
How Hackers Turn Travel Rewards Into Underground Currency (2024)

GhostShield Security Team
GhostShield VPN

The Dark Side of Travel Rewards: How Cybercriminals Monetize Points

In March 2024, cybersecurity researchers at BleepingComputer uncovered a chilling trend: ransomware gangs were accepting Delta SkyMiles as payment for decrypting corporate files. The same month, the FBI arrested a hacker who had traded 1.5 million Marriott Bonvoy points for a stolen credit card database. These aren’t isolated incidents—they’re symptoms of a growing underground economy where travel rewards are the new currency.

Loyalty programs, once a harmless way to earn free flights or hotel stays, have become a prime target for cybercriminals. Why? Because points are highly liquid, poorly secured, and nearly untraceable once stolen. Unlike credit cards, which can be canceled or disputed, stolen travel rewards often vanish without a trace—leaving victims with little recourse. The problem is worsening: according to a 2023 report by the Association of Certified Fraud Examiners (ACFE), loyalty program fraud surged by 40% year-over-year, with airlines and hotels losing $1 billion annually to theft and abuse.

Hackers exploit weak security, lax fraud detection, and corporate indifference to turn your hard-earned miles into drugs, weapons, or ransom payments. Here’s how they do it—and why companies aren’t stopping them.


Loyalty Programs as Underground Currency

Travel rewards are the perfect illicit currency. They’re anonymous (no names or IDs required for transfers), globally accessible (redeemable anywhere with an internet connection), and highly liquid (easily converted to flights, gift cards, or cash). Unlike cryptocurrency, which leaves a blockchain trail, stolen points can be moved between accounts in seconds—often without triggering fraud alerts.

Why Hackers Prefer Points Over Credit Cards

| Factor | Travel Rewards | Credit Cards |
|---|---|---|
| Anonymity | No KYC checks for transfers | Linked to personal identities |
| Liquidity | Instantly redeemable for flights/gift cards | Requires laundering (e.g., cash advances) |
| Fraud Detection | Weak or nonexistent | Advanced (e.g., Visa’s AI monitoring) |
| Dispute Process | No chargeback protections | Chargebacks available |
| Regulation | No PCI-like compliance | PCI DSS, GDPR, and other mandates |

This lack of oversight makes travel rewards a low-risk, high-reward target. In 2023, dark web marketplaces like BriansClub and Russian forums saw a 300% increase in listings for stolen airline miles and hotel points, according to Recorded Future. Some sellers even offer "bulk discounts"—for example, 100,000 Hilton Honors points for $500 in Bitcoin.

Real-World Cases of Rewards Fraud

  1. The Marriott Bonvoy Heist (2023)

    • A hacker was arrested for trading 1.5 million Marriott points (worth ~$15,000) for a stolen credit card database on a dark web forum.
    • How it happened: The hacker used credential stuffing (reusing passwords from other breaches) to access accounts.
    • Outcome: Marriott refused to reimburse victims, citing "no evidence of a breach" (despite the FBI’s involvement).
  2. Ransomware Gangs Accepting SkyMiles (2024)

    • The LockBit ransomware gang began accepting Delta SkyMiles as payment for decrypting corporate files.
    • Why it works: SkyMiles can be transferred without ID verification, making them ideal for money laundering.
    • Source: BleepingComputer investigation
  3. Hilton Honors Points for Drugs (2023)

    • A Russian dark web marketplace was caught selling Hilton Honors points for fentanyl and firearms.
    • How it worked: Buyers transferred points to the seller’s account, then received drugs/weapons via mail.
    • Estimated value: $200,000 in points traded before the forum was shut down.

Why Companies Fail to Act

Despite the growing threat, airlines and hotels have been slow to secure loyalty programs. Here’s why:

  1. No Regulatory Pressure

    • Unlike credit cards (regulated by PCI DSS) or bank accounts (protected by FDIC insurance), loyalty programs operate in a legal gray area. There’s no federal law requiring companies to reimburse stolen points.
    • The FTC has issued warnings about loyalty program fraud, but no enforcement actions have been taken against airlines or hotels.
  2. Weak Fraud Detection

    • Most programs lack real-time monitoring for suspicious activity. For example:
      • American Airlines AAdvantage only flags transfers of 50,000+ miles (easily bypassed by splitting transfers).
      • Hilton Honors doesn’t alert users when points are redeemed for gift cards (a common laundering method).
    • Marriott’s 2020 breach exposed 5.2 million loyalty accounts, yet no major security upgrades were implemented afterward.
  3. Corporate Negligence

    • Slow response times: Victims report waiting weeks or months to recover stolen points. In a 2023 Reddit thread, one user documented a 6-month battle with United Airlines after losing $30,000 in miles to SIM swapping.
    • No compensation: Unlike banks, which reimburse fraudulent charges, loyalty programs offer no guarantees. In 2022, British Airways refused to refund a customer who lost 250,000 Avios points to a phishing scam.
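The split-transfer weakness described above (a per-transfer threshold that is bypassed by sending several smaller transfers) is easy to show with a detection rule. The following is an added example, not code from the original post or from any loyalty program; the ledger, account numbers and the 50,000-mile threshold are constructed for illustration, and it compares the naive per-transfer rule with an aggregate rule that sums each sender's outgoing miles over a sliding 24-hour window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample transfer ledger (not real program data): when, sender, recipient, miles
TRANSFERS = [
    ("2024-03-01T09:00:00", "ACCT-1001", "ACCT-2002", 20000),
    ("2024-03-01T09:20:00", "ACCT-1001", "ACCT-2002", 20000),
    ("2024-03-01T10:05:00", "ACCT-1001", "ACCT-2002", 15000),
    ("2024-03-01T11:00:00", "ACCT-1001", "ACCT-3003", 10000),
    ("2024-03-02T08:00:00", "ACCT-4004", "ACCT-5005", 30000),
    ("2024-03-05T08:00:00", "ACCT-4004", "ACCT-5005", 30000),
]
THRESHOLD = 50_000  # per-transfer limit the text describes as easy to split around


def per_transfer_alerts(transfers, threshold=THRESHOLD):
    """Naive rule: alert only on a single transfer at or above the threshold."""
    return [t for t in transfers if t[3] >= threshold]


def structuring_alerts(transfers, threshold=THRESHOLD, window=timedelta(hours=24)):
    """Aggregate rule: sum each sender's outgoing miles over a sliding window,
    across all recipients, and alert the first time the total reaches the threshold."""
    by_sender = defaultdict(list)
    for when, src, dst, miles in transfers:
        by_sender[src].append((datetime.fromisoformat(when), dst, miles))
    alerts = []
    for src, rows in sorted(by_sender.items()):
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # drop rows that fell out of the window behind the current row
            while rows[end][0] - rows[start][0] > window:
                start += 1
            chunk = rows[start:end + 1]
            total = sum(m for _, _, m in chunk)
            if total >= threshold:
                alerts.append((src, total, sorted({d for _, d, _ in chunk})))
                break  # one alert per sender is enough for triage
    return alerts


if __name__ == "__main__":
    print("per-transfer rule:", per_transfer_alerts(TRANSFERS))
    print("aggregate rule:   ", structuring_alerts(TRANSFERS))
```

The naive rule returns nothing for this ledger, while the aggregate rule flags ACCT-1001 after its third transfer; ACCT-4004's two transfers are four days apart and stay below the window total.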

How Hackers Steal Travel Rewards: Common Attack Vectors


Cybercriminals use a mix of technical exploits and social engineering to drain loyalty accounts. Here are the most common methods—and how to defend against them.


1. Credential Stuffing and Password Spraying

How It Works

Hackers use automated tools to test millions of leaked username/password combinations (from breaches like LinkedIn, Facebook, or Dropbox) against loyalty program login pages. If you’ve reused passwords, they’ll gain access.

Real-World Example: British Airways Breach (2023)

  • Attack: Hackers used credential stuffing to compromise 100,000+ British Airways Executive Club accounts.
  • Impact: Stolen Avios points were sold on dark web forums for $0.01 per mile.
  • Why it worked: 60% of users reused passwords from other breached sites (per Google’s 2023 Password Habits Report).

How to Protect Yourself

✅ Use a unique password for every loyalty program (generated by a password manager like Bitwarden or 1Password).
✅ Enable MFA (preferably with an authenticator app like Google Authenticator or Authy; never SMS).
✅ Check if your email has been breached using Have I Been Pwned.
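From the program operator's side, a credential-stuffing run looks different from a real user: one source address trying many different usernames in a short window, almost all of them failing. The following is an added example, not code from the original post or from any airline or hotel; the log lines, addresses and thresholds are constructed, and the second function lists the accounts that did log in successfully from a flagged source, since those are the reused passwords that need a forced reset.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log (not from any real program): time, source IP, username, outcome
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2024-03-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2024-03-01T10:00:02Z 203.0.113.7 carol@example.com FAIL
2024-03-01T10:00:03Z 203.0.113.7 dave@example.com OK
2024-03-01T10:00:04Z 203.0.113.7 erin@example.com FAIL
2024-03-01T10:00:05Z 203.0.113.7 frank@example.com FAIL
2024-03-01T10:05:00Z 198.51.100.4 alice@example.com FAIL
2024-03-01T10:05:30Z 198.51.100.4 alice@example.com OK
"""


def parse(log):
    events = []
    for line in log.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.7):
    """Return {ip: (distinct_users, fail_ratio)} for source IPs that, within one window,
    tried many different usernames and mostly failed. A real user retrying one
    account from one IP (198.51.100.4 below) never reaches min_users."""
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_ip[ip].append((ts, user, outcome))
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            chunk = rows[start:end + 1]
            users = {u for _, u, _ in chunk}
            ratio = sum(o == "FAIL" for _, _, o in chunk) / len(chunk)
            # keep the window with the most distinct usernames as the evidence
            if len(users) >= min_users and ratio >= min_fail_ratio and len(users) > flagged.get(ip, (0, 0))[0]:
                flagged[ip] = (len(users), round(ratio, 2))
    return flagged


def accounts_to_reset(events, flagged):
    """Usernames that logged in successfully from a flagged IP: likely reused passwords."""
    return sorted({u for _, ip, u, o in events if ip in flagged and o == "OK"})
```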


2. SIM Swapping and Account Takeovers

How It Works

Hackers trick your mobile carrier into transferring your phone number to a SIM card they control. They then reset your loyalty account password using SMS-based 2FA codes.

Real-World Example: United Airlines MileagePlus Fraud (2024)

  • Attack: Victims lost $50,000+ in miles after hackers SIM-swapped their phones and drained their accounts.
  • Why it worked: United Airlines still uses SMS-based 2FA, despite CISA’s 2023 guidelines warning against it.
  • Outcome: United refused to reimburse victims, claiming they "failed to secure their accounts."

How to Protect Yourself

✅ Switch to an authenticator app (Google Authenticator, Authy) or hardware key (YubiKey) for 2FA.
✅ Set a PIN with your mobile carrier to prevent unauthorized SIM swaps.
✅ Use a virtual phone number (e.g., Google Voice) for loyalty accounts to reduce risk.


3. Phishing and Social Engineering

How It Works

Hackers send fake emails or texts impersonating airlines/hotels, tricking users into revealing login credentials. Common scams include:

  • "Your account is locked!" (urgent requests to "verify" your password).
  • "Double your points!" (fake promotions linking to phishing sites).
  • "Unauthorized login detected!" (fake security alerts with malicious links).

Real-World Example: American Airlines Phishing Campaign (2022)

  • Attack: Hackers sent 50,000+ phishing emails mimicking American Airlines, with subject lines like "Your AAdvantage account is suspended!"
  • Impact: 10% of recipients clicked the link, entering their credentials on a fake login page.
  • Why it worked: The phishing site used a typosquatted domain ("AAdvantage-Login.com" instead of "AA.com").

How to Protect Yourself

✅ Hover over links before clicking (check for misspelled domains like "D3lta.com").
✅ Never enter credentials after clicking an email link—go directly to the official website.
✅ Enable email alerts for logins, password changes, and point transfers.
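The two phishing tricks named above, a digit swapped for a letter ("D3lta.com") and a brand name stuffed into an unrelated domain ("AAdvantage-Login.com"), can both be caught with the same check. This is an added example, not code from the original post or from any airline; the allowlist of official domains and the brand keywords are assumptions made for the illustration, and the check deliberately errs toward flagging so that anything it does not recognise gets a second look.

```python
from urllib.parse import urlsplit

# Constructed allowlist of official login domains and brand keywords (assumption for this example)
OFFICIAL = {"delta.com", "aa.com", "united.com", "marriott.com", "hilton.com"}
BRANDS = ("delta", "aadvantage", "united", "marriott", "hilton")
# digits commonly swapped for letters in lookalike domains ("d3lta" -> "delta")
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def registered_domain(url):
    """Host of the URL reduced to its last two labels (fine for .com; no public-suffix list here)."""
    host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize(domain):
    """Strip the TLD and undo common substitutions so lookalikes collapse onto the brand name."""
    name = domain.rsplit(".", 1)[0]
    return name.translate(HOMOGLYPHS).replace("rn", "m").replace("-", "")


def classify(url):
    """'official' for an allowlisted domain, 'lookalike' for a homoglyph or brand-in-name
    domain that is not allowlisted, 'unknown' for everything else."""
    dom = registered_domain(url)
    if dom in OFFICIAL:
        return "official"
    norm = normalize(dom)
    if norm in {normalize(o) for o in OFFICIAL}:
        return "lookalike"  # e.g. d3lta.com normalises to delta
    if any(brand in norm for brand in BRANDS):
        return "lookalike"  # e.g. aadvantage-login.com carries the brand but is not aa.com
    return "unknown"


if __name__ == "__main__":
    for link in ("https://www.delta.com/login", "http://D3lta.com/verify",
                 "https://AAdvantage-Login.com/", "https://example.org/"):
        print(f"{link:40} {classify(link)}")
```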


4. Insider Threats and Employee Fraud

How It Works

Employees with access to loyalty systems sell points or reset accounts for hackers. This is hard to detect because insiders can bypass security controls.

Real-World Example: Hilton Honors Insider Fraud (2021)

  • Attack: A Hilton employee stole $200,000 in points over 2 years by resetting customer accounts and transferring points to hackers.
  • How it was caught: Hilton’s fraud detection system flagged unusual redemption patterns (e.g., multiple accounts redeeming for $500 Amazon gift cards in bulk).
  • Outcome: The employee was fired but not prosecuted—Hilton refused to reimburse victims.

How to Protect Yourself

✅ Monitor your account for unauthorized redemptions (especially gift cards, which are easy to liquidate).
✅ Report suspicious activity immediately—some programs (like Delta SkyMiles) offer fraud protection if reported within 72 hours.
✅ Use a dedicated email for loyalty accounts to reduce phishing risks.


Why Loyalty Programs Are a Privacy Nightmare (And Companies Don’t Care)


Travel rewards programs aren’t just vulnerable to theft—they’re also privacy disasters. Here’s what’s at risk and why companies aren’t fixing it.


1. Weak Security Standards

No PCI-Like Compliance

  • Credit card companies must follow PCI DSS (Payment Card Industry Data Security Standard), which mandates encryption, regular audits, and fraud monitoring.
  • Loyalty programs have no equivalent. Airlines and hotels self-regulate, leading to glaring security gaps.

Outdated Systems

  • Many programs run on legacy IT infrastructure (e.g., mainframes from the 1990s) that can’t support modern security.
  • Example: In 2020, EasyJet suffered a breach exposing 9 million loyalty accounts—including credit card details stored in plaintext.

Lack of Encryption

  • Some programs store points balances in unencrypted databases, making them easy targets for hackers.
  • Example: In 2023, Hyatt’s loyalty program was breached after hackers exploited an unpatched vulnerability in its booking system.

2. Data Collection Overdrive

Loyalty programs collect far more data than necessary—and share it with third parties without consent.

What’s at Risk?

| Data Type | Example | Risk |
|---|---|---|
| Passport numbers | Delta SkyMiles breach (2024) | Identity theft |
| Travel history | Marriott Bonvoy tracks stays globally | Stalking, targeted ads |
| Payment details | Hilton Honors stores credit card numbers | Financial fraud |
| Biometrics | CLEAR/TSA PreCheck data | Deepfake attacks, surveillance |

Third-Party Risks

  • Loyalty programs share data with affiliates, advertisers, and data brokers.
  • Example: In 2023, the FTC reported that data brokers sell loyalty program data (e.g., travel habits, spending patterns) to marketers, insurers, and even governments.

3. Corporate Negligence and Slow Responses

Case Study: Marriott’s Repeated Breaches

  • 2018 Breach: 500 million records exposed (including passport numbers and credit cards).
  • 2020 Breach: 5.2 million loyalty accounts compromised.
  • 2022 Breach: 20GB of data stolen (including employee records).
  • Outcome: Marriott was fined $23.8M under GDPR—but no major security overhaul was implemented.

Customer Service Failures

  • Victims report months-long delays to recover stolen points.
  • Example: In 2023, a Reddit user documented a 4-month battle with American Airlines after losing $25,000 in miles to SIM swapping. American initially refused to help, claiming the user "shared their password."

Legal Loopholes

  • Loyalty points are not insured (unlike bank deposits, which are FDIC-insured up to $250,000).
  • No chargeback protections: If your points are stolen, you have no recourse—even if the theft was due to the company’s negligence.

How to Protect Your Travel Rewards from Hackers (CISA-Approved Steps)

Loyalty program fraud is preventable—if you take the right steps. Here’s how to lock down your accounts and minimize risk.


Immediate Actions to Secure Your Account

1. Enable Multi-Factor Authentication (MFA)

  • Use an authenticator app (Google Authenticator, Authy) or hardware key (YubiKey).
  • Never use SMS-based 2FA—it’s vulnerable to SIM swapping.
  • Example: After the 2024 United Airlines SIM swap attacks, the company finally added authenticator app support—but SMS 2FA is still the default.

2. Use a Unique, Complex Password

  • Generate a random password (16+ characters) using a password manager (Bitwarden, 1Password).
  • Never reuse passwords from other sites.
  • Example: In 2023, 60% of loyalty program breaches involved reused passwords (per Google’s Password Habits Report).

3. Set Up Account Alerts

  • Enable email/SMS alerts for:
    • Point transfers
    • Password changes
    • Logins from new devices
  • Example: Delta SkyMiles offers free fraud alerts—but only 10% of users enable them.

Long-Term Security Habits

1. Freeze Your Credit

  • Prevents hackers from opening new accounts in your name.
  • How to do it:
    • Freeze your credit with Experian, Equifax, and TransUnion.
    • Use a credit monitoring service (e.g., Credit Karma, Identity Guard).

2. Use a Dedicated Email for Loyalty Accounts

  • Why? Reduces phishing risks (hackers can’t target your personal/work email).
  • How to do it:
    • Create a separate Gmail/ProtonMail account for loyalty programs.
    • Never use this email for anything else.

3. Regularly Audit Your Accounts

  • Check for:
    • Unauthorized redemptions (especially gift cards, which are easy to liquidate).
    • Changes to linked credit cards or email addresses.
    • Logins from unfamiliar locations.
  • Example: Marriott Bonvoy lets you download a transaction history—review it monthly.

What to Do If Your Points Are Stolen

  1. Report the fraud immediately to the loyalty program (some offer 72-hour fraud protection).
  2. File a police report (required for some reimbursement claims).
  3. Contact your bank if a linked credit card was compromised.
  4. Monitor your credit for identity theft (use Experian IdentityWorks or LifeLock).

Pro Tip: If the company refuses to help, escalate to:

  • The Better Business Bureau (BBB)
  • Your state’s Attorney General
  • The FTC (ReportFraud.ftc.gov)

How GhostShield VPN Can Help

While no tool can 100% prevent loyalty program fraud, using a VPN like GhostShield adds an extra layer of security by:

✅ Encrypting your traffic (prevents hackers from intercepting login credentials on public Wi-Fi).
✅ Masking your IP address (makes it harder for hackers to target your account).
✅ Blocking malicious sites (stops phishing pages before they load).

GhostShield’s WireGuard-based encryption (ChaCha20/Poly1305) ensures your loyalty program logins stay private and secure—even on untrusted networks.


Key Takeaways


  • Travel rewards are the new underground currency—hackers trade them for drugs, weapons, and ransomware payments due to weak security and high liquidity.
  • Common attack methods include credential stuffing, SIM swapping, phishing, and insider fraud.
  • Loyalty programs are privacy nightmares—they collect passport numbers, travel history, and payment details, often with no encryption or regulation.
  • Companies don’t care—there’s no legal requirement to reimburse stolen points, and customer service responses are slow.
  • Protect yourself by:
    • Enabling MFA (authenticator app, not SMS).
    • Using unique, complex passwords (via a password manager).
    • Monitoring for suspicious activity (set up alerts).
    • Freezing your credit to prevent identity theft.
  • If your points are stolen, act fast—report the fraud, file a police report, and escalate if the company refuses to help.

Travel rewards should reward you—not cybercriminals. By taking these steps, you can keep your points safe and travel with peace of mind.
