Hackers sell $38 million in gift cards on Russian marketplace
Amazon, Nike, Walmart, and Target among the brands targeted by Russian hacking dark web forum


Hackers have sold more than $38 million in gift cards from US retailers on an underground Russian hacking marketplace.
According to Gemini Advisory’s investigation, hackers were observed offering to sell 895,000 stolen gift cards from 3,010 companies in early February.
The hackers claimed they had a database of over 3,000 brand-name gift cards. Affected companies included Airbnb, Amazon, American Airlines, Chipotle, Dunkin Donuts, Marriott, Nike, Subway, Target, and Walmart. The database may have originated from an older breach at online discount gift card shop Cardpool.com.
Before closing in early 2021, Cardpool.com operated as a gift card marketplace where individuals could sell unwanted gift cards to the shop. Cardpool.com would then resell those cards to others for less than their face value.
The hackers started the auction at $10,000 with a $20,000 buy-now price. According to security researchers, the gift cards were bought by another actor soon after they were posted for sale.
RELATED RESOURCE
The business guide to ransomware
Everything you need to know to keep your company afloat
The original hacker listed data from another 330,000 payment cards on the same forum the next day. This data included payment card number, expiration date, and bank name but not the CVV or cardholder name. Bidding for these details started at $5,000, but there was a $15,000 buy-now price. The payment cards sold within days of the hacker listing them for sale, but not as quickly as the gift cards.
Gemini Advisory’s analysis concluded that the 330,000 payment cards likely came from a Cardpool.com breach between February 4, 2019 and August 4, 2019.
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
Researchers said the lack of CVV data indicates that the actor likely acquired the cards by gaining backend access to Cardpool.com, which would have enabled them to steal the gift card data and previous shoppers’ payment card data directly from the site’s databases.
“Attackers can acquire backend access to online shops through a variety of methods, including exploiting vulnerabilities in sites’ content management systems (CMS) and brute-forcing admin login credentials,” said researchers.
According to the researchers, the Cardpool.com case “offers a valuable glimpse into the ecosystem of carding.”
“The trick is not in acquiring stolen cards but in devising the most efficient way to cash out the funds on the cards before financial institutions can flag them as compromised,” they said.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.
-
OpenAI's new GPT-4.1 models miss the mark on coding tasks
News OpenAI says its GPT-4.1 model family offers sizable improvements for coding, but tests show competitors still outperform it in key areas.
By Ross Kelly
-
Meta just revived plans to train AI models using European user data
News Meta has confirmed plans to train AI models using European users’ public content and conversations with its Meta AI chatbot.
By Nicole Kobie
-
Capita tells pension provider to 'assume' nearly 500,000 customers' data stolen
Capita told the pension provider to “work on the assumption” that data had been stolen
By Ross Kelly
-
Gumtree site code made personal data of users and sellers publicly accessible
News Anyone could scan the website's HTML code to reveal personal information belonging to users of the popular second-hand classified adverts website
By Connor Jones
-
Pizza chain exposed 100,000 employees' Social Security numbers
News Former and current staff at California Pizza Kitchen potentially burned by hackers
By Danny Bradbury
-
83% of critical infrastructure companies have experienced breaches in the last three years
News Survey finds security practices are weak if not non-existent in critical firms
By Rene Millman
-
Identity Automation launches credential breach monitoring service
News New monitoring solution adds to the firm’s flagship RapidIdentity platform
By Praharsha Anand
-
Neiman Marcus data breach hits 4.6 million customers
News The breach took place last year, but details have only now come to light
By Rene Millman
-
Indiana notifies 750,000 after COVID-19 tracing data accessed
News The state is following up to ensure no information was transferred to bad actors
By Rene Millman
-
Pearson fined $1 million for downplaying severity of 2018 breach
News The SEC found the London-based firm made “misleading statements and omissions” about the intrusion
By Rene Millman