Karim Baratov, a 23-year-old Canadian citizen who was accused of participating in a hack of Yahoo that resulted in more than 500 million accounts being stolen, pleaded guilty to multiple charges Tuesday in a California court.

Baratov pleaded guilty to one count of conspiracy to commit computer fraud and abuse and eight counts of aggravated identity theft. The hacker could face up to 20 years in prison for his role in the hack of Yahoo. The Canadian citizen will be sentenced in February.

Baratov was indicted by the United States Department of Justice earlier this year, along with three other Russian hackers, for his role in a coordinate effort to hack Yahoo. The 2014 attack resulted in more than 500 million Yahoo accounts—including usernames, passwords and other personal information—being stolen from the company.

The 23-year-old was known prior to the indictment as a hacker-for-hire. He was arrested in Canada in March just one day before the U.S. Department of Justice announced its indictment of Baratov and his three accomplices. The hacker waived his right to an extradition hearing earlier this year and initially submitted a not guilty plea but instead decided to plead guilty when he appeared Tuesday in federal court in San Francisco.

Prosecutors have accused the Canadian citizen of hacking at least 80 accounts, including at least 50 that were hosted by Google. His role in the attack is considered minor compared to his alleged cohorts and prosecutors have recommended a sentence of eight to nine years for his actions.

Baratov was indicted along with two members of the Federal Security Service (FSB), the Russian intelligence agency that was once headed by Vladimir Putin. Those agents were identified as Dmitry Dokuchaev, who goes by the alias "Forb," and his superior officer Igor Sushchin. Alexsey Belan, one of the most-wanted cyber criminals in the world, was also indicted as part of the 2014 breach of Yahoo.

According to a statement from the U.S. Department of Justice, the four defendants “ used unauthorized access to Yahoo’s systems to steal information from about at least 500 million Yahoo accounts and then used some of that stolen information to obtain unauthorized access to the contents of accounts at Yahoo, Google and other webmail providers, including accounts of Russian journalists, U.S. and Russian government officials and private-sector employees of financial, transportation and other companies.”

The prosecutors also alleged that one of the defendants “also exploited his access to Yahoo’s network for his personal financial gain, by searching Yahoo user communications for credit card and gift card account numbers, redirecting a subset of Yahoo search engine web traffic so he could make commissions and enabling the theft of the contacts of at least 30 million Yahoo accounts to facilitate a spam campaign.”

Yahoo has claimed the 2014 breach was part of a state-sponsored effort carried out on behalf of the Russian government. At Structure Security in San Francisco in September, former Yahoo chief information security officer Bob Lord called the breach a “real-life spy story” and said, "No one really expects the Spanish inquisition, no one really expects a foreign government will be after you.”

RELATED STORIES
Security Security Russia