HydraWatch All articles
Cyber Threat Intelligence

Points Don't Lie, But Criminals Do: The Underground Economy Built on Stolen Loyalty Rewards

HydraWatch
Points Don't Lie, But Criminals Do: The Underground Economy Built on Stolen Loyalty Rewards

Points Don't Lie, But Criminals Do: The Underground Economy Built on Stolen Loyalty Rewards

There is an irony embedded in the design of loyalty programs: the very features engineered to reward customer devotion — easy redemption, flexible transfer options, minimal friction — are precisely the properties that make them attractive to cybercriminals. While most Americans are vaguely aware that their credit card numbers can be stolen, far fewer consider the accumulated value sitting dormant in their airline, hotel, and retail rewards accounts. Criminals are well aware of that blind spot, and they have built a thriving underground market around it.

Industry estimates have placed annual losses from loyalty fraud in the billions of dollars globally, though the true figure is difficult to pin down because many victims never discover the theft at all. The crime tends to be quiet, the victims slow to notice, and the reporting inconsistent. That opacity has allowed an entire criminal subeconomy to flourish largely outside public view.

Why Loyalty Accounts Are a Softer Target Than Your Bank

To understand the appeal of loyalty fraud, it helps to consider the structural differences between a bank account and, say, a frequent-flyer account. Banks are regulated entities subject to federal oversight, mandatory fraud detection systems, and customer notification requirements. Loyalty programs are not. They are proprietary marketing tools operated by airlines, hotel chains, and retailers — entities whose core competency is hospitality or retail, not financial security.

The consequences of this gap are measurable. Many loyalty platforms still rely on relatively weak authentication standards: a username and password, sometimes augmented by a security question whose answer can be researched on social media in minutes. Two-factor authentication, where it exists, is frequently optional rather than mandatory. Account recovery flows are often designed for convenience rather than security, meaning a determined attacker can sometimes bypass controls entirely by calling customer service with enough personally identifiable information harvested from prior data breaches.

There is also the matter of monitoring. Banks deploy sophisticated transaction-monitoring systems that flag unusual activity in real time. Most loyalty programs do not have equivalent infrastructure. A fraudster who drains a checking account will typically trigger an alert within hours. One who transfers 80,000 hotel points to a new redemption address may go undetected for weeks — or indefinitely, if the legitimate account holder never logs back in.

The Harvest: Credential Stuffing and Targeted Phishing

Attackers acquire loyalty credentials through two primary channels. The first is credential stuffing: the automated injection of username-and-password combinations — sourced from the vast repositories of breached credentials available on dark web forums — into loyalty program login portals. Because a significant portion of the American public reuses passwords across multiple accounts, a breach at one unrelated service can become an entry point into a Delta SkyMiles account, a Hilton Honors profile, or an Amazon rewards wallet.

Automated stuffing tools can test thousands of credential pairs per hour against a single target. When a match is found, the tool logs the successful combination and moves on. Criminals then sort successful logins by account balance, prioritizing high-value targets for manual follow-up.

The second channel is purpose-built phishing. Security researchers have documented convincing email campaigns that impersonate American Airlines, Marriott Bonvoy, Starbucks Rewards, and other major programs, warning recipients of imminent point expiration or offering bonus miles in exchange for account verification. The landing pages replicate the legitimate programs' branding with high fidelity, collecting credentials that are then used directly or sold in bulk.

The Liquidation Problem — Solved

Stolen loyalty points present a challenge that stolen credit card numbers do not: they must be converted into something tangible before they have real-world value. The dark web has developed efficient solutions.

The most common method is the purchase of transferable goods. Gift cards are a favored vehicle — many loyalty programs allow members to redeem points for third-party gift cards, which can then be sold for cash on secondary markets. Airline miles are frequently used to book flights or upgrades that are then resold at a discount through informal channels. Hotel points fund stays that are either personally enjoyed by the fraudster or listed as short-term rentals.

Dedicated dark web marketplaces and Telegram channels have emerged specifically to facilitate this trade. Sellers post listings for loyalty account credentials or pre-redeemed gift card codes; buyers pay in cryptocurrency. The transaction leaves minimal traceable evidence, and the spread between the criminal's acquisition cost — often near zero — and the liquidation value can be substantial. Researchers monitoring these channels have observed airline miles selling for fractions of a cent each, meaning a 100,000-mile account might fetch $300 to $500 in underground markets, still representing pure profit for the attacker.

The Consumer's Exposure Is Larger Than It Appears

The average American household participates in more than a dozen loyalty programs, according to industry research, yet actively engages with only a fraction of them. Dormant accounts — those opened years ago, rarely checked, and never mentally categorized as financial assets — represent ideal targets. The account holder is unlikely to notice a theft, and the program is unlikely to proactively alert them.

This dynamic is compounded by the tendency to use older, potentially compromised passwords for accounts perceived as low-stakes. A consumer who has diligently updated their banking credentials may not have changed the password on their Marriott Bonvoy account since 2017 — well before several major hospitality-sector breaches that put those exact credentials into criminal circulation.

Locking Down What You Forgot You Had

Protecting loyalty accounts requires treating them with the same seriousness applied to financial accounts. Security practitioners recommend the following baseline measures.

Conduct a loyalty account audit. Compile a complete list of every program in which you hold membership. Check each account's current balance and review recent activity for unfamiliar transactions or redemptions.

Enable the strongest available authentication. Where two-factor authentication is offered — via authenticator app rather than SMS where possible — activate it without exception. If a program does not offer MFA, consider that a risk factor and monitor the account more frequently.

Use unique, complex passwords. No loyalty account should share a password with any other service. A reputable password manager makes this practical at scale.

Set up account alerts. Most major programs offer email or push notifications for redemptions and balance changes. Enabling these transforms what is otherwise an invisible threat into something detectable.

Be skeptical of loyalty-themed email. Expiration warnings and bonus-mile offers are among the most commonly spoofed pretexts in loyalty phishing campaigns. Navigate to program websites directly rather than clicking links in unsolicited messages.

The Bigger Picture

Loyalty fraud sits at the intersection of several trends that HydraWatch tracks closely: the ongoing monetization of breached credential databases, the professionalization of dark web commerce, and the persistent gap between consumer awareness and the actual surface area of their digital financial exposure. The points and miles accumulating in forgotten accounts are not abstract — they represent real value that criminals have learned to extract with impressive efficiency.

For investigators and program operators, the challenge is calibrating security controls without destroying the frictionless experience that makes loyalty programs commercially viable. For consumers, the challenge is simpler: remember that every account with a balance is an account worth protecting.

All articles

Related Articles

Scatter and Regroup: The Stubborn Resilience of Cybercriminal Communities After Law Enforcement Strikes

Scatter and Regroup: The Stubborn Resilience of Cybercriminal Communities After Law Enforcement Strikes

Zero Hour: A Minute-by-Minute Account of What Ransomware Does to an Organization in Its First Three Days

Zero Hour: A Minute-by-Minute Account of What Ransomware Does to an Organization in Its First Three Days

The Unraveling: How Federal Investigators Strip Away Dark Web Anonymity One Mistake at a Time

The Unraveling: How Federal Investigators Strip Away Dark Web Anonymity One Mistake at a Time