A Russian holidaying in Spain and 20 other people in the UK, Canada and the US have been arrested on charges of stealing and reselling e-tickets from eBay-owned StubHub, and laundering the profits.
Vadim Polyakov was detained while on holiday in Spain. He is alleged to be the ringleader of the gang, which used compromised StubHub accounts to buy large volumes of downloadable e-tickets that were then sold on by a network of resellers.
Unusually, his extradition is being handled by authorities in New York, rather than the US government. US states have a poor reputation for successful extraditions.
The thefts from StubHub were uncovered following the detection of payment-related fraud issues and the inappropriate access of more than 1,000 customer accounts.
It is unclear how the gang gained access to the accounts. Eric Chiu, CEO of HyTrust, suggested that login credentials had originally been stolen via phishing attacks: "Attackers are going after administrator and employee credentials using social engineering and phishing attacks.
"These credentials are the new 'skeleton key' and are being sold and passed around in underground crime rings, creating even greater risk to organisations because they can amplify the potential threat and damage that can be done by enabling attackers with access to escalate attacks from within. That's what's essentially been done here. And every person, business and government is at risk."
Adam Kujawa, head of malware intelligence at Malwarebytes Labs, the research arm of Malwarebytes, added: "If a criminal organisation were only interested in users who utilised StubHub, then they could have tailored their attacks to match something a StubHub user might encounter.
"For example, sending out phishing emails pretending to be StubHub or even setting up fake websites to lure in StubHub users then infect them with drive-by exploits and install password stealing-malware."
However, it does not appear that the StubHub breaches are related to a recent attack on StubHub owner eBay.