Detective Mike McCaffrey laughs when I ask if they busted the door down. Maybe I’ve seen too many movies. Normally, he says, they would. But in this instance, it’s not the ticket scam perpetrator’s residence. It’s his mother’s. So, in this high-rise apartment building on 96th Street in Manhattan, he simply knocks. The mother answers, kindly, oblivious to why the NYPD is at her door on this Tuesday morning.

Inside, tucked in a small living room nook, is the man they’ve come for—the son, 28-year-old Nikhil Mahtani—surrounded by cellphones and laptops, tangled in charging cables.

Months earlier, the NFL had tipped off law enforcement about Craigslist ads selling tickets that buyers never received. McCaffrey, who works with the NYPD’s Financial Crimes Task Force, traced the ads back to Mahtani through IP addresses, phone numbers, email accounts—a digital trail leading straight to his mother’s apartment.

From January 2019 to December 2022, Mahtani had run more than 1,000 ads selling nonexistent tickets to NFL games, NBA championships, and concerts, defrauding more than 100 buyers across the United States.

McCaffrey didn’t arrest Mahtani that day. But he seized his devices. Inside, he found enough to build an airtight case: screenshots of the ads Mahtani had posted over the years, bank records showing $120,000 of ticket-buyer money flowing through Venmo and Zelle, and even direct messages with victims. In one text exchange, a concerned buyer wrote: “I’m worried about being duped. Can you give me assurance that you’re a real person?”

Mahtani sent back proof in the form of a selfie and a photo of his driver’s license.

“In the investigative world,” McCaffrey says, “we call that a clue.”

Billions and billions lost to fraud

The sports ticketing industry is worth $65.5 billion globally. Meanwhile, Americans lost more than $12.5 billion to fraud of all types in 2024—a 25% increase from the previous year, according to the Federal Trade Commission—with ticket scams representing a growing slice of that total.

Ticket fraud isn’t limited to sports—it’s also hitting concerts and other live events, with social media platforms serving as the primary hunting ground. According to Better Business Bureau data, fraudulent websites represent the largest share at 38% of reported concert ticket scams, followed by Facebook (28%), Craigslist (9%), and Instagram (8%).

Teresa Murray, consumer watchdog director with the U.S. Public Interest Research Group, a national consumer advocacy organization, hints that the problem isn’t going away, saying, “It’s going to get worse before it gets better.”

The last great American counterfeiter

Before Mahtani—before the social media scammers and the Craigslist con artists—there was Eugene Smith.

Smith ran what federal prosecutors describe as a multistate counterfeiting operation, a sophisticated printing and distribution network spanning multiple cities, targeting the biggest events for the biggest payoffs. From 2016 to 2018, his network produced fake tickets to Super Bowl LI in Houston, Super Bowl LII in Minneapolis, NBA All-Star games, and NCAA championships.

Smith’s operation was simple: He purchased real tickets to major events, sent them to accomplices who replicated them using sophisticated printing equipment, then distributed the counterfeits through a network of sellers—some working street corners outside stadiums and in parking lots, others advertising online.

These weren’t crude photocopies. Smith’s counterfeits featured holograms, along with hidden images visible only under ultraviolet light, and thermochromic ink that disappeared with heat and returned when cooled—a common security feature that allows gate staff to quickly verify authenticity.

“We had all of these covert and overt security features embedded into those tickets,” Michael Buchwald, vice president and legal counsel at the NFL, recalls. “To somebody with a trained eye, you could spot the difference. But to unsuspecting fans—people who are really eager to get into an event and are not being careful—they would fall prey.”

A 51-month federal sentence

According to prosecutors, Smith’s operation had printed scam tickets totaling at least $170,000 in face value, though the actual resale value—particularly for Super Bowl tickets—far exceeded the original prices. The FBI investigation that led to Smith remains partly sealed, but court records show the breakthrough came when one of Smith’s key accomplices, Eric Ferguson, was arrested and cooperated with investigators. Ferguson testified that Smith had recruited him to replicate tickets and provided the originals.

In May 2019, Smith was sentenced to 51 months in federal prison.

Smith’s conviction marked the end of an era. By 2020, the NFL had completed its transition to fully digital ticketing. No more hard stock. No more physical tickets with holograms and thermochromic ink. Everything moved to mobile-based systems with encrypted barcodes that refresh continuously—technology specifically designed to prevent copying and theft.

The impact was immediate. Physical counterfeiting at NFL games dropped dramatically, from large-scale operations producing hundreds of fakes per event to what Buchwald now describes as only “dozens” of scattered ticket-scam incidents.

“We’ve seen a very substantial reduction in instances of ticket counterfeiting,” Buchwald says. “I think that’s a big success in terms of digital ticketing.”

But digital tickets didn’t eliminate fraud. They just changed the face of it—and in the process, blew the doors open for a new generation of scammers.

The evolving faces of fraud

Around the same time McCaffrey worked the Mahtani investigation, he assisted the FBI on another case involving international suspects using stolen credit card numbers to purchase legitimate tickets from venues, then reselling them through online portals at discounted rates. The tickets worked—they were legitimate. The real victims were the credit card holders who wouldn’t discover that their cards had been used until they checked their statements.

As tickets moved further toward digitization, other schemes began to emerge, each exploiting different digital vulnerabilities. Fake websites mirroring Ticketmaster or StubHub, designed to rank high in Google search results when legitimate sites sold out and desperate fans searched for last-minute options. Hacked Facebook accounts where scammers posed as the account owner and sold nonexistent tickets to the victim’s friends—people who trusted the source because they believed they were buying from someone they knew.

There has also been a rise in two-factor authentication scams, in which a criminal poses as a ticket seller and claims to need verification of the buyer’s identity for security. The scammer asks the buyer to message back a verification code being texted to their phone—but the criminal has secretly triggered a password reset on the buyer’s bank account or email, then uses the code to change the password and gain access.

These schemes have become so prevalent that the Better Business Bureau received more than 20,000 complaints about ticket purchases from January 2022 to early 2023.

Targeting Taylor Swift’s Eras Tour

Taylor Swift’s Eras Tour was especially brutal, according to Teresa Murray. In one case, she recalls, a mother and daughter planned an entire trip around seeing the show—booking flights from Oklahoma to Atlanta, reserving a hotel room, buying matching outfits—only to arrive at the arena to find out their tickets didn’t actually exist. They stood alone outside the arena while the concert played inside, having spent thousands of dollars on a trip for an event they’d never see.

For Murray, that’s what made the Eras Tour ticket scams particularly devastating—not the financial loss, but the fact that scammers were stealing once-in-a-lifetime experiences from families who had planned for months. “A mom just wants her teenage daughter to have this very special experience, and it’s taken away from them,” she says. “You had all these crying young women. . . . It was just next-level awful.”

The biggest challenge for law enforcement is scope. Smith’s operation was contained: one printing press, one distribution network, specific cities. But digital fraud is borderless and doesn’t specialize in specific events. It’s nearly universal. A scammer in Manhattan targets fans in Milwaukee. International rings use stolen credit cards in one country to buy tickets in another. And with peer-to-peer payment apps like Zelle and Venmo, once victims send money—especially through friends and family transfers—recovery is nearly impossible.

“Scammers are not exposing themselves to surveillance video footage or eyewitnesses,” McCaffrey says. “They’re able to steal a significant amount of money from behind their desk, from behind their keyboard.”

Even the platforms designed to protect buyers aren’t immune. While consumers are wary of ticket scams on Craigslist or fake websites, they can also fall victim to fraud through the official, verified platforms they’re supposed to trust most.

A $635,000 inside job

From June 2022 to July 2023, two employees at Sutherland Global Services—a third-party contractor in Kingston, Jamaica, handling customer service for StubHub—discovered and exploited a vulnerability in the platform’s system.

StubHub is one of the largest ticket resale marketplaces in the world. It operates as a secondary market where people sell tickets originally purchased from primary sellers like Ticketmaster. At the time, when someone bought a ticket on StubHub, the platform generated a unique URL and queued it to be emailed to the buyer.

Tyrone Rose, 20, and an accomplice discovered they could access the secure area of StubHub’s network where those unique URLs were created—a backdoor into part of the system they weren’t authorized to use. They found a way to redirect the emails, sending ticket URLs not to the people who had just paid for them, but to accomplices in Queens, New York.

Shamara Simmons, 31, was one of those alleged Queens accomplices. According to prosecutors, she and her cohort would download the tickets from the hijacked URLs (the original buyers never received their tickets) and relist them on StubHub as new inventory at inflated prices. Because the tickets were intercepted during delivery and after the sale was complete, then relisted under different seller accounts, the system saw them as separate transactions, not duplicate sales.

Pure profit

The scheme was pure profit—tickets stolen for free, then resold for hundreds or thousands of dollars each.

Rose and Simmons intercepted roughly 350 StubHub orders—993 stolen tickets in all. Most were for Swift’s Eras Tour, though the operation also targeted tickets to Adele and Ed Sheeran concerts, NBA games, and the US Open Tennis Championships. Over the course of one year, they collected more than $635,000.

It’s unclear how StubHub became aware of the ticket scam. But once it did, its internal security team acted swiftly, reporting it to Sutherland Global Services, the Queens district attorney’s office, and Jamaican law enforcement. Rose and his accomplice were immediately terminated, and StubHub ended its contract with Sutherland entirely. StubHub then identified which tickets had been stolen and resold, then reached out to every buyer who’d been defrauded to notify them before their events.

Rose and Simmons were arrested in February 2025. Rose pleaded guilty in October and awaits sentencing. Simmons has pleaded not guilty. If convicted, each faces 3 to 15 years in prison.

How the industry is fighting back

Under StubHub’s FanProtect Guarantee, the company replaced or fully refunded the ticket price for every customer affected by the Rose-Simmons scam and in some cases provided additional compensation. But even with those refunds, many victims still shouldered the costs of flights, hotels, time off work—expenses that often exceeded the ticket price itself.

And no refund policy can restore what Murray says is the true cost: the experience they missed out on. Fans had traveled across the country. They’d saved for months. They stood outside venues while concerts played inside—victims not of poor judgment or carelessness, but of a system they’d been told to trust.

Rob Tomlinson, StubHub’s head of trust and safety, says the company has vastly strengthened its internal security in the wake of Rose-Simmons, restricting access to ticket data to “an extremely small, very tightly controlled group of people” with full monitoring of who accesses what and when.

The company has also overhauled its ticket delivery system. The platform now primarily uses mobile transfers directly through original ticket providers like Ticketmaster and AXS, rather than generating its own URLs. Additionally, every ticket is now screened through proprietary in-house technology.

“We have a machine learning model and we have a bunch of rules-based systems as well,” Tomlinson says. “We’re taking in over 270 signals about the seller, about the ticket, the time to event, the event itself—all of these different signals to really try and build up a profile of what is going on with each ticket.”

An alarming compound annual growth rate

The global ticket fraud detection market, valued at $1.87 billion in 2024, is projected to reach $5.47 billion by 2033, growing at a compound annual growth rate of 16.2% as companies invest heavily in prevention technologies. But like the ticket sellers themselves, the NFL and other sports leagues are also playing defense on multiple fronts.

Buchwald describes partnerships with Homeland Security Investigations and Customs and Border Protection, ticket resolution desks at entry gates to troubleshoot issues in real time, and media campaigns around major events warning fans about fraud. For nearly a decade now, the league has maintained the NFL Ticket Network—a system comprised of multiple ticket resale platforms, including SeatGeek and Sports Illustrated Tickets, that have an integration with Ticketmaster.

“All the tickets that are rendered through those systems result in fully verified barcodes,” Buchwald says. “It enables fans who purchase or sell tickets on any of those platforms to be sure they have a reliable, convenient, and safe way to get fully verified tickets.”

Ticket technology is also evolving. SafeTix, Ticketmaster’s encrypted barcode system, refreshes continuously to prevent screenshots and copying. Dynamic QR codes change every few seconds. These systems are effective, but they’re not a catchall. While major venues and leagues can afford these new technologies, smaller venues cannot. And as long as PDF tickets exist anywhere—as they still do at many small venues—vulnerabilities remain.

“I think we’re still a fairly long way away in terms of the least-sophisticated venues getting on board with this,” Buchwald says. “It’s going to take a fair amount of time to fully adopt.”

How you can avoid being scammed

Beyond sophisticated technology, the industry is confronting a more basic problem: consumer behavior. After a 2024 Ticketmaster data breach reportedly exposed up to 560 million customer records—one of the largest data breaches in ticketing industry history—platforms intensified efforts to promote password hygiene and multifactor authentication. Still, according to Murray, many consumers ignore these safeguards and fail to adhere to even the most basic steps to protect themselves in a world where ticket scams are growing increasingly creative and deceptive.

“Desperate people sometimes make bad decisions,” Murray says. “They suspend their good judgment just long enough to become a victim of fraud.”

Murray’s advice mirrors that of McCaffrey and other experts.

1. Never buy from individuals you don’t personally know (even then, do so with caution).
2. Never use peer-to-peer payment apps like Zelle or Venmo—they offer no fraud protection.
3. Always use credit cards, which provide protection under the Fair Credit Billing Act.
4. Buy only from authorized resellers verified by organizations like the National Association of Ticket Brokers.
5. Never share verification codes with anyone—even someone claiming to verify your identity.
6. Most important: Be willing to not go.

“If all else fails, and you think you’re taking a chance by buying tickets that you’re not sure are legit, just don’t buy them,” Murray writes in her guide for consumers. “If you decide to take a chance, you may spend far more time sorting out the fraud and trying to get your hundreds or thousands of dollars back than you would have spent at the [event].”

Today’s protection against tomorrow’s threats

Detective McCaffrey stands in a luxury suite at Madison Square Garden, where the Rangers hosted a playoff game the night before. He’s been given a tour as part of his Mahtani investigation. He looks out upon the ice, the Zamboni circling below. For a New York sports diehard, these are dream seats—the kind that either wealthy fans or those splurging for a once-in-a-lifetime experience shell out thousands of dollars for.

Tickets that Mahtani sold more than 50 times, and never delivered.

McCaffrey buys Mets tickets on SeatGeek a couple of times a year. He knows the risks better than almost anyone and says he’s willing to bite the bullet in the name of security.

“I have no issue watching a baseball game from the middle to upper deck that saves me a couple bucks,” he says. “But I’ll make sure that I get [my ticket] from a reputable site. I’ll pay $6 in fees, but I walk off the 7 train knowing I’m gonna get into that game. Buying tickets from a third party, you don’t have that assurance.”

Systematic victimization

Mahtani was sentenced to 15 months in federal prison and ordered to pay $88,000 in restitution. At sentencing, the judge rejected Mahtani’s request for probation, calling it not a “crime of impulse” but “systematic victimization” of sports fans. Mahtani was released from federal custody in May 2025, having served the majority of his 15-month sentence with credit for time served and good behavior.

Eugene Smith was released in August 2022 after serving most of his 51-month sentence. Rose still awaits sentencing, facing up to 15 years in prison, while Simmons has pleaded not guilty. Her case remains pending.

But thousands of other fraudsters like them are still hard at work. Over the past five years, the FBI’s Internet Crime Complaint Center has reported cumulative fraud losses exceeding $50.5 billion, with ticket fraud representing one of the fastest-growing categories. In a $65.5 billion global ticketing industry, the criminals are evolving faster than the defenses.

“The thing that keeps you up at night,” Tomlinson says, “is that you’re not sure what’s coming next.”

ODEXCO.COM