
Admiralty Code Part 2: Ticketmaster Data Breach Claims

Authored by Sean O'Connor, Will Thomas & Freddy Murstad

Introduction

In this three-part blog series, co-authored by Sean O’Connor and Will Thomas, co-authors of SANS FOR589: Cybercrime Intelligence, and by Freddy Murstad, PhD candidate specializing in traditional intelligence methodologies within cyber threat intelligence (CTI), we explore how the Admiralty System can be applied to assess unstructured and unverified data sources.

In Part 1, we introduced the Admiralty System as a structured framework for evaluating the reliability and credibility of these various types of data sources, which helps analysts cut through the noise of sometimes deceptive cybercrime claims to produce structured intelligence assessments, and is a key focus of the FOR589 course.

In Part 2, we will demonstrate practical application of the Admiralty System by analyzing cybercriminal claims related to the Ticketmaster data breach and its cloud-based data warehousing platform, Snowflake.

The Problem

In a rush to be the first to break news on a cyber incident, some analysts fall into the trap of prioritizing speed over accuracy. They often screenshot and share raw data from underground forums or social media posts without conducting proper verification, leading to misleading narratives that later require correction.

Instead, analysts should use structured approaches, applying frameworks like the Admiralty System to assess both the reliability of sources and the credibility of claims. If urgency demands rapid reporting, it should be accompanied by clear disclaimers:

  • What has been identified and when it was found
  • What we are unable to confirm yet
  • What we plan to investigate
  • When we expect to be able to provide answers

These types of statements help ensure transparency and prevent unverified claims from becoming accepted as fact.

How to Apply the Admiralty System

In this blog post, we will demonstrate how to apply the Admiralty System via the following:

  • Examining a series of posts by cybercriminals across various underground forums, assessing their claims about the Ticketmaster data breach.
  • Mapping these activities to a Timeline to draw connections between cybercriminals and their claims.
  • Pivoting on available data points, such as usernames, communication identifiers, and forum reputations, to identify related intelligence.
  • Evaluating the reliability of the sources and the credibility of their claims.

Mapping the Snowflake Incident to a Timeline

We elected to use a Structured Analytic Technique (SAT) called Timeline, because it helps visualize what we “knew” as the incident unfolded and lets us expand on that picture as our assessment and analysis continue.

The Timeline technique is a great way to “counter the impact of cognitive biases and heuristics, including accepting data as true without assessing its credibility because it helps ‘make the case’ (Evidence Acceptance Bias), seeing patterns in random events as systematic and part of a coherent story (Desire for Coherence and Uncertainty Reduction), and providing quick and easy answers to difficult problems (Mental Shotgun).” (Pherson & Heuer)

  • The Timeline SAT helps us to externalize our thinking and plot these posts and their claims as they occurred over time.
  • Below we provide the reported information available to us at the time as the situation developed, comment on any issues or clarifications needed, and then assess each post.
  • In the sections to come, we will use the Admiralty Scale for each claim, and you will see how our analysis, trust, and confidence change as we move along the timeline.

Why This Matters

In the flurry of reporting following a major data breach, the first entity to make a claim can hijack the early narrative, regardless of whether their claim is true. Many cybercriminals use these high-profile moments to boost their reputation, gain credibility within underground communities, or simply drive attention to their services.

In these uncertain scenarios, unverified claims spread rapidly, amplified by the media and social media posts eager to break news before conducting thorough verification. This can lead to an unproductive cycle where speculation turns into accepted fact, making it harder to separate legitimate intelligence from opportunistic noise.

Instead of blindly accepting or amplifying claims made by various online personas, analysts must take a structured approach to scrutinize sources, cross-reference claims, and apply frameworks like the Admiralty System to assess credibility before drawing conclusions. By doing so, we move beyond the race to be first and focus on producing intelligence that is both actionable and accurate.

May 20, 2024: Ticketmaster Data Breach

Ticketmaster confirms unauthorized access to data within a third-party cloud environment, attributed to Snowflake’s compromised systems

  • Live Nation Entertainment, Inc., the parent company of Ticketmaster, confirmed a data breach on May 20, 2024, involving unauthorized access to Ticketmaster’s database hosted on Snowflake.
  • The breach, linked to a compromise in Snowflake's environment, potentially exposed up to 560 million user records.

May 26, 2024, at 22:38 UTC: SpidermanData

"SpidermanData" offers data from Ticketmaster for $500,000

On May 26, 2024, a threat actor using the persona "SpidermanData" advertised purported data of 560 million users from Live Nation and Ticketmaster for sale on the Russian-language cybercrime forum Exploit[.]in, with an asking price of $500,000 USD.

Available data, comments, and analysis of the post

  • To apply the Admiralty System to forum posts, we must assess both source reliability and information credibility.
  • First, we need to extract the data from the forum post to better understand the actor, their claim, and their history within the cybercrime underground (Table 1).
  • Doing this preliminary analysis will make it easier to later map their claim to the Admiralty System.
  • Note that the table below is not an exhaustive list and is only meant to provide an example of how analysts can take data from unstructured data sources to better distill the information for deeper analysis.

May 28, 2024, at 14:41 UTC: ShinyHunters

“ShinyHunters” mirrors Ticketmaster data breach post on BreachForums

  • On May 28, 2024, “ShinyHunters” began advertising the 560 million users’ data from Ticketmaster on BreachForums.
  • The advertisement, illustrated in Figure 3, nearly mirrors the content and data shared by “SpidermanData” on Exploit.

Available data, comments, and analysis of the post

  • As we did before, we need to first extract the data from this forum post to better understand the actor, their claim, and their history within the cybercrime underground (Table 2).

June 20, 2024: Sp1d3r

Sp1d3r leaks data of 1 million Ticketmaster users for free

  • On June 20, 2024, the persona “Sp1d3r” posted an advertisement for a leak of 1 million Ticketmaster user records for free on BreachForums.
  • In the advertisement, illustrated in Figure 6, Sp1d3r claimed that this free sample was part of a larger dataset containing information on 680 million Ticketmaster customers.

Initial Analysis of the post

  • Let’s first take relevant information from the unstructured forum post and provide some level of structure to it to aid us in deeper analysis (Table 3).

July 8, 2024: Sp1d3rHunters

Sp1d3rHunters leaks over 30,000 Ticketmaster TicketFast barcodes

  • On July 8, 2024, the persona “Sp1d3rHunters” (previously using the alias Sp1d3r) leaked over 30,000 Ticketmaster TicketFast event barcodes on BreachForums (see Figure 5).
  • At this point in the timeline, we can assess with moderate confidence that Sp1d3rHunters and ShinyHunters are either controlled by the same entity or are working together, based on the timing, the data advertised, and the fact that neither calls the other out.
  • The companies that confirmed having had data stolen from their Snowflake accounts included Neiman Marcus, Los Angeles Unified School District, Advance Auto Parts, Pure Storage, and Santander Bank, further aligning with the victims that Sp1d3rHunters and ShinyHunters have advertised on BreachForums.
  • Additionally, Sp1d3rHunters began extorting Ticketmaster, demanding a $2 million ransom to prevent the release of even more barcodes, highlighting that their attempt to sell the data was likely not working as intended.

Initial Analysis of the post

  • Now let’s extract the relevant data from this forum post to better understand the actor, their claim, and their history within the cybercrime underground (Table 4).
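As an added illustration, not code from the post or its authors, the following Python models the three steps described above (extracting structured fields from each post, ordering them on the timeline, and rating each claim's credibility) for the three user-record claims on this timeline. The personas, forums, dates, record counts, the $500,000 price and Ticketmaster's "up to 560 million" figure are those reported in the post; the rating rules, the reliability thresholds and the missing price values are this example's own assumptions, not the ratings from the authors' Tables 1 to 4.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Admiralty scales (NATO AJP-2.1): reliability A-F, credibility 1-6. The rating
# rules below are this example's own simplification, not the authors' tables.
CREDIBILITY = {1: "Confirmed by other sources", 2: "Probably true", 3: "Possibly true",
               4: "Doubtful", 5: "Improbable", 6: "Cannot be judged"}
@dataclass(frozen=True)
class ForumPost:                      # structured fields pulled from an unstructured post
    persona: str
    forum: str
    posted: datetime
    records_claimed: int
    price_usd: Optional[int]          # None when the post states no price
    mirrors: Optional[str] = None     # persona whose earlier advert this one copies

def build_timeline(posts):
    """Timeline SAT step: order posts as they appeared."""
    return sorted(posts, key=lambda p: p.posted)
def independent_corroborators(post, timeline):
    """Earlier posts by other personas with the same figure; a mirrored advert
    repeats a claim rather than corroborating it, so mirror pairs are excluded."""
    return [p for p in timeline if p.posted < post.posted and p.persona != post.persona
            and p.records_claimed == post.records_claimed
            and post.mirrors != p.persona and p.mirrors != post.persona]
def rate_credibility(post, timeline, victim_confirmed_max=None):
    """Victim confirmation + independent corroboration -> 1; confirmation alone -> 2;
    corroboration alone -> 3; figure above the victim's stated maximum -> 4; else 6."""
    corroborated = bool(independent_corroborators(post, timeline))
    if victim_confirmed_max is None:
        return 3 if corroborated else 6
    return 4 if post.records_claimed > victim_confirmed_max else (1 if corroborated else 2)
def rate_reliability(verified, disproven):
    """Reliability from a persona's track record of earlier claims (counts come from
    the analyst's reputation pivoting; none are assigned to real personas here)."""
    if verified + disproven == 0:
        return "F"
    if disproven == 0:
        return "A" if verified >= 5 else "B"
    return "C" if verified > disproven else ("D" if verified else "E")

# Constructed records of the three user-record claims on the post's timeline.
UTC = timezone.utc
POSTS = [ForumPost("SpidermanData", "Exploit", datetime(2024, 5, 26, 22, 38, tzinfo=UTC), 560_000_000, 500_000),
         ForumPost("ShinyHunters", "BreachForums", datetime(2024, 5, 28, 14, 41, tzinfo=UTC), 560_000_000, None, mirrors="SpidermanData"),
         ForumPost("Sp1d3r", "BreachForums", datetime(2024, 6, 20, tzinfo=UTC), 680_000_000, None)]

def assess(posts=POSTS, victim_confirmed_max=560_000_000):
    """Credibility per persona, given Ticketmaster's 'up to 560 million' figure."""
    timeline = build_timeline(posts)
    return {p.persona: rate_credibility(p, timeline, victim_confirmed_max) for p in timeline}
```

Under these rules the mirrored ShinyHunters advert earns no higher credibility than the SpidermanData post it copies, and Sp1d3r's 680 million figure is flagged as doubtful because it exceeds the victim's stated maximum.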

Unmasking the Snowflake Data Extortionist

In late 2024, Alexander “Connor” Moucka, known online under multiple aliases such as “Judische” or “Waifu,” was named by the US Department of Justice (DOJ) as responsible for targeting customers of Snowflake.

Beginning in late 2023, Moucka and his associates exploited stolen credentials obtained via infostealer malware to infiltrate Snowflake customers’ systems. Over 165 companies were targeted, including major corporations like Ticketmaster, AT&T, and Santander Bank.

Moucka and his associates from “The Com” used underground forums to advertise stolen data for sale and extorted the companies by demanding ransom payments in exchange for not leaking their sensitive information. His actions, which exposed millions of individuals’ personal data, underscored the vulnerabilities of single-factor authentication.

Despite his operational security (OPSEC) attempts, Moucka’s erratic online behavior and occasional slip-ups allowed law enforcement to arrest him in October 2024.

Conclusion

Applying the Admiralty System to analyze claims surrounding the Ticketmaster data breach highlights the system’s value for assessing the reliability of sources and the credibility of information within the cybercrime underground.

From SpidermanData’s initial offer to ShinyHunters’ corroborating posts and Sp1d3rHunters’ escalating leaks, the system provides a structured approach for cybercrime investigators to sift through noise and evaluate potential threats.

While each post varied in its reliability and credibility ratings, the methodical evaluation we demonstrate here shows how analysts can use structured frameworks to prioritize intelligence and validate cybercriminal claims.

As data breaches and underground activities become more sophisticated, incorporating systems like the Admiralty Code into CTI workflows can help organizations navigate the complexities of digital threat landscapes with greater confidence.

What we haven’t covered so far is how to apply this knowledge when we write our assessment. Stay tuned for a future blog post covering this.