An international hacking syndicate is allegedly responsible for stealing millions of customer records in cyber attacks on Pizza Hut, an Indonesian e-commerce site and now, Ticketmaster.
Only one member has ever been prosecuted over the group’s activities.
Sebastien Raoult was a French citizen living in Morocco when he caught the attention of authorities for his involvement with the ShinyHunters hacking group in 2022.
During the course of four years, ShinyHunters stole 200 million customer records from more than a dozen companies when authorities caught up with Raoult.
He was extradited to the US for his involvement with the group, and was ordered to pay $7.5 million in restitution.
ShinyHunters persist
ShinyHunters latest claimed hit in May was on Ticketmaster, and reportedly included names, addresses, credit card numbers (the last four digits and expiry date), phone numbers and payment details.
About two million Australians were potentially impacted, and ShinyHunters threatened to sell the information online for $750,000.
An investigation from Google-owned security firm Mandiant detailed how the attack likely played out.
Loading…
Mandiant said they were first notified through ‘threat intelligence’ that a customer’s credentials had been compromised through the cloud storage facility Snowflake.
“During this investigation, Mandiant determined that the organisation’s Snowflae instance had been compromised by a threat actor using credentials previously stolen via infostealer malware,” the company said.
“The threat actor used these stolen credentials to access the customer’s Snowflake instance and ultimately exfiltrate valuable data.”
Snowflake stores and analyses customer databases and information for businesses around the world — including Ticketmaster.
A month later, only one arrest
ShinyHunters group announced the arrest of one of its administrators shortly after one of its forums were seized by the federal bureau, following an investigation into the hack.
“We regret to inform you that administrator Baphomet (our ‘space cowboy’), has been arrested, leading to the seizure of pretty much all of our infrastructure by the FBI,” the group posted.
“At this point, the future of our forum remains uncertain. No members of ShinyHunters have been arrested. We are currently waiting for further confirmations from our staff, and we will keep you updated with any new announcements in this channel.”
However, the FBI said it could not comment about any potential arrest and declined to say whether anyone had been taken into custody in relation to the hack.
Will anyone be arrested over the Ticketmaster hack?
Australia has recently had some wins on the cybersecurity front in the last two years, making several arrests as part of Operation Nebulae and Operation Hurricane between the AFP and state police forces.
Nebulae resulted in the arrest of five people in Australia in April, and 32 overseas, after an investigation into the platform LabHost, where criminals would trick victims into providing their online banking logins, credit card details and passwords through persistent phishing attacks.
Hurricane was the result of an investigation into a 2022 hack on Optus, where the data of 9.8 million former and current customers were stolen.
Both operations required significant work and collaboration between interstate and international policing agencies, and Dr Nigel Phair from Monash University said these kinds of prosecutions were often few and far between.
He said chances of an arrest over the Ticketmaster hack was “virtually nil”.
“Australian police have arrested and charged a very small proportion of cyber criminals, this is disappointing as there are so few cyber investigations which take place,” he said.
“In reality, all Australia can do is to disrupt the activities of cyber criminals in an effort to drive cyber criminals to commit their exploits against other jurisdictions.”
Dr James Martin from Deakin University agreed.
“I wouldn’t put any money on it,” he said.
“Police are really doing everything they can, but when they’re faced with jurisdictional problems, there’s not much they can do.
“It’s possible, but it would be a very, very outside chance.”
Dr Martin said cybercriminals were often in countries that had fractured relationships with the West, and if they were responsible for an attack it could be difficult getting international cooperation to prosecute them.
He said governments often did use the tools they had at their disposal, but for hackers in countries such as Russia or China, it was difficult to get an arrest.
“I think there really is a crisis going on here,” Dr Martin said.
“We hear about Medibank and Ticketmaster and these really big data breaches, but they are actually the minority.
“When you look at the fastest growing crime and the crimes that inflict the most economic damage in Australia, it’s cyber crime and all the trends are going the wrong way.
“It’s not just Australia that’s impacted … we don’t really have a good response to it because none of our traditional justice systems, arrests or prosecutions – we don’t get any deterrent value out of any of that stuff.
“If you’re in Moscow, you couldn’t care less about what the AFP are doing.”
Dr Phair, who is an analyst in technology and crime, said Australian authorities could do a lot more to address rising rates of cybercrime.
“Firstly we need organisations to undertake a competent risk management exercise with respect to the data they hold, we need individuals to better protect their personal information, and we need our law enforcement agencies to commit much more resources to investigating cyber crimes,” he said.
The federal government is yet to hand down its report into the capability of law enforcement to respond to cybercrime, but it has so far received 38 submissions.
Ticketmaster has been contacted for comment.