Converting stolen assets into cash is a complex process. Even if an attacker manages to take over a victim’s bank account, they must go to significant lengths when cashing out, transferring, and laundering the funds to avoid triggering detection controls.
Gift cards are often instrumental in this process. There are two ways an actor can gain possession of large quantities of gift cards. The first is to procure them illegally. Actors can use automated tools to generate valid cards or obtain legitimate cards through a data breach. For example, in February 2021, a threat actor hacked the “cardpool[.]com” site and stole 900,000 gift cards and 300,000 payment cards.
The second way is to purchase cards with illicitly-gained funds as a method of money laundering.
Either way, the next step is for threat actors to convert the cards into cash.
Some legitimate websites (such as ‘cardcash.com’ and ‘giftcash.com’) purchase gift cards for cash for a 10-15% commission. However, these sites note that they work to detect and block potential fraud, so it is risky for a threat actor to attempt to use them, especially at high frequency.
By contrast, the dark web’s sites and users are anonymous by design, providing a more attractive avenue for laundering gift cards. Indeed, we can find dedicated markets and forum sections for gift card activity (see figures 1, 2, 3, and 4).
Selling cards for cash
The most straightforward way to convert gift cards into cash is selling them. On the underground, we see a range of sellers, from those selling small batches (see figure 2) to experienced actors selling a wide variety of cards in bulk (see figures 1 and 3).
Identifying how an actor sourced the gift cards they sell is not always possible. However, there are some clues. For example, if an actor sells physical cards (as opposed to digital only), the actor likely purchased them with dirty cash to launder the funds.
Similarly, if an actor is selling only a single type of card (as opposed to a wide variety), it might mean they successfully used a generator and checker against the card provider to create the codes.
While some actors sell cards for USD or PayPal, others request cryptocurrency, which adds a layer of obfuscation to the transaction (see figure 5).
Gift cards sold on the underground are generally discounted 10-15% from their stored value, resembling the payout for surface websites. However, sometimes actors sell them at a significant discount. For example, in figure 4, a threat actor offers to use paxful[.]com (a bitcoin marketplace) to sell gift cards for bitcoin with a 50%-80% commission. This represents a win-win for the seller, who earns cash, and the buyer, who receives more value than what they paid (albeit assuming that the card is valid).
Purchasing gift cards
Our research also uncovered posts by actors seeking to buy gift cards in bulk. Some actors may have effective methods to flip these for a profit, whether through cashing out in bulk or selling them individually (see figures 6 and 7).
Others may seek to buy a specific type of gift card for the data stored within, which could be accessible due to laxer security standards. For example, Marriott's gift cards include clients' usernames and passwords for its official site. Cybercriminals can use this information to take over their accounts (see figure 7).
Finally, in some cases, buyers of underground gift cards will actually use the cards for their intended purpose – to purchase something from a retailer – without spending their own money.
Consumers and retailers enjoy the benefits of gift cards, but their use by cybercriminals casts a shadow over this lucrative payment channel. As long as threat actors can transact gift cards with impunity on the dark web, they will continue to use them for money laundering. This hurts the integrity of gift cards and enables more complex fraud to take place.
Retailers and gift card issuers should monitor bulk transactions of gift cards on the underground to understand the extent to which actors use their cards in money laundering. Furthermore, they should consider preventing the resale of cards (such as associating them with phone numbers/email addresses and using multifactor authentication during a purchase). In this way, they can keep gift cards in the hands of gift recipients and render them useless to cybercriminals.