The Arkana Security extortion gang caused a brief stir over the weekend when they advertised what appeared to be newly stolen Ticketmaster data for sale, but cybersecurity investigators have determined the 569 GB of data being offered is actually recycled from the massive 2024 Snowflake data theft attacks. The group posted screenshots of the allegedly stolen information on social media, leading to initial speculation that Ticketmaster had suffered a new security breach.
However, analysis by BleepingComputer revealed that the files shown in Arkana’s listing matched samples from the original Snowflake attacks that targeted multiple major organizations last year. A key indicator was one image caption reading “rapeflaked copy 4 quick sale 1 buyer,” referencing RapeFlake, a custom reconnaissance and data exfiltration tool specifically created by the original threat actors to target Snowflake databases. This connection strongly suggests Arkana was attempting to resell previously stolen data rather than offering fresh breach material.
The original Snowflake attacks, claimed by the extortion group ShinyHunters, compromised numerous high-profile organizations including Santander, AT&T, Advance Auto Parts, Neiman Marcus, and Ticketmaster through stolen credentials obtained via infostealers. Ticketmaster became one of the most extensively extorted victims, with threat actors stealing personal and ticketing information before escalating their demands by releasing alleged print-at-home tickets and purported Taylor Swift concert tickets on hacking forums.
The Arkana listing has since been removed from their data leak site as of June 9, though it remains unclear whether the group previously purchased the data, consists of former threat actors involved in the original breach, or is working in partnership with ShinyHunters.