A Russian ringleader of a group that fraudulently bought some of the hottest tickets in music, sports and theater by sneaking into StubHub users’ accounts pleaded guilty Monday in a scheme involving over $1 million worth of tickets. Vadim Polyakov is expected to get a 4-to-12-year prison term after his plea to money laundering and possessing stolen property. He admitted coordinating an international operation that took over StubHub accounts, used the unsuspecting account-holders’ credit card information to buy sought-after seats and resold them to pocket the money.
His “global network of hackers, identity thieves and money launderers” trafficked in tickets to Broadway shows, concerts by such artists as Justin Timberlake and Jay-Z and seats behind the Yankee Stadium dugout, Manhattan District Attorney Cyrus R. Vance Jr. said in unveiling the case in 2014. Prosecutors said the scheme involved more than 1,000 StubHub accounts and 3,500 tickets worth at least $1.6 million, including some tickets that went for nearly $1,000 apiece.
Polyakov’s lawyer didn’t immediately return a call. Nor did San Francisco-based StubHub, owned by eBay Inc. StubHub has said it was alerted to the problem by customers, contacted authorities and gave refunds to the affected account-holders.
Nine other people around the world also were indicted in the case, though some have yet to be arrested. Others have pleaded not guilty. Polyakov, 32, was arrested while vacationing in Spain in 2014. He was extradited to the U.S. last year over the Russian government’s objections. “Many foreign cybercriminals believe they can operate overseas with total impunity, but this case proves they can be held criminally responsible for their actions, which can have devastating consequences on thousands of victims at a time,” Vance said in a statement Monday.
In an era of concern about consumer data breaches, the case showed how the ramifications can spread from one company to another. StubHub said the cyber criminals got in by using login and password information harvested partly from data breaches at other businesses, as well as from key-loggers or other malware on customers’ own computers. Experts said the case highlighted the risks of using a single login and password combination for multiple websites, as many consumers do.