Stolen airline miles and hotel points are trading as commodities in underground Telegram channels, with researchers identifying 3,007 total travel vendor mentions across 322 posts from 35 unique actors in a single fraud-focused group.
The finding comes from Flare, a threat intelligence firm whose researchers analyzed hundreds of posts from cybercrime communities. What appeared at first to be scattered account abuse is, according to the announcement, a structured resale economy — priced, negotiated, and fulfilled like a wholesale trade.
Industry estimates, cited from a Reuters report, put annual losses from fraudulent reward redemptions across travel and retail ecosystems at between $1 billion and $3 billion USD. Loyalty fraud rarely appears as its own category in official crime statistics.
How the Cycle Works
The operation runs in four stages. A technically capable threat actor first compromises loyalty accounts through infostealers, phishing, or brute-force attacks, then sells that access to a separate fraudster. The buyer identifies accounts with the highest balances — email access included, to improve success rates — and advertises them as inventory. A customer is found, the miles are redeemed for flights or hotel stays, and those bookings are resold at a discount, often through social media.
Once travel is completed, recovery becomes difficult. The points have already converted into real-world bookings, making chargebacks by victims largely ineffective.
Telegram channels operating in this space look unremarkable at a glance. Scroll deeper and the commercial structure becomes apparent. Posts follow a recognizable rhythm: “United available,” “High balance Marriott,” “Bulk AA accounts,” “Ready booking service.” Multiple programs appear in single messages — United alongside Marriott, Delta next to Hilton — suggesting actors managing large pools of compromised credentials rather than targeting accounts individually.
More Read
Why the Major Brands Dominate
Activity concentrates around a smaller number of repeat sellers, reinforcing the impression of ongoing inventory management rather than opportunistic fraud.
The researchers point to three factors that explain why the top targeted brands — including United, American Airlines, Delta, Marriott, and Hilton — appear so frequently. Their loyalty programs carry the largest global membership bases, increasing the probability of credential reuse and phishing exposure. Their redemption networks are broad, making stolen miles easier to convert into sellable bookings quickly. And the point value arbitrage is significant: premium cabin redemptions carry high cash equivalents, meaning a relatively small upfront cost can yield a booking worth multiples of that amount on the secondary market.
The pattern, the firm says, reflects a market with professional characteristics — sellers who post regularly, inventory described in consistent formats, and a preference for high-liquidity programs that minimize the gap between theft and cash-out.
Flare says it monitors underground channels for compromised loyalty credentials and travel account activity, positioning the research as a case for threat intelligence tooling aimed at detecting account compromise before reward balances are drained.
Photo by Charly Nguyen on Unsplash
This article is a curated summary based on third-party sources. Source: Read the original article
