NYC officials say that a Russian-led international crime ring is behind the breach into the popular ticketing website's operations
Some of the hottest tickets in town -- to Broadway hits, Jay-Z and Justin Timberlake concerts -- went to an international ring of cyber thieves who took over more than 1,000 StubHub users' accounts to fraudulently buy tickets and resell them.
Ten people around the world have been indicted or arrested in connection with the case, which involved more than 3,500 tickets and at least $1.6 million in unauthorized purchases of sought-after seats, Manhattan District Attorney Cyrus R. Vance Jr. said.
The scheme spooled from Russia to London to Toronto to the New York area and to Barcelona, Spain, where accused Russian ringleader Vadim Polyakov was arrested while vacationing earlier this month.
Polyakov, 30, was awaiting extradition, and it wasn't immediately clear whether he had a lawyer. Three other men indicted in the case hadn't yet been arrested; two are in Russia. Meanwhile, authorities have arrested three suspected money-launderers in London and one in Toronto on local charges there.
The case comes amid growing concern about data thieves targeting consumer giants. StubHub said it was alerted to "a small number of accounts that had been illegally taken over by fraudsters" last year.
While prosecutors said they weren't certain how the alleged thieves got access, San Francisco-based StubHub said they got account holders' login and password information from key-loggers or other malware on the customers' computers or from data breaches at other businesses. StubHub, owned by eBay Inc., said there had been "no intrusions into StubHub technical or financial systems."
In the last few years, such major companies as Target, LinkedIn, eBay and Neiman Marcus have been hacked. Since many customers use the same email and password on multiple websites, thieves can use a combination from one site that works in many others, data security experts say.
It's like re-using "the same key for every lock in your life -- especially if you're giving that key out to everyone you meet," says Joe Siegrist, the CEO of LastPass, which makes password-management software.
In the StubHub case, members of the ring re-sold the tickets and routed the money to others who laundered it, and the group split the profits, Vance said.
Daniel Petryszyn, 28, and Bryan Caputo, 29, pleaded not guilty Wednesday to money laundering and stolen property possession charges. Petryszyn "has every intention of challenging these charges," said his lawyer, Liam Malanaphy.
Caputo simply re-sold some tickets, said his lawyer, Reginald Sharpe. "If they were stolen, he didn't know that they were," Sharpe said.