Two Arrested in $650K+ Scheme Targeting StubHub Vulnerability

Two individuals were arrested and arraigned in Queens, NY for allegedly stealing more than 900 concert tickets—primarily for Taylor Swift’s Eras Tour—through a cyber scheme targeting StubHub, according to Queens District Attorney Melinda Katz.

Authorities say the ticket URLs were intercepted by two workers at a third-party StubHub contractor, Sutherland, located in Kingston, Jamaica. The stolen links were then emailed to co-conspirators in Queens, who allegedly downloaded and resold the tickets for a profit exceeding $600,000 over the course of a year.

“This takedown highlights the vigilance of my office’s Cybercrime and Cryptocurrency Unit as well as the importance of working with our industry partners to combat fraudulent activities and ensure the protection of consumers,” said District Attorney Katz, who thanked StubHub for alerting her office. “According to the charges, these defendants tried to use the popularity of Taylor Swift’s concert tour and other high-profile events to profit at the expense of others.”

The defendants—identified as 20-year-old Kingston, Jamaica, resident Tyrone Rose and 31-year-old Queens resident Shamara P. Simmons—were arrested and arraigned Thursday on charges including grand larceny, computer tampering, and conspiracy. They were ordered to return to court on March 7. If convicted of the top charge, they each face a potential sentence of three to 15 years in prison.

Investigators allege that, between June 2022 and July 2023, approximately 350 StubHub orders were intercepted, yielding roughly 993 stolen tickets. Once the URLs were accessed, Rose and an accomplice allegedly redirected the links to Simmons and another co-conspirator in Queens, who downloaded and reposted the tickets on StubHub. Many of the stolen tickets were for in-demand events, including Swift’s Eras Tour, Adele concerts, Ed Sheeran shows, NBA games, and the U.S. Open Tennis Championships.

StubHub identified the scheme internally, then referred the matter to the District Attorney’s office, which conducted the investigation leading to the arrests. The company says it has terminated its relationship with Sunderland, and that an employee who exploited the system vulnerability was “swiftly identified and terminated.”

StubHub says it has refunded or provided alternative tickets for all orders impacted by the scheme.

The case is being prosecuted by the District Attorney’s Major Economic Crimes Bureau, under the supervision of the office’s Cybercrime and Cryptocurrency Unit. The investigation remains ongoing.