Travel rewards programs have become a lucrative underground market where compromised airline miles and hotel points are traded like commodities, with fraudsters exploiting detection gaps to convert stolen rewards into real-world travel bookings.
Loyalty programs were designed to reward customer loyalty, but in the hands of cybercriminals, they've become a thriving underground commodity. A recent analysis by Flare researchers reveals how travel rewards have transformed into a digital currency within cybercrime markets, with a structured ecosystem that mirrors legitimate commerce.
The Hidden Cost of Loyalty Fraud
While loyalty fraud rarely appears in official crime statistics, industry estimates suggest it costs victims between $1 billion and $3 billion annually in fraudulent reward redemptions across travel and retail ecosystems. This underground economy operates quietly, often going undetected until victims discover their miles have vanished or unauthorized bookings appear on their accounts.
The Four-Stage Monetization Model
The fraud cycle follows a predictable pattern:
- Account Compromise: Threat actors gain access through malware, phishing, or brute force attacks, often selling this access to specialized fraudsters
- Inventory Identification: Valid accounts with substantial miles are identified and advertised as available inventory
- Redemption for Travel: Points are redeemed for flights, hotel stays, or other travel services
- Resale at Discount: These bookings are resold at discounted rates through social media or private channels
Once travel is completed, victims face significant challenges recovering their losses since the points have already been converted into physical commodities.

The Telegram Marketplace
Flare's analysis of underground Telegram channels reveals a surprisingly organized marketplace. What appears to be casual conversation is actually structured inventory trading, with posts following consistent patterns: "United available," "High balance Marriott," "Bulk AA accounts," and "Ready booking service."
Unlike typical underground markets where stolen data is sold individually, these loyalty accounts are marketed in bulk, suggesting access to large pools of compromised credentials rather than isolated incidents. The concentration of activity among a smaller number of regular sellers indicates ongoing inventory management rather than opportunistic scams.
The Most Targeted Brands
Analysis of 322 posts from 35 unique actors revealed 3,007 total travel vendor mentions, with certain brands dominating the market:
- Airlines: United, American Airlines, Delta, Southwest, British Airways, Air Canada, Alaska Airlines
- Hotels: Marriott, Hilton, Hyatt, IHG, Best Western
The dominance of these brands reflects several factors: massive membership bases that increase compromise opportunities, high liquidity allowing flexible redemption, point value arbitrage potential, alliance integrations that expand redemption options, and strong market recognition that makes sales easier.
The Economics of Stolen Miles
Unlike many underground markets where prices are publicly displayed, loyalty account sellers rarely publish explicit pricing. This suggests negotiations occur privately, with sellers emphasizing availability over cost. When Flare researchers engaged with sellers directly, pricing averaged approximately $1 per 1,000 miles:
- 100,000 miles for $90
- 353,000 miles for $300
- 500,000 miles for $400
Critically, sellers consistently offered "full email access" alongside the loyalty accounts, giving buyers control over the linked email address and reducing the victim's ability to recover their account.
Why Loyalty Programs Are Attractive Targets
Travel rewards present an ideal target for several reasons:
- Stored Value: Points represent real monetary value that can be quickly converted
- Flexible Redemption: Multiple redemption options increase liquidity
- Detection Gaps: Users check financial accounts daily but rarely monitor loyalty balances
- Lower Security Priority: Loyalty programs often receive less security attention than banking credentials
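An added example, not from the article or from Flare's research: detection logic a program operator could run over account events to close the gap described above, scoring each redemption against the takeover-then-redeem pattern of the four-stage model. The event schema, field names, 72-hour window, 80% drain ratio and two-signal threshold are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=72)  # assumed look-back window; tune per program

# Constructed sample events for two hypothetical member accounts.
EVENTS = [
    {"ts": "2024-05-01T08:00", "acct": "A1", "type": "login", "device": "d-home"},
    {"ts": "2024-05-20T02:10", "acct": "A1", "type": "login", "device": "d-new"},
    {"ts": "2024-05-20T02:14", "acct": "A1", "type": "email_change"},
    {"ts": "2024-05-20T03:00", "acct": "A1", "type": "redeem", "points": 95000,
     "balance": 100000, "holder": "Dana Reyes", "traveler": "K. Orlov"},
    {"ts": "2024-05-02T09:00", "acct": "B2", "type": "login", "device": "d-phone"},
    {"ts": "2024-05-21T10:00", "acct": "B2", "type": "login", "device": "d-phone"},
    {"ts": "2024-05-21T10:05", "acct": "B2", "type": "redeem", "points": 20000,
     "balance": 180000, "holder": "Sam Lee", "traveler": "Sam Lee"},
]

def score_redemptions(events):
    """Return [(acct, ts, score, reasons)] for every redemption event."""
    seen_devices, risky, results = {}, {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        ts, acct = datetime.fromisoformat(ev["ts"]), ev["acct"]
        if ev["type"] == "login":
            known = seen_devices.setdefault(acct, set())
            # The first device seen for an account is treated as its baseline.
            if known and ev["device"] not in known:
                risky.setdefault(acct, []).append((ts, "new_device"))
            known.add(ev["device"])
        elif ev["type"] == "email_change":
            # Sellers advertise "full email access", so contact changes matter.
            risky.setdefault(acct, []).append((ts, "email_change"))
        elif ev["type"] == "redeem":
            reasons = sorted({r for t, r in risky.get(acct, []) if ts - t <= WINDOW})
            if ev["traveler"].lower() != ev["holder"].lower():
                reasons.append("third_party_traveler")  # resold bookings fly someone else
            if ev["points"] >= 0.8 * ev["balance"]:
                reasons.append("balance_drain")
            results.append((acct, ev["ts"], len(reasons), reasons))
    return results

def flagged(events, threshold=2):
    """Redemptions with at least `threshold` signals; one alone is common and benign."""
    return [r for r in score_redemptions(events) if r[2] >= threshold]

if __name__ == "__main__":
    for acct, ts, score, reasons in flagged(EVENTS):
        print(acct, ts, score, ",".join(reasons))
```

Holding a flagged redemption for step-up verification before ticketing matters here because, as the article notes, recovery is difficult once the travel has been completed.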
A Structured Underground Economy
The analysis reveals more than opportunistic crime—it demonstrates a structured resale environment with repeated sellers, inventory-style advertisements, and volume-based offers. In these markets, airline miles and hotel points function as digital commodities: measurable, tradable, and convertible into real-world value.
The breadth of affected brands, as opposed to concentration around a single breach, strongly suggests large-scale credential harvesting through methods like credential stuffing or stealer logs, not isolated compromise events.
As travel rewards continue to grow in value and popularity, this underground economy will likely expand, creating new challenges for both loyalty program operators and consumers who may not realize their unused miles represent a significant financial asset at risk.
