Arrests made after international cyber-ring targets StubHub

Six people have been indicted on charges of running an international ring that resold tickets bought through compromised StubHub accounts for some of New York’s biggest concerts and sporting events.

Four others were arrested in connection with the case, but authorities have not said if they have been charged. The six who were indicted, three of whom have also been arrested, face charges of money laundering, grand larceny and criminal possession of stolen property, said the Manhattan District Attorney’s Office, which announced the indictments Tuesday, hours after search warrants were executed at suspects’ homes. Suspects were arrested or indicted in the U.S., Canada and Europe.

[Online stolen credit card ring busted]

StubHub discovered in March 2013 that around 1,000 accounts had been compromised by individuals who used credit card information stored in the accounts to purchase electronic tickets for major events, according to authorities who were involved in the arrests. Within hours of those purchases, the tickets were distributed to a group of people in New York state and New Jersey and resold.

When it discovered the problem StubHub attempted to prevent the intrusions, but the attackers were able to circumvent those new security measures by using credit card information stolen from additional victims, according to authorities.

In all, roughly 1,600 accounts were illegally accessed and more than 3,500 tickets were purchased to events including concerts by Elton John, Marc Anthony, Justin Timberlake and Jay-Z; sporting events of the New York Yankees, Giants, Jets, Knicks, (Brooklyn) Nets and Rangers; the U.S. Open golf tournament; and Broadway shows.

StubHub confirmed the incident and said the accounts were not compromised as a result of an attack on its systems.

“Legitimate customer accounts were accessed by cyber criminals who had obtained the customers’ valid login and password either through data breaches of other businesses, or through the use of key-loggers and/or other malware on the customers’ PC,” it said in a statement.

The accused head of the ring, Russian national Vadim Polyakov, was arrested by police in Spain while he was on vacation and faces extradition to the U.S. Polyakov and a second person, Nikolay Matveychuk, are accused of accessing the StubHub accounts.

[Raising awareness quickly: The eBay data breach]

Three additional people are accused of selling the tickets and a sixth man was indicted on money laundering charges. City of London Police in the U.K. arrested three additional people and there was an arrest in Canada too, but the Manhattan DA’s office did not say that those individuals have been charged.

StubHub was acquired by eBay in 2007.

Martyn Williams covers mobile telecoms, Silicon Valley and general technology breaking news for The IDG News Service. Follow Martyn on Twitter at @martyn_williams. Martyn’s e-mail address is martyn_williams@idg.com