Luxury Car Buff `Mr. Karim' at Center of Russia Yahoo Hack
When Karim Baratov said on Facebook he’d paid off a mortgage and drove a BMW 7 series at high school, classmates thought he had rich parents. The money may have come, instead, from a secret life as a cyber hacker, including work for Russia’s top spy agency.
The U.S. government indicted four people Wednesday for allegedly hacking Yahoo! Inc. accounts for the Russian government. Baratov, a Canadian born in Kazakhstan who is 22 years old now, is the only one likely to see trial.
He was arrested Tuesday and appeared in court in Hamilton, Ontario, a steel town an hour’s drive west of Toronto. After a couple of preliminary court appearances, a Canadian judge will decide whether to extradite him to the U.S. to face a trial that will have ramifications for U.S.-Russian relations and shed light on how well Yahoo! Inc. dealt with security threats to its popular email service.
“Absolutely crazy. Wouldn’t have imagined this happening,” said Dillon Kovljenic, who became friends with Baratov while doing work on some of his cars over the last two years.
In the indictment, Baratov’s jet-black Mercedes Benz C54 and Aston Martin DBS (complete with “Mr. Karim” vanity plate) are listed as assets that the U.S. is seeking to seize, arguing they were obtained through illegal activity.
Baratov was quiet and soft-spoken as he answered a judge’s questions in court on Wednesday. He wore a black winter coat buttoned up to his throat, black pants and brown-rimmed glasses. His bail hearing was pushed back to Mar. 17 because his legal counsel wasn’t present.
It’s unclear whether he knew he was working for the FSB, though the indictment said Dokuchaev and a colleague Igor Sushchin told him to hack into private accounts owned by Russian politicians and bureaucrats. Baratov was asked to hack into at least 80 email accounts, including 50 Google accounts, the indictment said.
Text messages sent to Baratov’s cell phone and a call to his home weren’t answered. Amedeo DiCarlo, a criminal defense lawyer, said he had been retained by Baratov’s family to defend him. He declined to comment on the case.
Friends and acquaintances of Baratov said he was a quiet, polite person who rarely spoke about his work.
“Extremely nice, polite and smart kid,” Kovljenic said. Baratov paid on time for work on his cars and Kovljenic never asked what this young customer did for a living, he added.
Those same cars are what set Baratov apart from other kids, said another friend who attended high school with Baratov but declined to be identified for this story. Pictures on his Facebook account show a two-story suburban home with Audis and a Porsche out front.
At first, classmates thought his parents were wealthy, but then Baratov bought a luxury car for this father, said one of his friends. When he did talk about work, he would say he built websites for clients he found online, the friend said.
In a Feb. 14 Facebook post, Baratov said he was expelled during his last year of high school, four years ago. That allowed him to focus on his “online projects” and increase the amount of money he was making. He’d already paid off his first mortgage and drove a BMW 7 Series in high school, he wrote in the post.
Baratov’s Instagram account shows him posing with friends at a club, flexing his tattooed biceps at the gym and cuddling a grey cat. He drew pencil drawings of cars, friends and a portrait of Arnold Schwarzenegger, which he also posted to Instagram and Facebook.
“Karim’s one of my closest friends; he’s a great guy. Wouldn’t even hurt a fly,” said Jeff Josiph, who worked out with Baratov at the gym. “I didn’t pay attention to his work life. I hung out with him because he treated everyone fairly and always had nice things to say about everyone else.”
In the Feb. 14 post, Baratov said his expulsion from school helped spur him onto success.
“Get the most out of your life,” he wrote. “Taking shortcuts doesn’t mean shortcutting the end result.”
Baratov is charged with working for Dmitry Dokuchaev, a hacker for hire who was pressed into working with Russia’s FSB security service to avoid prosecution for bank-card fraud. The Canadian used fake emails to lure targets to give up sensitive information that allowed him to get passwords, which he then sold to Dokuchaev for $100 each, according to the U.S. Department of Justice.