Hacker Sells $38 Million in Gift Cards from Thousands of Retailers
According to Gemini Advisory experts, nearly 900,000 gift cards with a total face value of $38 million were recently sold on a hacker forum. The seller did not disclose how the data was obtained but claimed to have 895,000 gift cards from 3,010 companies, including Airbnb, Amazon, American Airlines, Chipotle, Dunkin Donuts, Marriott, Nike, Subway, Target, and Walmart. The database was put up for auction with a starting price of $10,000 and a buy-it-now price of $20,000. The auction ended quickly, indicating that someone purchased the database.
Analysts note that gift cards are typically sold for about 10% of their face value on the black market. In this case, the price was approximately 0.05% of the total value, suggesting that the $38 million figure was likely exaggerated to attract attention. Alternatively, many of the cards may have already expired or carried low balances, leaving them inactive or less valuable.
Interestingly, the day after the gift card sale, the same hacker offered partial data from 330,000 debit cards for sale (starting at $5,000, with a buy-it-now price of $15,000). This dump included payment addresses, card numbers, expiration dates, and issuing bank names. However, it did not contain cardholder names or CVV codes, which are required for card-not-present transactions.
Gemini Advisory suggests that these payment cards may have been obtained as a result of the Cardpool.com website breach, which occurred from February 4 to August 4, 2019. The compromise of the now-defunct Cardpool site could also explain how the hacker acquired such a large number of gift cards.