Stolen gift cards worth $38 million sold on dark web

Amer Owaida, Security Writer at ESET explains that easy to redeem and hard to trace, gift cards remain a hot commodity in the criminal underground

A cybercriminal has sold almost 900,000 gift cards and over 300,000 payment cards on a top-tier cybercrime forum on the dark web. The total value of the cards was claimed to be some US$38 million. The hacker probably gained access to the data by compromising the backend infrastructure of a gift card marketplace.

According to a report by fraud intelligence firm Gemini Advisory, the stolen cards originated from a 2019 breach of an online discount gift card marketplace that has since gone offline. “As the payment cards were stolen from a gift card store and both the payment cards and gift cards were sold by the same actor, Gemini assesses with moderate confidence that the gift cards offered for sale were also stolen during the breach of Cardpool.com,” the company said.

Since they’re easy to redeem and tough to track, gift cards are an increasingly popular target for fraud.

One of the company’s analysts observed offers to sell the cards in bulk on the Russian-language forum in February 2021. While the actors behind the sale didn’t reveal how they obtained the cards or what their origins were, they did disclose that the loot contained more than 3,000 brand-name gift cards from as many companies, including Airbnb, Amazon, Nike, Marriott, Walmart, and others. The threat actors set up an auction with the bidding starting at US$10,000 and a buy now price of double the initial bidding price. The database was sold within a few moments of being posted.

Gemini Advisory pointed out that the gift cards sold for an unusually low amount: “Typically, compromised gift cards sell for 10% of the card value in the dark web; however, the 895,000 cards offered from the breach were priced at roughly 0.05% of the card value.” Although that may be chalked up to the hacker overstating the total value, it is more likely that the price accounts for the fact that a sizeable number of the cards wouldn’t work or have a low balance.

A mere day after selling the gift cards, the same cybercriminal offered to sell 330,000 payment and debit cards on the same online hacking forum. According to the posting, the information included the victims’ billing address and partial payment card data such as the card number, its expiration date, and the issuing bank’s name. However, the Card Verification Value (CVV) and the cardholder’s name were not included.

The initial bidding price was set for US$5,000 but the cards could be purchased outright for triple the amount. Although this database sold slower than the gift cards, it was still purchased by another party within a few days.

While unnamed, the hacker behind the breach is a known entity that has been active since 2010 and has been observed to offer payment card data, compromised databases, and the personally identifiable data of US residents.