One does not "call the police on someone," one reports a crime to law enforcement. Law enforcement (and prosecutors) sort that out.

Here, it is more than likely that within minutes, hackers sold the number to a ticket broker who purchased the tickets for someone else who likely has no idea that the tickets were purchased with a stolen CC.

I presume that UA did cancel the tickets and that UA security, possibly with law enforcement at SFO, at least interviewed the individual who showed up to fly. Most likely, a clueless third party who purchased what he thought was a cheap ticket.

The hacker got paid by the ticket broker and the ticket broker got paid by the dupe. The dupe is out money.