Travel Rewards Turn into Underground Currency.

Airline miles were designed as rewards, however, in cybercrime markets, they are inventory. In many cases, the theft begins with credential compromise and ends with miles quietly converted into flights and hotel stays.

Flare researchers analyzed hundreds of posts from underground communities, which at first glance appear to be scattered account abuse but instead resemble a steady commercial trade in travel rewards – priced, negotiated, and monetized like commodities.

Loyalty fraud rarely appears in official crime dashboards as its own category. However, according to a Reuters article, industry estimates suggest that fraudulent reward redemptions across travel and retail ecosystems annually cost between $1-$3 billion USD in monetary losses to victims. 

The Full Fraud Cycle – Turning Rewards into Revenue

The monetization model is straightforward and follows four stages:

1. Gain control over a loyalty account: In many cases this is achieved by another threat actor, usually a more technical one who deploys malware such as infostealers or phishing or brute force into these accounts. This access is usually sold to a fraudster.

2. Identifying valid miles and travel accounts: In this stage, the threat actor identifies valid accounts, usually with email access to increase the chances the fraud succeeds and advertises this as inventory in Telegram groups.

3. Redeem miles for legitimate travel: After finding a potential customer, the fraudster will redeem the points or miles into a saleable commodity, usually a flight ticket or hotel accommodation.

4. Resell the booking at a discount: In some cases, this commodity is resold in social media as a discounted airline ticket or accommodation.

Threat actors redeem miles for legitimate flights or hotel stays and resell those bookings at discounted rates.

Once the travel is completed, chargeback by the victim becomes difficult because the points or miles were already converted into real-world commodities.

A Sales Channel Disguised as a Chat Group

At first glance, the group looks like any other messaging channel. Scroll through the feed, however, and a pattern becomes clear. This is not discussion, it is inventory.

Posts follow a rhythm: “United available”, “High balance Marriott”, “Bulk AA accounts”, “Ready booking service”.

What stands out in the group is not how accounts are stolen, but how they are sold. Posts are structured like advertisements, often listing several airline and hotel programs in the same message – for example, United alongside Marriott or Delta next to Hilton.

The repetition suggests access to large pools of compromised accounts rather than isolated incidents, which often target the bigger players on the market (as Flare researchers illustrate below).

Activity is also concentrated among a smaller number of sellers who post regularly, giving the impression of actors managing ongoing inventory rather than opportunistic scammers.

Brands in Circulation 

Flare researchers analyzed322 posts published by 35 unique actors in a fraud-focused chat group revealing a structured resale economy built around compromised airline and hotel loyalty accounts, with 3,007 total travel vendor mentions.

Several factors likely explain the dominance of the top 20 targeted brands:

• Scale of membership bases – these airlines and hotel chains operate some of the largest loyalty programs globally. Larger user bases increase the probability of credential reuse, phishing exposure, and infostealer capture.

• High liquidity – programs like United, American, Delta, Marriott, and Hilton allow flexible redemption and broad route or property networks. That makes stolen miles easier to convert into sellable bookings.

• Point value arbitrage – frequent flyer programs often allow premium cabin redemptions with high cash value equivalents. The resale potential is attractive when a $90 purchase can produce a ticket worth thousands.

• Integration with alliances – airlines in global alliances (Star Alliance, Oneworld, SkyTeam) allow cross-carrier redemption. That increases liquidity and resale flexibility.

• Market recognition – buyers recognize major brands. Selling “United 100K” is easier than selling smaller or regional carriers.

Notably, the dataset shows breadth rather than concentration around a single breach. The presence of over 20 airline and hotel brands strongly suggests credential harvesting at scale — likely through credential stuffing or stealer logs – rather than a one-off compromise event.

The Pricing Behind the Trade

Unlike many underground markets, explicit pricing was rarely displayed publicly. Posts emphasized availability rather than cost, suggesting negotiations were pushed into private conversations.

Flare researchers conducted additional investigations engaging with several sellers. Their offerings included United, American Airlines, and Delta accounts. Pricing was relatively consistent averaging roughly $1 per 1,000 miles:

• 100,000 miles for $90

• 353,000 miles for $300

• 500,000 miles for $400

Each seller emphasized that the account included “full email access,” meaning the buyer also receives control of the email address linked to the loyalty account – reducing the chance that the legitimate owner can quickly recover it.

Why Loyalty Fraud Is Attractive

Travel rewards hold stored value, can be redeemed flexibly, and are often monitored less aggressively than bank accounts. Many users check financial balances daily, but loyalty balances only occasionally, creating a detection gap that fraudsters exploit.

A Quiet but Profitable Ecosystem

The posts analyzed reveal a structured resale environment with repeated sellers, inventory-style advertisements, and volume-based offers. In underground markets, airline miles and hotel points function much like digital commodities — measurable, tradable, and convertible.

Learn more by signing up for our free trial.

Sponsored and written by Flare.