Court File No. EX ___/17

SUPERIOR COURT OF JUSTICE (TORONTO REGION)

IN THE MATTER OF an Application pursuant to section 13 of the Extradition Act for a warrant for the provisional arrest of KARIM BARATOV a.k.a. KAY a.k.a. KARIM TALOVEROV a.k.a. KARIM AKEHMET TOKBERGENOV

BETWEEN:

THE ATTORNEY GENERAL OF CANADA ON BEHALF OF THE UNITED STATES OF AMERICA
Applicant

- and -

KARIM BARATOV a.k.a. KAY a.k.a. KARIM TALOVEROV a.k.a. KARIM AKEHMET TOKBERGENOV
Person Sought

APPLICATION RECORD FOR PROVISIONAL ARREST WARRANT

ATTORNEY GENERAL OF CANADA
Department of Justice Canada
Ontario Regional Office
The Exchange Tower
130 King St. W.
Suite 3400, Box 36
Toronto, Ontario
Per: Adrienne Rice

Court File No. EX ___/17

SUPERIOR COURT OF JUSTICE (TORONTO REGION)

IN THE MATTER OF an Application pursuant to section 13 of the Extradition Act for a warrant for the provisional arrest of KARIM BARATOV a.k.a. KAY a.k.a. KARIM TALOVEROV a.k.a. KARIM AKEHMET TOKBERGENOV

BETWEEN:

THE ATTORNEY GENERAL OF CANADA ON BEHALF OF THE UNITED STATES OF AMERICA
Applicant

- and -

KARIM BARATOV a.k.a. KAY a.k.a. KARIM TALOVEROV a.k.a. KARIM AKEHMET TOKBERGENOV
Person Sought

Notice of Application
Affidavit of Detective Constable Burak Inal
Draft Sealing Order

TAB 1

Court File No. EX ___/17

SUPERIOR COURT OF JUSTICE (TORONTO REGION)

IN THE MATTER OF an Application pursuant to section 13 of the Extradition Act for a warrant for the provisional arrest of KARIM BARATOV a.k.a. KAY a.k.a. KARIM TALOVEROV a.k.a. KARIM AKEHMET TOKBERGENOV

BETWEEN:

THE ATTORNEY GENERAL OF CANADA, ON BEHALF OF THE UNITED STATES OF AMERICA
Applicant

- and -

KARIM BARATOV a.k.a. KAY a.k.a. KARIM TALOVEROV a.k.a. KARIM AKEHMET TOKBERGENOV
Person Sought

NOTICE OF APPLICATION

An Application is hereby made, ex parte, and in writing on behalf of the Attorney General of Canada through her counsel, under Section 13(1) of the Extradition Act for the issuance of a warrant for the provisional arrest for KARIM BARATOV a.k.a. KAY a.k.a. KARIM TALOVEROV a.k.a.
KARIM AKEHMET TOKBERGENOV ("BARATOV"), and for an order sealing the application for a provisional arrest warrant. BARATOV is a person sought by the United States of America for prosecution.

THE GROUNDS FOR THE APPLICATION ARE:

1. The Extradition Partner, the United States of America, has requested the provisional arrest of BARATOV for prosecution and the Minister of Justice has authorized the Attorney General to apply for a provisional warrant, pursuant to s. 12 of the Extradition Act;

2. It is necessary in the public interest to arrest BARATOV;

3. BARATOV is in Ontario;

4. A warrant for arrest was issued against BARATOV in the United States District Court for the Northern District of California on February 28, 2017; and

5. The ends of justice would be subverted by the disclosure of the application for the provisional arrest warrant.

DOCUMENTARY EVIDENCE IN SUPPORT OF THE APPLICATION:

1. The application herein;

2. The Minister's authorization to apply for a provisional arrest warrant with respect to BARATOV pursuant to Section 12 of the Extradition Act;

3. The affidavit of Detective Constable Burak Inal and attached exhibits;

4. A draft sealing order; and

5. Such further documents as Counsel may advise and this Court permit.

ORDER SOUGHT:

1. The Applicant requests the issuance of a warrant for the provisional arrest of BARATOV pursuant to Section 13(1) of the Extradition Act; and

2. An order sealing the application for a provisional arrest warrant.

DATED at the City of Toronto, in the Province of Ontario, this day of March, 2017

Adrienne Rice
Counsel for the Attorney General of Canada

TAB

Court File No. EX ___/17

SUPERIOR COURT OF JUSTICE (TORONTO REGION)

IN THE MATTER OF an Application pursuant to section 13 of the Extradition Act for a warrant for the provisional arrest of KARIM BARATOV a.k.a. KAY a.k.a. KARIM TALOVEROV a.k.a. KARIM AKEHMET TOKBERGENOV

BETWEEN:

THE ATTORNEY GENERAL OF CANADA, ON BEHALF OF THE UNITED STATES OF AMERICA
Applicant

- and -

KARIM BARATOV a.k.a. KAY a.k.a.
KARIM TALOVEROV a.k.a. KARIM AKEHMET TOKBERGENOV
Person Sought

AFFIDAVIT IN SUPPORT OF AN APPLICATION FOR A PROVISIONAL WARRANT OF ARREST

I, Detective Constable Burak Inal, of the Toronto Fugitive Squad, MAKE OATH AND SAY AS FOLLOWS:

1. I am currently assigned to the Toronto Police Services, Toronto Fugitive Squad. I have been assigned to work on a request from the United States of America for the provisional arrest of KARIM BARATOV a.k.a. KAY a.k.a. KARIM TALOVEROV a.k.a. KARIM AKEHMET TOKBERGENOV ("BARATOV") and have been involved in the investigation related to this matter. I have obtained the information contained in this affidavit from my review of the documents attached hereto, from my own investigation, from other law enforcement officers, and from the Department of Justice. I believe the information in this affidavit is true.

2. The Minister of Justice Canada has authorized the Attorney General of Canada to apply for a warrant of provisional arrest, attached to this affidavit as Exhibit "A".

I. Conditions under which a judge may issue a provisional warrant

3. I understand that the requirements for issuing a provisional arrest warrant are set out in s. 13 of the Act. The Applicant must establish that there are reasonable grounds to believe that

(a) it is necessary in the public interest to arrest the person, including to prevent the person from escaping or committing an offence;

(b) the person is ordinarily resident in Canada, is in Canada, or is on the way to Canada; and

(c) a warrant for the person's arrest or an order of a similar nature has been issued or the person has been convicted.

a. The arrest is in the public interest

i.
Seriousness of the offence

4. A true copy of the provisional arrest request is attached to this affidavit as Exhibit "B". BARATOV is wanted in the United States District Court for the Northern District of California for prosecution for offences related to conspiring with others to gain unauthorized access to computers and to email accounts, and through this access, stealing confidential email account information and trade secrets. The allegations are described in the provisional arrest request and are summarized in the following paragraphs.

5. Between 2014 and December 2018, BARATOV acted as a hacker-for-hire. He conspired with others, including Alexsey Belan, who is included in the FBI's most wanted hackers list, and Dmitry Dokuchaev and Igor Sushchin, both current officers of the Russian Federal Security Service ("FSB"), to gain unauthorized access to computers used by Yahoo and to the email accounts of individuals with Yahoo, Google and other webmail accounts. With such access, the conspirators stole confidential email account information from the account users and, in relation to the intrusion activities on Yahoo's network, proprietary Yahoo trade secrets.

6. In 2014, Yahoo's network was hacked and non-content information, like names, email addresses, telephone numbers, dates of birth, hashed passwords and encrypted or unencrypted security questions and answers, was stolen for more than 600 million Yahoo user accounts. The contents of another approximately 32 million accounts were accessed in the attack. Yahoo's internal investigation revealed that a copy of at least a portion of the Yahoo User Database was stolen from Yahoo's network. This database contains proprietary and confidential Yahoo technology and information.
Belan is alleged to have provided Dokuchaev and Sushchin with the unauthorized access to Yahoo's network while Dokuchaev has been identified as involved in the attack through an email address.

7. Email records, obtained in the U.S., show that starting in late 2014, Dokuchaev communicated with BARATOV, using various email accounts. In the email communications Dokuchaev tasked BARATOV with obtaining login credentials for approximately 80 email webmail accounts, some of which the conspirators had identified as belonging to targets from the Yahoo intrusion. Google records show that BARATOV sent "spear phishing" messages. The messages were designed to resemble emails from trustworthy senders so that recipients were lured into opening attached files or clicking on hyperlinks in the messages and into providing valid login credentials for their accounts. Many of the intended victims were in Russia. When successful, BARATOV provided the passwords to Dokuchaev in exchange for payment.

8. Specifically, in October 2014, November 2015, and March 2016, Dokuchaev sent BARATOV, via email, requests for unauthorized access to a number of identified email accounts. Between December 2014 and March 2016, BARATOV sent Dokuchaev via email screenshots of some of his successfully hacked email accounts. Once BARATOV provided proof of the hacked account, he demanded payment before passing on the login credentials to Dokuchaev.

9. Payment was to be made via BARATOV's various WebMoney accounts or a PayPal account, karim@taloverov.com. This PayPal account, based on PayPal records, is registered to Karim Baratov, date of birth January 22, 1995. The addresses linked to the PayPal account include 56 Chambers Drive, Ancaster, Ontario, Canada and 47 Moorland Crescent, Ancaster, Ontario, Canada.

10. The PayPal account was registered on February 25, 2013 from an internet protocol address that, according to records provided by the internet service provider, was registered using BARATOV's home address of 47 Moorland Crescent, Ancaster, Ontario.

11. According to PayPal, the PayPal account is linked to active Royal Bank of Canada checking and visa credit card accounts in the name of "Karim Baratov." PayPal records confirm that Dokuchaev paid BARATOV for the above-described account accesses beginning in November 2015. Although the amounts paid by Dokuchaev to BARATOV are much lower, PayPal records indicate that, between the account's creation in February 2013 and October 22, 2016, BARATOV earned $211,996.42 in that PayPal account.

ii. Urgency/Prevention of Escape/Flight Risk

12. According to the Request, BARATOV is a danger to the community because he has a demonstrated history of hacking into numerous victims' email accounts and his hacker-for-hire activities continue to the present time. The Request includes the following:

• BARATOV has allegedly been engaged in criminal conduct, in addition to the foregoing allegations, for a number of years. Current websites advertise BARATOV's hacking services. Some of these sites have been used by BARATOV in connection with hacking activities since at least 2012;

• BARATOV has hacked thousands of additional accounts beyond those that he is confirmed to have successfully hacked as part of the conduct described above. His PayPal activity shows many more deposits than those attributable to his co-conspirators in this case and, as indicated above, just one of his multiple online payment accounts received more than $211,000 from 2013 until 2016;

• BARATOV also shared images of other people's passport photos, suggesting that BARATOV may be trafficking in personally identifiable information harvested from his hack of the victims' email accounts;

• Much of his hacking infrastructure, such as web-based accounts and remotely-accessible computing services, can be accessed from any computer in the world. This accessibility would enable him to continue with his crimes and quickly destroy evidence while on the run; and

• BARATOV to date has not revealed any legitimate employment.

13. American authorities believe that BARATOV has assets to fund flight, like the $211,500 received in his PayPal account, that would be available to him worldwide through accounts he possesses at WebMoney, an online payment service. A review of his publicly-available social media accounts indicates that BARATOV maintains a lavish lifestyle, including luxury vehicles. I have confirmed through Ontario Ministry of Transportation records that a 2009 Aston Martin and a 2013 Mercedes are registered to BARATOV.

14. BARATOV is a citizen of Canada, and a citizen of Kazakhstan.

15. According to the Request, BARATOV has ties to foreign government officials who may offer sanctuary should he decide to flee extradition. In 2013, Belan, BARATOV's co-conspirator in this case, was arrested in Greece on a U.S. provisional arrest request related to computer hacking activities separate from the present matter. While extradition proceedings were pending, Belan was granted bail by the Greek court and then fled to Russia. The American authorities allege that Belan benefited from the protection afforded by Russian government officials, and from U.S. law enforcement's inability to reach him in Russia, and continues to engage in profitable computer hacking activities in Russia.

iii. Co-ordinated arrest and search / request for a Sealing order

16. On March 9, 2017, I spoke with Sgt. Alexandre Beaullou from the RCMP, Cyber Crimes Unit. He is the case agent for the Canadian investigation into BARATOV.
It is anticipated that a search warrant will be executed on BARATOV's residence at 56 Chambers Dr. in Ancaster on March 14, 2017. Sgt. Beaullou advised that the RCMP has BARATOV under surveillance and that he has been seen residing at 56 Chambers Dr. BARATOV was observed at this residence on March 8 and 9, 2017.

17. In order to reduce the risk of BARATOV's flight, American authorities have requested that we coordinate BARATOV's arrest to coincide with the execution of the search warrant on March 14. I believe that it is necessary to coordinate because of the aforementioned reasons.

18. I have been advised by counsel in the International Assistance Group, within the Department of Justice, that the American Indictment and warrant are currently sealed. They will be unsealed upon BARATOV's arrest. To ensure the confidentiality of this information until that time, I understand that a sealing order is being requested for this application for a provisional arrest warrant.

b. BARATOV is in Ontario

19. As noted above, RCMP surveillance confirms that BARATOV is living at 56 Chambers Dr., Ancaster, Ontario.

20. I have reviewed the pictures of BARATOV included in the provisional arrest request at Exhibit "B", and compared it to the pictures I received from the Ministry of Transportation Ontario (attached as Exhibit "C"), and confirmed that it is the same person.

c. A Warrant for BARATOV's arrest has been issued.

21. Included in the request at Exhibit "B" is a copy of the U.S. arrest warrant issued by the United States District Court for the Northern District of California on February 28, 2017.

Toronto, Ontario

TAB A

Form - Section 12 - Authority to apply for a provisional arrest warrant

TO: The Attorney General of Canada

In the matter of an extradition request pursuant to the provisions of the Extradition Act, S.C.
1999, c. 18

SUPERIOR COURT OF JUSTICE

BETWEEN:

THE ATTORNEY GENERAL OF CANADA (on behalf of the United States of America)

- and -

KARIM BARATOV, ALSO KNOWN AS "KAY," "KARIM TALOVEROV," AND "KARIM AKEHMET TOKBERGENOV"

AUTHORIZATION TO APPLY FOR A PROVISIONAL ARREST WARRANT (Section 12 Extradition Act)

The United States of America has requested that Canada seek the provisional arrest of Karim Baratov, also known as "Kay," "Karim Taloverov," and "Karim Akehmet Tokbergenov". The Attorney General of Canada is authorized to apply for a provisional arrest warrant.

TAB

REQUEST FOR PROVISIONAL ARREST TO CANADA

IDENTIFICATION OF FUGITIVE:

Name (include A/K/As): Karim Baratov, also known as "Kay," "Karim Taloverov," and "Karim Akehmet Tokbergenov"
Country(ies) of Citizenship: Kazakhstan and Canada
Date(s) of Birth: January 22, 1995
Place of Birth: Kazakhstan
Proof of Citizenship attached (if U.S. citizen): ___ (e.g., passport, naturalization or birth cert.)
Race: W. Sex: male X female ___
Height: ___ Weight: ___ Hair Color: Black Eye Color: Brown
Scars/Other Characteristics: ___
Photograph Attached: X Fingerprints Attached: ___
Driver's License No. ___ State issued ___
Social Security No. ___
Passport No. ___ Date & Place Issued: ___
Nat'l ID Card No. ___ Date & Place Issued: ___
Specific Address/Exact Location in Canada: 56 Chambers Drive, Ancaster, Ontario, Canada
If in custody in Canada, Charges & Anticipated Date of Release: ___

Canadian law enforcement contact in Canada (NOT U.S. contact in Canada) with knowledge of facts, fugitive's location:
Name & Title: “effcy Veilleux
Agency: Royal Canadian Mounted Police / Gendarmerie royale du Canada, Technological Crime Unit / Groupe de la criminalité technologique, Cybercrime Investigative Team / Équipe d'enquête sur les cybercrimes
Telephone: ___

Law enforcement contact in U.S.
with knowledge of facts, fugitive's location:
Name & Title: Special Agent Jeff Grabam
Agency: Federal Bureau of Investigation
Telephone: ___

U.S. CHARGING OR COMMITMENT DOCUMENT (attach copy)

Check One: X Indictment ___ Superseding Indictment ___ Complaint ___ Judgment/conviction order ___ Other (DESCRIBE)
Number: Case Number CR 17-103
Date Filed: February 28, 2017
Name and Location of Court: United States District Court, Northern District of California, 450 Golden Gate Avenue, San Francisco CA
Offenses for which extradition is requested are punishable by at least one year in prison: YES X NO ___
Does statute of limitations preclude prosecution or incarceration? YES ___ NO X

U.S. ARREST WARRANT (attach copy)

Fugitive is wanted to (check one): X Stand Trial ___ Be Sentenced ___ Serve a Sentence ___ Serve Remaining Sentence (indicate how much left to serve)
Number: Case Number CR 17-103
Date Filed: February 28, 2017
Filed By: The Honorable Laurel Beeler, United States Magistrate Judge
Name and Location of Court: United States District Court

The United States commits that a request for extradition will be submitted to Canada within 60 days after the provisional arrest.

Requesting Authority: Federal District: Northern District of California or State/County: ___

Prosecutor Authorization: Provide the name of the prosecutor authorizing this PA request:
Name: Jchn fem
Title: Assistant United States Attorney
Address: 450 Golden Gate Avenue, San Francisco CA
Phone: ___ Fax: ___ Email: ___

FACTS AND URGENCY

Summary:

Between 2014 and December 2016, Karim BARATOV, acting as a hacker-for-hire, conspired with others, including Dmitry Dokuchaev and Igor Sushchin, both current officers of the Russian Federal Security Service ("FSB"), to gain unauthorized access to computers used by Yahoo and the email accounts of individuals with Yahoo, Inc. ("Yahoo"), Google, Inc. ("Google") and other webmail accounts.
With such access, conspirators stole confidential email account information from the account users and, in relation to the intrusion activities on Yahoo's network, proprietary Yahoo trade secrets. BARATOV's role in the conspiracy was to obtain illicit access to non-Yahoo webmail accounts of interest to the co-conspirators, primarily through "spear phishing" messages [1], in exchange for money. As part of the conspiracy, BARATOV exchanged e-mails with his co-conspirators about which email accounts to target. Furthermore, BARATOV e-mailed Dokuchaev with proof that he had hacked the target accounts and requested payment for the webmail account access credentials (i.e., the usernames and passwords) that he had acquired. Upon receiving payment, he would provide such credentials to Dokuchaev. Given the serious nature of his conduct, the public impact of his hacking-for-hire conduct, his substantial earnings as a result of the unlawful hacking, and his ties to foreign intelligence officers with nation state resources at their disposal, he should be arrested on an urgent basis and detained.

BARATOV's co-defendants, along with Dokuchaev and Sushchin, include Alexsey Belan, who has been the subject of an Interpol "Red Notice" and listed as one of the Federal Bureau of Investigation's "Most Wanted" hackers since 2012. Belan is also wanted for prosecution by the State of Nevada and was arrested in 2013 in a European country on a U.S. provisional arrest warrant. He was released on bail and fled the country. Belan resides in Russia, within FSB's jurisdiction to arrest and prosecute. Rather than arrest him, however, the FSB officers used him and it was Belan who provided Dokuchaev and Sushchin with the unauthorized access to Yahoo's network.

Historical Background:

The 2014 Yahoo Hack:

In 2014, based on their malicious intrusion, the conspirators stole non-content information regarding more than 500 million Yahoo user accounts and accessed the contents of another approximately 32 million accounts.
Yahoo's internal investigation revealed that a copy of at least a portion of the Yahoo User Database ("UDB") had been stolen from Yahoo's network. [2] According to Yahoo, the non-content account information included names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some instances, encrypted or unencrypted security questions and answers. Dokuchaev, using the email address p*******4og@yaloa com, was identified as involved in the Yahoo hack.

[1] "Spear phishing" messages are designed to trick unwitting recipients into providing access to their computers and accounts. In this case, the spear phishing messages typically were designed to resemble emails from trustworthy senders, and encouraged the recipient to open attached files or click on hyperlinks in the messages. BARATOV sent spear phishing emails that tricked recipients into providing valid login credentials to their accounts, thereby allowing the conspirators to bypass normal authentication procedures.

[2] The UDB was, and contained, proprietary and confidential Yahoo technology and information, including, among

Aftermath of the 2014 Yahoo Hack:

Email records, obtained in the United States, show that starting in late 2014, Dokuchaev (using the email address p**™+***a¢ yahoo.com) communicated with BARATOV (using email accounts m******rk@eml.ce; c***@eml.cc; kay@taloverov.com and ‘mailpass*®***@bigmiinet and signing the emails "Kay"). In the email communications Dokuchaev tasked BARATOV with obtaining log-in credentials for approximately 80 email, webmail accounts, some of which the conspirators identified as belonging to their targets as a result of the Yahoo intrusion.

As further described below, PayPal records for karim@taloverov.com, the account to which BARATOV told Dokuchaev to send payment for hacks, state that the account is registered to Karim Baratov, date of birth January 22, 1995. The addresses linked to the PayPal account include 56 Chambers Drive, Ancaster, Ontario, Canada and 47 Moorland Crescent, Ancaster, Ontario, Canada.
The PayPal account was registered on February 25, 2013, from internet protocol ("IP") address 2*.°¢4**.211. According to records provided by the internet service provider that hosted IP address 2*.***.**.211, and provided to the United States pursuant to a mutual legal assistance request, in August 2012, that IP address was registered using BARATOV's home address of 47 Moorland Crescent, Ancaster, Ontario, one of the same addresses used for registration of the PayPal account. Email addresses listed for the PayPal account include: karim@taloverov.com, m*@karim.ts, ky@end.cc, and w2****m(@bigmir.net. The contact telephone number for the account is 905-518-2046.

According to PayPal, the PayPal account is linked to active Royal Bank of Canada checking and visa credit card accounts in the name of "Karim Baratov." PayPal records confirm that Dokuchaev paid BARATOV for the above-described account accesses beginning in November 2015. Although the amounts paid by Dokuchaev to BARATOV are much lower, PayPal records indicate that, between the account's creation on February 25, 2013, and October 22, 2016, BARATOV earned $211,996.42 in that PayPal account.

BARATOV's Action:

Google records show that BARATOV, once tasked by Dokuchaev, would attempt to gain unauthorized access to Google and other webmail provider accounts by "spear phishing."
other data, subscriber information, such as account users' names; recovery email accounts and phone numbers, which users provide to webmail providers, such as Yahoo, as alternative means of communication with the provider; password challenge questions and answers; and certain security information associated with the account. Some of the information in the UDB was stored in an encrypted form.

BARATOV's intended victims included Russian government officials, such as senior political leaders and their counselors, a law enforcement official, and a sporting official; prominent corporate and university officials in and around Russia, such as a prominent Kazakh banker and the owner of a natural resource holding company; and Russian cyber security company officers. When successful, BARATOV would then provide those illicitly obtained passwords to Dokuchaev. Dokuchaev then paid BARATOV for providing the information, thereby enabling the co-conspirators unauthorized access to the requested email accounts.

Specifically, in October 2014, November 2015, and March 2016, Dokuchaev sent BARATOV, at one of the above four email addresses (m***** *rh@eml.ce; c¥**@eml cc; kay@taloverov.com and mailpass*****@bigmir.ne), requests for unauthorized access to a number of identified email accounts. Between December 2014 and March 2016, BARATOV, using one of the above four email addresses, sent Dokuchaev screenshots of some of his successfully hacked email accounts. BARATOV then sent Dokuchaev passwords for the requested accounts. Further, in the email communications, BARATOV told Dokuchaev that he could be paid via his various WebMoney accounts and the PayPal account karim@taloverov.com, which, as described above, is registered to BARATOV.

Urgency:

BARATOV is a danger to the community because, as further described below, he has a demonstrated history of hacking into numerous victims' email accounts, and his hacker-for-hire activities continue to the present time.
Much of his hacking infrastructure (such as web-based accounts and remotely-accessible computing services) can be accessed from any computer in the world. That accessibility would enable him to continue with his crimes and quickly destroy evidence while on the run.

BARATOV is an extremely high flight risk because he has substantial liquid assets, many of which are accessible internationally. For example, as mentioned above, BARATOV's PayPal account received more than $211,000 from 2013 until 2016. In addition to PayPal, BARATOV possesses accounts at WebMoney, an online payment service. The main address for WebMoney is in Russia but it also maintains an administrative office in London, United Kingdom. WebMoney maintains funding and withdrawal points in 90 countries. These various accounts throughout the world enable BARATOV to maintain a lavish lifestyle that previously included a Lamborghini sportscar and currently includes an Aston Martin and a Mercedes. This information about his lifestyle was established by review of his publicly available social media accounts and confirmed by Canadian law enforcement. BARATOV, although believed to be a citizen of Canada, is also a citizen of Kazakhstan. BARATOV also has ties to foreign government officials who, as discussed below, have demonstrated their willingness to offer sanctuary to at least one of BARATOV's co-conspirators after he fled a Western nation where he was a subject of extradition proceedings.

BARATOV has been engaged in criminal conduct, even outside the conduct described above, for a number of years. The fruits of that activity are vast, including financial assets and victims' personal information. PayPal records indicate that BARATOV has hacked thousands of additional accounts beyond those that he is confirmed to have successfully hacked as part of the conduct described above.
For example, his PayPal activity shows many more deposits than those attributable to his co-conspirators in this case and, as indicated above, received more than $211,000 from 2013 until 2016, in just one of his multiple online payment accounts. The charges against BARATOV only embrace 18 hacked email accounts; however, BARATOV's PayPal account records show that he earned $38,941.12 from March 2016 through October 2016. The deposit amounts for all of the PayPal records appear consistent with what he charged for hacking into each account to which he provided his "clients" with access. Records from the accounts he used for spear phishing campaigns against Gmail accounts show tens of thousands of spear phishing emails beyond those described above. Review of these spear phishing accounts reveals that BARATOV also shared images of other people's (likely victims') passport photos, which triggers the FBI's concern that BARATOV may be trafficking in personally identifiable information harvested from his hack of the victims' email accounts in addition to his straightforward hacker-for-hire fees.

Further, based on FBI's review of his publicly available website, he continues to maintain websites that advertise criminal hacking services. As of the date of this request, the following websites are still currently advertising BARATOV's hacking services: ht: ww.xs?***L com; httpliwet***p.net, and htp:iv***m.ce. Two of these websites, 23°" com and v?**m.ce, have been used by BARATOV in connection with hacking activities since at least 2012.

Additionally, there exists historical and related precedent for a genuine concern that the nature of BARATOV's relationship with Russian intelligence officials will lead to his flight. In 2013, BARATOV's co-conspirator in this case, Alexsey Belan, was arrested in Greece on a United States provisional arrest request related to computer hacking activities in the United States (not the present matter).
While extradition proceedings were pending, Belan was granted bail by the Greek court and then promptly fled to Russia. Belan benefited from the protection afforded by Russian government officials, and from U.S. law enforcement's inability to reach him in Russia. Specifically, Belan has been able to continue his crimes, namely, providing hacking services to the Russian government and victimizing hundreds of millions of innocent third parties for, in some instances, private financial gain. Given this precedent and the significant financial and intelligence resources of BARATOV's known and unknown Russian government conspirators, the threat of BARATOV fleeing or otherwise becoming unavailable for extradition to the United States is real.

Even assuming that BARATOV does not receive assistance from his known and unknown Russian government conspirators, he possesses the skills and financial resources to flee justice. Additionally, the investigation to date has not revealed any legitimate employment for BARATOV. According to Canadian law enforcement, there is no business registered under the name Elite Space Corporation. BARATOV's self-employment as a hacker-for-hire is not geographically limited to Canada. He could continue to conduct and receive payment for such activities from anywhere in the world. Indeed, Google's records and BARATOV's own social media accounts state that he has conducted his hacking business throughout the world, not just in Canada. For example, in July 2015, BARATOV travelled to Jamaica, which was confirmed by his publicly viewable social media accounts and also the use of Jamaican IP addresses to access BARATOV's operational spear phishing email accounts and victim email accounts.

BARATOV's skills are especially concerning. Given the vast scope of his hacking, BARATOV has access to the contents of an enormous number of email accounts, not just his own.
Accordingly, given his international ties, the international locus of his assets and the portability of his business, BARATOV presents a significant flight risk.

UNITED STATES DISTRICT COURT
Northern District of California

SEALED BY COURT ORDER

United States of America v. ALEXSEY BELAN, KARIM BARATOV

ARREST WARRANT

To: Any authorized law enforcement officer

YOU ARE COMMANDED to arrest and bring before a United States magistrate judge without unnecessary delay (name of person to be arrested) Karim Baratov, who is accused of an offense or violation based on the following document filed with the court: Indictment, Superseding Indictment, Information, Superseding Information, Complaint, Probation Violation Petition, Supervised Release Violation Petition, Violation Notice, Order of the Court.

This offense is briefly described as follows: 19US6.§ soo 18US-c. § 181015) 18 US..§t82{04H; BUS. § 83%(eK): ISLS. § taste 18 US. 146: 1eUlsc. §10s0a)240) 18USC§bI|SYAr BUC. § 1029 IZ} USS prose 13US.0.9 Joie: BULS.C tote: 12US..§§ eazaleya) A TORO) and); 18 US. gf (8h a 2325 $BUS.C.§ gntiaytYc}, S82(He}e) and 129[eKiNe) ana 8 Uc 5 24813)

Date: 02/28/2017
City and state: San Francisco, CA
Hon. Laurel Beeler, U.S. Magistrate Judge

Return: This warrant was received on (date) ___, and the person was arrested on (date) ___ at (city and state) ___.

Photograph of Karim Baratov taken from his Facebook page

TAB 3

Court File No. EX ___/17

SUPERIOR COURT OF JUSTICE (TORONTO REGION)

The Honourable Justice ___ ) ___, the ___ day of ___, 2017

BETWEEN:

THE ATTORNEY GENERAL OF CANADA ON BEHALF OF THE UNITED STATES OF AMERICA
Applicant

- and -

KARIM BARATOV a.k.a. KAY a.k.a.
KARIM TALOVEROV a.k.a. KARIM AKEHMET TOKBERGENOV
Person Sought

SEALING ORDER

UPON THE EX PARTE APPLICATION made on the 10th day of March, 2017 by Counsel for the Attorney General of Canada for an order sealing the application for a provisional arrest warrant, with a Court file number to be issued by the Registrar, and all of its contents and prohibiting access to and disclosure of any information relating to the application;

AND UPON BEING SATISFIED that it is desirable to seal the application for a provisional arrest warrant;

THIS COURT ORDERS THAT the application for a provisional arrest warrant, with a Court file number to be issued by the Registrar, be placed in a packet and sealed by the Registrar of this Court and that packet shall be kept in the custody of this Court at 45 Main Street East, Hamilton, Ontario in a secure place to which the public has no access and shall not be disclosed or otherwise dealt with subject to any subsequent order of a Judge of the Superior Court of Justice.

THIS COURT FURTHER ORDERS THAT a copy of this Order be affixed to the front of the sealed packet.

THIS COURT FURTHER ORDERS THAT the application for a provisional arrest warrant shall be unsealed upon KARIM BARATOV a.k.a. KAY a.k.a. KARIM TALOVEROV a.k.a. KARIM AKEHMET TOKBERGENOV's arrest under the Extradition Act.

DATED at the City of Toronto, Province of Ontario this day of March, 2017.

JUDGE OF THE SUPERIOR COURT OF JUSTICE

Court File No.

SUPERIOR COURT OF JUSTICE (Toronto Region)

BETWEEN:

THE ATTORNEY GENERAL OF CANADA ON BEHALF OF THE UNITED STATES OF AMERICA
Applicant / Requesting State

- and -

KARIM BARATOV a.k.a. KAY a.k.a. KARIM TALOVEROV a.k.a. KARIM AKEHMET TOKBERGENOV
Respondent / Person Sought
