Six people were indicted yesterday for allegedly hacking online ticket marketplace StubHub. Prosecutors say the defendants used stolen credit card information to defraud the site of about $1.6 million, as part of a ring that included a Russian national, two men from New York and New Jersey, three individuals in the United Kingdom, and one in Canada.
Manhattan District Attorney Cyrus Vance, Jr. announced the indictment yesterday, noting the defendants faced a litany of charges including money laundering, grand larceny, criminal possession of stolen property and identity theft. StubHub announced earlier this week that over 1,000 customer accounts had been hacked in March 2013. The company claimed the perpetrators were able to obtain password information from data breaches at other websites, then using stored credit card information to purchase thousands of tickets—including tickets to Justin Timberlake and Jay-Z concerts, and Knicks and Jets games— that they then resold at marked-up prices.
Investigators were eventually able to track down the ring through IP addresses, PayPal accounts and bank accounts. Earlier this month, Russian national and suspect Vadim Polyakov, 30, was arrested while vacationing in Spain; suspects Daniel Petryszyn, 28, Laurence Brinkmeyer, 29, and Bryan Caputo, 29, were arrested at their homes in New York and New Jersey, one suspect was arrested in Toronto and three more were arrested in London.
The StubHub breach is just one of many recent data breaches, including a nationwide breach affecting retailers like Target and Neiman Marcus, and the massive Heartbleed Bug allowing attackers to steal information directly from services and users. "Regardless of where the case originates, nearly every cybercrime case begins with similar breaches: a stolen password, unauthorized use of a credit card, or unaccountable charges on a personal statement, for example," Vance said yesterday.