered. He didn’t realize the FBI was watching his every move
As a kid, Karim Baratov spent too much time on his computer. He was bright but undisciplined, and he was hypnotized by that machine. Baratov believed school was a waste of his time, its educational benefits next to nil, and good for little more than socializing. His grades weren’t great, but not because he was stupid—far from it. He was just too busy with his online world to study, sometimes even to show up to class. At one point, he almost flunked out of high school.
In 2007, at age 12, he emigrated from Kazakhstan to Canada with his parents, Akhmet and Dinara, and older sister, Sabina. They settled in Ancaster, the picturesque Hamilton suburb, buying a large brick home with a two-car garage in the affluent Meadowlands neighbourhood. Baratov’s father was a veterinary biologist at a company called Vetaktiv. His mother worked as a nurse in Dundas. Kazakhstan does not permit dual citizens, so in 2011 the entire family renounced their Kazakhstani citizenship to become Canadian.
Baratov was boyish and clean-cut, with cherubic cheeks, shapely eyebrows and a neat hairline terminating in a widow’s peak. He had a gift for coining aphorisms, sometimes motivational and sometimes sullen. “Life does not have a remote,” he once tweeted. “Get up and change it yourself.” He had a hard-nosed tenacity, and he clung to the idea that people make their own luck. At the same time, he could be silly and immature, with a fondness for “your mom” jokes.
When Baratov was 12, he taught himself to code—the hobby of a brilliant but lonely boy in a new country. A year later, he made his first dollar on the web. One day, someone he described online as a “random wealthy woman” reached out to him to do some work—he kept the exact nature of that work hidden from his friends and family. When he finished, she asked how much she owed him. At first he refused to take her money, but eventually, at her insistence, Baratov accepted $200, which seemed to him a fortune. He decided he’d never work for free again.
Over the next few years, he registered over 80 websites to his name. Some of these sites provided hacking services, offering customers access to any email inbox they wanted. They were making him rich. By 14, he claimed to be earning more than both of his parents combined. By 15, he reportedly made his first million. He spent his money lavishly. He had two Rolexes and a taste for Armani, but it wasn’t until he started collecting cars that people wondered where the cash was coming from. To call him an aficionado wouldn’t do justice to the rapaciousness of his obsession. His first car, which he got while he was still in high school, was a Mercedes. He went on to buy a BMW, which he regretted because it depreciated too quickly. He acquired a white Audi, then swapped it out for a Porsche. There was another Mercedes and an Aston Martin. He held on to the baby-blue Lamborghini Gallardo for almost a year before getting bored with it. He usually affixed one of his two trademark vanity plates to his cars: “Mr Karim” or “Karrrim.”
Baratov was coy about the nature of his labour but fulsome about its fruit, driving his cars through the neighbourhood and uploading their images to the web. It was as if he couldn’t help but show off how lucrative his secret was. On Instagram, where he identified as an entrepreneur, a programmer, a web developer and a workaholic, he posted photos of the luxuries he showered upon himself. When someone asked how he was able to afford his cars, he’d chalk it up to good luck. After a commenter asked him if he was a Russian assassin, he quipped sarcastically: “How did you know?” Some of the social media accounts were in his own name, with photos of his cars parked in his parents’ driveway. Others were under half-hearted aliases—Karim Taloverov, Kay or Karim Akehmet Tokbergenov. He had a tattoo that ran down his forearm, a bit of binary code that spelled “Karim.”
When Baratov was 20, he purchased a large detached home at 56 Chambers Drive for $642,500: it had double front doors, a closed-circuit security feed, a two-car garage where he parked his supercars and a little garden out front with a Japanese maple. It was less than two kilometres from his childhood home, and even after he moved in, he still ate dinner with his parents most nights. Baratov spent a great deal of time field-testing his whips, putting his cars through their paces. He rarely went further than the parking lot of the local grocery store, an eight-minute drive from his folks. A stranger on an Internet forum once asked him, “What’s the prettiest city you have ever been to?” Baratov answered, “Meadowlands”—the subdivision where he lived. He could afford exotic things, but he preferred them close to home. He worked in secret but wanted desperately to be acknowledged. And while he could travel faster than anyone he knew, he didn’t have anywhere to go.
The proto-hacker subculture was born in the early 1960s, when MIT’s Tech Model Railway Club designed, built and managed a model train set so huge it filled an entire room. According to author Steven Levy in his book Hackers, two kinds of kids joined the club. One was the world-builder, who assembled and painted the trains and the towns they travelled through: little homes next to water towers, streetcars with their pantographs hooked up to catenary wires, pretty blocks and bad industrial neighbourhoods that formed little cities—our whole world in miniature. The other kind of student was more interested in what was underneath the town, a snaking nest of electrified wires and exchanges called the System, which powered and controlled the world above. When one of them found a clever fix to a traffic problem, they called the solution a “hack.”
A hack could be witty, elegant, even beautiful, and its purchase exceeded its utility. For the railway club members, designing hacks became so central to their identities that they started calling themselves “hackers.” The first hackers applied the skills they’d acquired on model train sets to the early punch card computer programs they had access to at MIT. By the time the predecessor to the Internet, ARPANET, arrived on campus in 1969, its most savvy users were hackers.
Decades later, the Internet now resembles the System undergirding the towns in the model railway club. The more connected we are, the more of ourselves we upload, the more powerful a hacker becomes, tinkering with real cities instead of miniatures. But the anarchic, decentralized, egalitarian, radically transparent techno-utopia those early idealists envisioned is transforming into a near-eradication of privacy. What they conceived as a mechanism for liberation works just as easily as a means of indenture. The Internet has allowed hacking to transform into a radically new kind of crime—where an assailant can ruin someone’s life from his mom’s basement, a continent away. For many hackers, privacy is the enemy of freedom.
The same tools that hold governments to account can also be used by the state to surveil its people, or by one citizen to steal another’s identity. Government hackers, for example, see cyber-warfare as the most revolutionary battlefield innovation since the airplane. State-sponsored attacks include the Stuxnet worm, which significantly damaged Iran’s nuclear capabilities, and, of course, the likely Russian interference in the American election. Anti-government hackers—righteous whistle-blowers like Chelsea Manning and Edward Snowden—espouse a techno-libertarianism that dovetails with the original ethos of the early utopians. But the vast majority of modern hackers are thieves. For every whistle-blower, there are three pickpockets. These are the types that would have joined MIT’s railway club in the ’60s: precociously smart and introverted, often unpopular and hungry for attention, with their hands on the levers of the world.
Karim Baratov registered his first website in 2007, using his real name. The site, now archived, was called WebXakep.net, which translates from Russian as WebHacker.net. Like his binary tattoo, it was a cypher in plain sight.
The site was in Russian, Baratov’s second language after Kazakh. In a half-dozen text fields, clients could order their hacks. First, they’d enter the email address they wanted to access, then answer a series of questions. How often does the target check their mailbox? Does the client have physical access to the target’s computer? Then the client would enter his or her own contact information and choose the method of payment—hacks cost $90, and the site accepted PayPal, Visa, MasterCard or Western Union. When the client had filled out the fields, he’d click a button that reads: “Order hacking mail!” The site was oddly congenial, with sections explaining how visitors could protect themselves against the very services it offered. Don’t make your passwords too short or too personal, it warned. “And most importantly, be very careful of emails that appear to be from administrative or technical support departments from the webmail company itself.”
Baratov was spear phishing, which is one of the easiest ways to break into email accounts. Spear phishing allows a hacker to gain access to a mailbox without changing its user’s password, rendering the intrusion all but invisible. Baratov would register an account on the same server as the target, creating an address that, at a glance, looked like official tech support. Most email users have never interacted with the administrative or security departments from their webmail company, and so when they’re asked to click a link, or reset their password, they do. Baratov would send his clients photos of the desired inboxes, and only then was payment required. Once he’d gained access, he’d turn the targeted inbox over to his clients, who could do with it whatever they liked. It was the same kind of hack used to gain illegal access to the emails of Hillary Clinton’s campaign chairman, John Podesta, exposing his now famous risotto recipe, sending a gunman into a pizza parlour in Washington, D.C., and quite possibly costing Clinton the 2016 election.
It took Baratov five minutes to hack a single account, and he had dozens of sites like WebXakep registered in his name. With a full workload dedicated just to hacking emails, Baratov could have made as much as $1,000 an hour. He hired bloggers to produce content linking to his sites, buoying them to the top of search engine results. On WebXakep, there were also two links to interviews, conducted by a Russian news organization in 2011. In the first article, the anonymous web hacker (likely Karim Baratov) claimed to have led the infiltration of the blog of Sergei Mavrodi, an infamous fraudster commonly called the Bernie Madoff of Russia, whose company, MMM, had bilked 40 million people out of almost $10 billion. He said it took him 10 minutes to crack the blog and that he charged $60.
In the second article, now enjoying his notoriety, he opened up about the secret world of cybercrime. Who were his clients? “Jealous couples, vindictive people, curious people,” he said. There were wives who didn’t trust their husbands, boyfriends who needed to know who their girlfriends were emailing, policemen, generals and, in one case, the loved ones of a man who’d gone missing. How could he get away with it? The authorities aren’t interested in hackers targeting civilian email accounts, Baratov said, because the FBI and the FSB—the Russian Federal Security Service, the spy agency that succeeded the KGB—are preoccupied with murderers, rapists and terrorists. And then the Russian journalist asked who he was. The hacker said that his name was Karim, and that his homeland was the Internet.
While Karim Baratov was building his business in 2012, Yahoo suffered its first major data breach. It was the work of the hacker collective D33Ds Company, who saw themselves as good samaritans out to warn an easy mark. They were able to compromise 450,000 accounts by cracking flimsy, outdated encryption. They left Yahoo a note that read: “We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call.” But Yahoo did little to implement a mechanism that could register these kinds of infiltrations. A second massive breach, in 2013, compromised three billion accounts.
Yet another attack arrived in 2014 at the company’s corporate headquarters on 1st Avenue in Sunnyvale, California, a sprawling campus of glass atriums and cantilevered canopies. According to court documents, the hack was organized and launched 10,000 kilometres away, in Moscow’s Lubyanka Building, the grand yellow-brick office block that houses the FSB. The Kremlin categorically denies any involvement with the hack, but the FBI believes that the two men who spearheaded the intrusion were FSB officers—Russian spies—assigned to the elite Centre 18, the agency’s Centre for Information Security. One was Dmitry Dokuchaev, a stout 33-year-old Russian with a messy haircut, blue eyes and a mouth that curls paradoxically down into a frown when he means to smirk, giving his smile the appearance of a turncoat. The other was Dokuchaev’s boss, Igor Sushchin, who’s thin-lipped and hollow-cheeked, and wears his blond hair parted down the middle.
Their goal was to gather intelligence, and their targets were both political and financial. Sushchin and Dokuchaev soon recruited a third man for the job, Alexsey Belan, a 30-year-old Latvian freelancer and one of the most notorious criminal hackers on earth. Belan, who went by the online alias Magg, had been indicted in 2012 and 2013 by courts in Nevada and northern California for hacking into three American e-commerce companies. He was arrested in 2013 in Greece, but just as he was set to be extradited to the States to stand trial, a Greek court granted him bail. He vanished, fleeing to Russia. Belan appeared on the FBI’s list of most wanted cybercriminals—they were offering $100,000 for information leading to his arrest—and he was the subject of an Interpol Red Notice. Instead of arresting him, the Russians hired him. Sushchin and Dokuchaev taught him FSB techniques to avoid detection and seek out other hackers. And then in early 2014, they put Belan to work.
The group allegedly leased servers in various countries and used virtual private networks to hide their origins. Belan was looking for two things that, together, could unlock every Yahoo webmail account. The first was the user database, or UDB, the master list that holds all the user registration information for every account—names, alternate email addresses, phone numbers, the questions and answers to password recoveries. For each email address, the UDB recorded something called its “nonce,” a digital fingerprint associated with each account that morphed only when a user changed their password. The second thing Belan was looking for was the Yahoo account management tool, or AMT, which allowed Yahoo to access, track and edit the data stored in the user database. From his hiding place in Moscow, Belan logged secretly onto the Yahoo servers and went hunting for both the UDB and AMT.
By late 2014, he’d found both. In early December, authorities say, he downloaded a portion of the Yahoo user database onto his computer, including the nonces. He uploaded software that allowed him access to the AMT while simultaneously covering his tracks. Next, he used a tool that allowed him to fraudulently mint cookies. A cookie is a tiny bit of information that records when you’ve been to a website; in webmail it’s used to keep you logged into your inbox. Suddenly, Dokuchaev, Sushchin and Belan could access any Yahoo webmail account they wanted without even entering or changing a password. To Yahoo, their logins looked valid and were all but undetectable.
The trio had access to some 500 million accounts, and investigators say they logged into roughly 32 million inboxes. They broke into accounts belonging to Russian politicians who were critical of Vladimir Putin—citizens, diplomats, ministers, current and former government officials, and those from neighbouring states. They accessed the accounts of Russian journalists, including an investigative reporter at Kommersant, a daily newspaper. They gathered intelligence on a consultant who was researching Russia’s bid for membership in the World Trade Organization.
The breaches also targeted everyday people. Kimberley Heines from California connected her Yahoo account to a service called Direct Express, through which she collected her Social Security payments. In 2015, she realized that her benefits were being stolen. She couldn’t pay her bills, and she was hounded by collection agencies for purchases she didn’t make. Another Californian, Paul Dugas, had four Yahoo accounts, and when he went to file his taxes online, he was informed that a tax return had already been filed in his name. As a result, he was unable to apply for financial aid for his daughter’s university tuition. Most terrifying of all, Dokuchaev and Sushchin accessed the accounts of U.S. government officials, members of the military, cyber-security personnel and even White House officials in the Obama administration.
Amid the treasures they found in the hacked Yahoo accounts, they also found victims’ email addresses from other webmail companies, like Gmail. And so in the fall of 2014, Dokuchaev, the spy with the upside-down smile, found the final member of their team, a person with a reputation for breaking into Gmail accounts. His name was Karim Baratov.
By 2015, Baratov was living at the house he’d bought for himself. He was his own man now, 20 years old, finished high school and focused on the hacking business he’d built from the ground up. He wasn’t hard to find.
He had a routine: he’d wake up at 7 and work for an hour and a half before heading out to the gym. He was a gym rat, with muscles that flexed and bulged under his proliferating tattoos. He did weights and whey, and put his pipes to the test in arm-wrestling matches that he recorded and uploaded to a YouTube channel called Iron Hands. After dinner with his parents, he’d be home by 11 to do another two or three hours of work before heading to bed.
Dokuchaev introduced himself as “Patrick Nagel” and asked for the standard Baratov job at the standard Baratov price, now up to $100. Karim was likely being swept into something more powerful than he could understand. A good number of Dokuchaev’s targets were Russian government and intelligence assets. He wanted the email address of the deputy chairman of the Russian Federation, one of the government’s top politicians, Yury Trutnev. He wanted access to the inboxes of three high-ranking employees at one of Russia’s leading cybersecurity companies. He tasked Baratov with hacking into the email of an officer from Department K at Russia’s Ministry of Internal Affairs, which investigates cybercrime. Baratov was helping Dokuchaev spy on his colleagues. He didn’t have special skills the others lacked—he was probably the least talented of the four hackers. But he had a Canadian IP address. By employing Baratov, the agents seemed to be putting distance between themselves and the hack, creating wiggle room for plausible deniability. In all likelihood, Baratov was a patsy.
When Baratov would get into the desired inbox, he’d send Dokuchaev a screen grab. Dokuchaev’s payments went through Baratov’s WebMoney and PayPal accounts. The PayPal account was registered to Karim Baratov using a thinly veiled email address, email@example.com. It linked to an RBC account under the same name. Every financial instrument led back to Baratov. Authorities say that he attempted to hack about 80 email accounts for the FSB and charged $100 for each. That means that for his part in one of the largest data breaches in history, Baratov might have made only $8,000.
For two years, Dokuchaev and Baratov worked in secret. The warnings were there: in the summer of 2016, a group of hackers from eastern Europe claimed to have Yahoo account information on 200 million users and offered it for sale on the dark web. In August, an independent intelligence officer at an Arizona-based cybersecurity company warned Yahoo, but the company dismissed him as a false Cassandra. Yahoo would later admit in SEC filings that their security team had known that the user database was compromised as early as 2014, but that senior executives didn’t fully understand or investigate the extent of the damage.
At some point along the way, the FBI launched an investigation into the breach, identifying Baratov and his associates as the perpetrators. Two years after Belan first infiltrated its servers, Yahoo finally revealed that it had been the victim of a series of colossal cyberattacks. Its stock fell six per cent in a single day. Verizon, which was in the process of buying Yahoo for $4.8 billion, cut the company’s valuation by $350 million. No one was sure if the deal would still go through, and there was talk of a mass exodus of users from Yahoo.
Baratov had been walking into a trap. He was the easiest member of his team to track, the weakest and most vulnerable link in their chain, and the only one within the reach of the U.S. government. What’s more, Dokuchaev, the Russian spy with a turncoat smile, was likely a double agent, turned by the Americans and working for the CIA. In December of 2016, the FSB arrested him for treason.
Before Baratov could appreciate how much trouble he was in, the net descended on him. On February 28, 2017, a grand jury in San Francisco indicted the four men—including Dokuchaev, perhaps to keep his cover—and a warrant was issued for Karim Baratov’s arrest. Four days later, early in the morning, members of the Toronto Fugitive Squad arrived at 56 Chambers Drive. Baratov would have been able to see them coming for him over his closed-circuit camera feed. They took him into custody, walking him down his driveway. Of the four conspirators, the only man to be arrested was the one who had the least to do with the hacks—his alleged co-conspirators were still in Russia and out of the FBI’s reach. The police seized $30,000 in cash from a safe in Baratov’s house, $914 from his wallet, and his last Mercedes and Aston Martin from the garage.
When Baratov was arrested, his parents petitioned the court to bail him into their custody, putting their own home up as surety, along with the $10,000 cash that constituted their life savings, offering to have Karim wear an electronic ankle bracelet and promising not to let him anywhere near a computer. It was no use. In August, he went to California to stand trial. He has pleaded guilty to eight counts of aggravated identity theft and one count of conspiracy to commit computer fraud and abuse. He claims he had no idea he was working for Russian spies. His sentencing is scheduled for February, and prosecutors are expected to seek a prison term of seven to nine years.
Both Baratov and his family declined to speak to Toronto Life for this article. One cool morning in September, I drove out to his parents’ home in Ancaster. Walking up the driveway, I noticed a little brass sign on their front door that they’d put up recently, a bulwark against the curiosity crowding in upon their home. It read, “No agents, peddlers or solicitors.” All they wanted was what their son had stolen from so many others: their privacy.