In a sophisticated cybercrime operation targeting high-demand events, two individuals were arrested this week for allegedly orchestrating a $600,000 ticket theft scheme involving Taylor Swift’s Eras Tour and other major concerts.
Queens District Attorney Melinda Katz revealed that Tyrone Rose, 34, and Shamara P. Simmons, 29, exploited security flaws in an offshore third-party ticket vendor’s systems to intercept and resell over 900 digital tickets through StubHub.
The operation, which ran for nearly a year, leveraged URL session hijacking and automated credential stuffing scripts to bypass vendor protections, marking one of the most technically complex ticket fraud cases in recent memory.
As stated by Deadline, the hackers allegedly targeted a Jamaica-based contractor responsible for managing ticket transfers for StubHub.
Technical Exploitation of Vendor Systems
Forensic analysts identified that the defendants used Python-based scraping tools to exploit insecure API endpoints within the vendor’s platform.
One script utilized the requests library to systematically harvest valid ticket URLs.
The script allegedly extracted direct ticket URLs by impersonating authorized users through compromised OAuth tokens.
The stolen links were then transmitted to co-conspirators in Queens, who used Selenium automation to mass-download PDF tickets and list them on StubHub under fraudulent accounts. Security experts noted the operation combined social engineering and infrastructure vulnerabilities.
The offshore vendor’s lack of IP rate-limiting and multi-factor authentication (MFA) allowed the hackers to brute-force employee credentials.
Once inside, they deployed SQL injection payloads to extract customer transaction records. This data enabled targeted attacks on high-value tickets, with resale prices averaging 300% above face value for Eras Tour seats.
The DA’s cybercrime unit traced $612,000 in illicit profits through cryptocurrency wallets linked to Rose’s Coinbase account.
Rose and Simmons face 15 felony counts, including first-degree computer trespass (NY Penal Law § 156.10) and grand larceny via unauthorized access (§ 155.30).
Prosecutors emphasized the defendants’ use of offshore proxy servers and encrypted Telegram channels to obscure their activities. StubHub has since mandated JWT token validation and reCAPTCHA v3 implementation for third-party integrations.
The Queens DA’s Economic Crimes Bureau is collaborating with INTERPOL to identify additional conspirators in Jamaica. Of the 917 stolen tickets, 68% were tied to Eras Tour dates at MetLife Stadium and SoFi Arena.
Affected fans may file claims under New York’s Cybercrime Victim Restoration Act, though legal experts warn reimbursement could take 18–24 months.
As Swift’s tour continues until 2025, industry leaders encourage fans to buy using verified platforms that use DMARC-certified email validation and blockchain-based NFT tickets.
This case highlights the rising conflict between cyber criminals and live-event cybersecurity professionals in the post-pandemic concert industry.
Collect Threat Intelligence on the Latest Malware and Phishing Attacks with ANY.RUN TI Lookup -> Try for free