A sophisticated fraud operation, dubbed “Ticket Heist,” has been uncovered, targeting primarily Russian-speaking individuals with fake tickets for the upcoming Paris Summer Olympics and other major events. This large-scale scam involves over 700 domain names, with researchers at QuoIntelligence detecting the first instances in 2022.

The fraudsters have created a network of convincing websites, including ticket-paris24[.]com and tickets-paris24[.]com, offering counterfeit Olympic tickets and accommodation options. These sites feature a professional user interface and engage visitors with seemingly legitimate ticket selection processes.
A key characteristic of the scam is the inflated pricing, with fake tickets often priced 3-10 times higher than official rates. This could be a tactic to create an illusion of “premium” offerings or to mimic scalping operations.

Image: UEFA EURO 24 Championship Ticket Heist website (source: QuoIntelligence)
The operation extends beyond the Olympics, encompassing other high-profile events like the UEFA European Championship and various music concerts. While primarily targeting Russian speakers, some English-language sites have also been identified.
QuoIntelligence’s investigation revealed that transactions are processed through Stripe, suggesting the primary goal is direct financial theft rather than data collection. The researchers also uncovered a suspicious company, VIP Events Team LLC, registered in New York but with contact information in Tbilisi, Georgia.
“The domain was registered on the same day the company was formed. There are no mentions of VIP Events Team LLC on Google, social media, TrustPilot, or any other available OSINT sources”
QuoIntelligence
All fraudulent domains are hosted on a single IP address with a history of malicious activities. The scam’s infrastructure shows a pattern of consistent growth, with an average of 20 new domains registered monthly, spiking to 50 in November 2023.
This ongoing operation highlights the persistent threat of ticket fraud surrounding major events, emphasizing the need for consumer vigilance and cybersecurity awareness.
QuoIntelligence was unable to confirm the exact transaction process due to the website’s inactivity. However, Moldovan notes that archived data reveals significant differences in the site’s hosting infrastructure, network setup, and user interface compared to the Ticket Heist operation.
“a random event and seat location on the official website could cost less than EUR 100, whereas the same tickets and locations on the fraudulent websites were priced at a minimum of EUR 300, often reaching EUR 1,000”
QuoIntelligence
Despite these separate instances, QuoIntelligence reports that the Ticket Heist scheme remains active and has not been previously documented in public research. This suggests that various fraudulent actors are attempting to exploit the upcoming Olympic Games for financial gain.
To aid in combating this threat, QuoIntelligence has released a set of indicators of compromise (IoCs) specific to the Ticket Heist operation. These IoCs are intended for use by the cybersecurity community to enhance protection for their clients against this ongoing fraudulent activity.
