Cyber Threat Actor: U-Admin
| Actor Type | Location | Known Incidents |
Criminal
|
—
|
0 incidents |
|---|
Profile
The threat actor using the alias "Jamescarter" engaged in the theft and sale of customer credentials from a UK-based live event ticketing provider in July 2020. This individual offered a database of 4.8 million email addresses and login credentials for $2,500 on dark web markets, using a .ru contact email address for communications. While claiming the data originated from a "shopping and forex trading site," cybersecurity firm KELA confirmed the records belonged to customers of a specific UK ticketing service. The actor's operational security practices included filtering duplicate records, with only 3% duplicates found in a 10,000-record sample analyzed by researchers.
Jamescarter's targeting focused exclusively on the entertainment ticketing sector, compromising a single high-profile UK-based organization. The stolen data primarily affected customers in the United Kingdom, with additional victims located in the United States, New Zealand, Australia, South Africa, Germany, and France. The presence of government email domains within the dataset increased risks for high-value accounts. The actor's strategic objective centered on financial gain through dark web sales of authentication credentials, enabling downstream attacks including credential stuffing and phishing campaigns against both individual consumers and organizations. Security analysts warned that compromised accounts could facilitate follow-on fraud against both the ticketing platform and other services where customers reused passwords.
The breach methodology remains unspecified, though historical vulnerabilities provided context for potential attack vectors. KELA had previously identified the same ticketing provider on a Pastebin list of websites vulnerable to SQL injection attacks and documented prior website defacement incidents affecting the organization. While no direct connection was established between these vulnerabilities and the 2020 credential theft, the pattern suggested possible exploitation of web application weaknesses. Jamescarter employed direct dark web marketplace listings for data monetization rather than ransomware or extortion tactics. The actor's operational impact extended beyond immediate sales, potentially enabling widespread credential reuse attacks across multiple industries given the volume of exposed authentication data. Akamai research cited in contemporaneous reporting estimated credential stuffing costs for EMEA organizations at approximately $4 million annually through application downtime, customer attrition, and fraud-related expenses.
