A known extortion group briefly relisted old Ticketmaster data over the weekend, falsely suggesting a new breach.
Over the weekend, the Arkana Security extortion gang advertised over 569 GB of allegedly stolen Ticketmaster data for sale, sparking concern of a fresh security incident. However, analysis by BleepingComputer confirmed the data matches samples previously leaked during the 2024 Snowflake data theft attacks.
The post, which has since been taken down, included screenshots and file names that align with earlier breaches. One image captioned “rapeflaked copy 4 quick sale 1 buyer” referenced “RapeFlake,” a custom tool used by the original attackers to extract data from Snowflake-hosted databases.
The 2024 Snowflake attacks, attributed to the ShinyHunters group, targeted numerous high-profile companies, including Santander, Ticketmaster, AT&T, Neiman Marcus, and Advance Auto Parts. Attackers used credentials stolen by infostealer malware to gain access to Snowflake accounts and exfiltrate large volumes of sensitive customer data.
Ticketmaster confirmed its involvement in the breach in May 2025 and began notifying customers affected by the incident. Following the original leak, hackers released what they claimed were printable event tickets, including alleged Taylor Swift tickets, as part of a broader extortion campaign.
Arkana’s recent post did not specify whether the group was reselling previously obtained data, had acquired it from another source, or was collaborating with ShinyHunters. The listing was removed by June 9, and Arkana has not commented further.
While Arkana has remained silent on the data’s origin, indicators such as filenames and tool references strongly suggest that the group was attempting to monetize older breach data rather than promoting newly acquired information.
Mandiant and other cybersecurity firms continue to track ShinyHunters and related actors, noting their involvement in a wide range of attacks, including a recent campaign targeting Salesforce accounts.
RapeFlake is a custom tool developed by hackers to identify and extract data from Snowflake databases. Its mention in Arkana's listing helps link the data to the original Snowflake breach.
Digital forensics teams compare metadata, file structures, and content samples against previously leaked datasets to determine if “new” breaches are actually old data being repackaged.
Even if the breach isn’t new, reselling old data can reignite extortion threats, erode customer trust, and potentially lead to further misuse of the information.
ShinyHunters is a well-known cybercriminal group linked to multiple major breaches over the past few years. Although several members have been arrested, it's unclear if recent activity is from the original group or new actors using the name.
Customers should monitor their accounts for suspicious activity, enable two-factor authentication, and consider credit monitoring services if their personal data was compromised in earlier breaches.