Jingle Thief Exploits Cloud Systems to Steal and Monetize Gift Cards

November 11, 2025


Just in time for Christmas, cybersecurity researchers are observing an active cybercriminal group they’re calling “Jingle Thief.” Ravie Lakshmanan reports in The Hacker News that the crooks target cloud environments used by retail and consumer services companies to perpetrate gift card fraud.

The Jingle Thief group times its activity around peak shopping seasons. It maintains prolonged access to impacted environments to support large-scale resale on the gray market. This creates lightning-fast cash-out opportunities that make recovery problematic.

Gift cards make for a lucrative choice because they can be redeemed with minimal personal information and are difficult to trace, which makes the fraud hard to investigate.

Attribution efforts link the activity cluster to actors tracked as Atlas Lion and Storm-0539. Its tactics exploit weaknesses in cloud identity and workflow controls.

Gift cards are attractive targets because they can be redeemed with limited identity verification and often leave fragmented audit trails, making it more difficult to trace fraud back to the perpetrators or recover the value once issued.

Detailed analysis of the campaign reveals a playbook centered on identity misuse rather than custom malware.

Reported techniques include credential harvesting via phishing and smishing, as well as targeted reconnaissance of Microsoft 365 assets (SharePoint, OneDrive), and searches for issuance workflows and operational documentation.

Attackers have been observed expanding access through internal phishing. They create inbox rules to exfiltrate communications, and register rogue authenticator apps or enroll devices in Entra ID so that their access persists after password resets.
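The persistence steps described above can be hunted for by correlating audit events per user. The following is an added example, not code from the original report or from the researchers: the flattened record layout, the sample events, `INTERNAL_DOMAINS`, and the 24-hour window and threshold are constructed assumptions, and real Microsoft 365 / Entra ID audit exports nest these fields differently.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified, flattened shape (assumption).
EVENTS = [
    {"time": "2025-11-03T09:12:00", "user": "alice@example.com", "op": "New-InboxRule",
     "params": {"ForwardTo": "drop@external.example", "DeleteMessage": "True"}},
    {"time": "2025-11-03T09:40:00", "user": "alice@example.com",
     "op": "User registered security info", "params": {}},
    {"time": "2025-11-03T10:05:00", "user": "alice@example.com", "op": "Add device", "params": {}},
    {"time": "2025-11-04T14:00:00", "user": "bob@example.com", "op": "New-InboxRule",
     "params": {"MoveToFolder": "Receipts"}},
    {"time": "2025-11-20T08:00:00", "user": "bob@example.com", "op": "Add device", "params": {}},
]

FORWARD_PARAMS = {"ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"}
INTERNAL_DOMAINS = {"example.com"}  # assumption: the tenant's own mail domains

def classify(event):
    """Map one event to a persistence signal name, or None if not of interest."""
    op, params = event["op"], event["params"]
    if op in ("New-InboxRule", "Set-InboxRule"):
        # Only rules that send mail outside the tenant count as a signal.
        targets = [v for k, v in params.items() if k in FORWARD_PARAMS]
        if any(t.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS for t in targets):
            return "external_forward_rule"
    elif op == "User registered security info":
        return "mfa_method_added"
    elif op == "Add device":
        return "device_enrolled"
    return None

def correlate(events, window=timedelta(hours=24), threshold=2):
    """Return {user: signals} where >= threshold distinct signals fall inside one window."""
    by_user = defaultdict(list)
    for e in events:
        sig = classify(e)
        if sig:
            by_user[e["user"]].append((datetime.fromisoformat(e["time"]), sig))
    alerts = {}
    for user, hits in by_user.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            sigs = {s for t, s in hits[i:] if t - start <= window}
            if len(sigs) >= threshold:
                alerts[user] = sorted(sigs)
                break
    return alerts

if __name__ == "__main__":
    for user, sigs in correlate(EVENTS).items():
        print(user, sigs)
```

Each signal on its own is routine (users add MFA methods and devices every day), so the alert fires only when several land on one account inside the window.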

They take steps to minimize logs and forensic evidence, which enables lengthy dwell times and repeated fraudulent issuance actions.

Legal and compliance teams should reassess controls around cloud-based issuance workflows, access entitlements, and audit retention policies to address these risks.

Incident response readiness should include procedures for rapid preservation of cloud logs, contractual review of third-party issuance platforms, and clear notification protocols tied to regulatory and contractual breach obligations.
