One of the defendants is in custody in Canada. Another was briefly in custody in Europe but escaped, and the other two remain at large.
Investigators allege that the four used the stolen information to break into user accounts not only at Yahoo but also at Google and other webmail providers. In some cases, the data theft appeared to have intelligence goals, involving Russian journalists, U.S. and Russian government officials, and prominent business figures.
In others, the goal was simply theft. One of the defendants in particular pursued financial gain, the indictments allege, by searching Yahoo user emails for credit card and gift card account numbers, redirecting a subset of Yahoo search engine web traffic so he could make commissions and enabling the theft of the contacts of at least 30 million Yahoo accounts to facilitate a spam campaign.
The defendants are:
- Dmitry Aleksandrovich Dokuchaev, 33, a Russian national and resident;
- Igor Anatolyevich Sushchin, 43, a Russian national and resident;
- Alexsey Alexseyevich Belan, aka “Magg,” 29, a Russian national and resident; and
- Karim Baratov, aka “Kay,” “Karim Taloverov” and “Karim Akehmet Tokbergenov,” 22, a Canadian and Kazakh national and a resident of Canada.
“Today we continue to pierce the veil of anonymity surrounding cyber crimes,” said FBI Director James Comey. “We are shrinking the world to ensure that cyber criminals think twice before targeting U.S. persons and interests.”
Acting Assistant Attorney General Mary McCord said it was "beyond the pale" that two of the defendants were assigned to the FSB unit that coordinates cyber crime enforcement with the FBI.
Red Notice
According to the indictments, the FSB officer defendants, Dmitry Dokuchaev and Igor Sushchin, enlisted criminal hackers, including Alexsey Belan and Karim Baratov, to obtain access to private email accounts.
At the time, Belan had been publicly indicted and was named one of the FBI’s "Cyber Most Wanted" criminals in November 2013. An Interpol Red Notice seeking his immediate detention has been lodged (including with Russia) since July 26, 2013. Belan was arrested in a European country on a request from the U.S. in June 2013, but he was able to escape to Russia before he could be extradited.
Instead of acting on the U.S. government’s Red Notice and detaining Belan after his return, Dokuchaev and Sushchin used him to gain unauthorized access to Yahoo’s network.
In or around November and December 2014, authorities allege Belan stole a copy of at least a portion of Yahoo’s User Database (UDB), a Yahoo trade secret that contained, among other data, subscriber information including users’ names, recovery email accounts, phone numbers, and certain information required to manually create, or “mint,” account authentication web browser “cookies” for more than 500 million Yahoo accounts.
Belan also obtained unauthorized access on behalf of the FSB conspirators to Yahoo’s Account Management Tool (AMT), which was a proprietary means by which Yahoo made and logged changes to user accounts. Belan, Dokuchaev and Sushchin then used the stolen UDB copy and AMT access to locate Yahoo email accounts of interest and to mint cookies for those accounts, enabling the co-conspirators to access at least 6,500 such accounts without authorization, the indictments allege.
When Dokuchaev and Sushchin learned that a target of interest had accounts at webmail providers other than Yahoo, they tasked their co-conspirator, Baratov, a resident of Canada, with obtaining unauthorized access to more than 80 accounts in exchange for commissions, prosecutors said.
Baratov was arrested in Canada yesterday. The other three remain at large.