[Cyware] Ticket Heist fraud gang uses 700 domains to sell fake Olympics tickets

A large-scale fraud campaign using more than 700 domains targets Russian-speaking users seeking Paris Olympic tickets with fake listings. The operation, named Ticket Heist, also pushes fake tickets for UEFA EURO 24 and other events, leveraging a single infrastructure to skim money via Stripe.

#TicketHeist #ParisOlympics #UEFA EURO 24 #VIPEventsTeamLLC #QuoIntelligence

Key points

  • A fraud campaign with 708 fraudulent domains claims to sell tickets for the Paris Olympic Games and other major events.
  • The sites imitate legitimate marketplaces and use a consistent UI, with inflated prices to imply “premium” tickets.
  • Most domains share a single hosting IP (179[.]43[.]166[.]54) and follow common subdomain patterns like jswidget, widget-frame, or widget-api.
  • Transactions reportedly go through the Stripe payment processor, meaning the operators collect the payment itself rather than stealing card data directly.
  • The domains were first observed in 2022, with an average of about 20 new domains registered per month and a spike to 50 new domains in a recent period.
  • Targeting appears aimed at Russian-speaking users, with many sites in Russian and contact details tied to Russian mobile services; lures include the Olympics, UEFA EURO 24, and concerts.

MITRE Techniques

  • [T1583] Acquire Infrastructure – The actor registered and hosted a large network of domains on a single IP address to run the fraud operation. “Analyzing the infrastructure behind the Ticket Heist operation, the researchers discovered that all the fraudulent domains were hosted at the same IP address, 179[.]43[.]166[.]54” and “the threat actor kept registering an average of 20 new ones every month.”

Indicators of Compromise

  • [Domain] ticket-paris24[.]com – example domain used for fake ticket sales
  • [Domain] tickets-paris24[.]com – clone of the first domain
  • [Domain] paris24tickets[.]com – another domain cited in discussions
  • [IP Address] 179[.]43[.]166[.]54 – hosting all fraudulent domains
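
One way to apply these indicators to resolver logs, as an added example that is not part of the original report: it refangs the listed IoCs, matches DNS answers against them, and treats the widget-style subdomain labels from the key points as a weaker signal. The log layout, the sample lines, the function names and the high/low weighting are assumptions.

```python
import ipaddress

def refang(value):
    """Undo [.] defanging; normalise case and the trailing root dot."""
    return value.replace("[.]", ".").strip().lower().rstrip(".")

# Indicators copied from this page, stored defanged and refanged at load time.
IOC_IP = ipaddress.ip_address(refang("179[.]43[.]166[.]54"))
IOC_DOMAINS = [refang(d) for d in (
    "ticket-paris24[.]com", "tickets-paris24[.]com", "paris24tickets[.]com")]
WIDGET_LABELS = {"jswidget", "widget-frame", "widget-api"}  # patterns from the key points

# Constructed sample; the "time client qname qtype answer" layout is an assumption.
SAMPLE_LOG = """\
2024-07-01T10:00:01Z 10.0.0.5 ticket-paris24.com A 179.43.166.54
2024-07-01T10:00:02Z 10.0.0.5 jswidget.shop.example A 179.43.166.54
2024-07-01T10:00:03Z 10.0.0.7 widget-api.vendor.example A 192.0.2.10
2024-07-01T10:00:04Z 10.0.0.9 notticket-paris24.com. A 192.0.2.20
2024-07-01T10:00:05Z 10.0.0.9 WWW.Paris24Tickets.com A not-an-ip
"""

def classify(qname, answer):
    """Return (severity, reasons) for one DNS answer; severity None means no match."""
    qname, reasons = refang(qname), []
    # Match a listed domain or a true subdomain of it, never a bare string suffix.
    if any(qname == d or qname.endswith("." + d) for d in IOC_DOMAINS):
        reasons.append("ioc_domain")
    try:
        if ipaddress.ip_address(answer) == IOC_IP:
            reasons.append("ioc_ip")
    except ValueError:
        pass  # CNAME target or malformed answer: nothing to compare
    if qname.split(".")[0] in WIDGET_LABELS:
        reasons.append("widget_label")
    strong = "ioc_domain" in reasons or "ioc_ip" in reasons
    # Assumed weighting: a widget-style label with no IoC match rates only "low".
    return ("high" if strong else "low" if reasons else None), reasons

def scan(log_text):
    """Return (client, qname, severity, reasons) for every matching log line."""
    hits = []
    for fields in map(str.split, log_text.splitlines()):
        if len(fields) == 5:  # skip lines that do not fit the assumed layout
            severity, reasons = classify(fields[2], fields[4])
            if severity:
                hits.append((fields[1], refang(fields[2]), severity, reasons))
    return hits

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Because the report says new domains keep being registered on the same host, the IP match is the indicator that catches names not yet on any list.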

Read more: https://www.bleepingcomputer.com/news/security/ticket-heist-network-of-700-domains-sells-fake-olympic-games-tickets