The case started like many others: anonymity, stolen credit card data, illegal transactions, and hidden services on the dark web. But this time the criminals were not using high-tech payment methods or sophisticated money laundering schemes. Their weapon of choice was surprisingly simple. Gift cards.
Gift Cards-as-a-Currency, or GaaC, was fueling cybercrime in ways most people would not imagine, reaching far beyond the usual eCommerce fraud. Once just a popular stolen good on dark web marketplaces, gift cards have transformed into the currency of choice for cybercriminals: a stable, anonymous, omnichannel medium of exchange that travels freely between fraud operations, payment rails, and laundering chains.
Gift cards are all over the dark web, typically sold at 20% to 40% of their real value. The shift from stolen good to active currency represents a maturation of the criminal ecosystem, one that fraud teams have been slow to track.
"Gift cards might seem harmless, but in the wrong hands they are as effective and untraceable as any anonymous currency in a fraudster's arsenal."
The Dark Web Gift Card Market
The evidence below was collected from active dark web marketplaces and forums. It shows the breadth and liquidity of the gift card market: cards from major consumer brands sold in bulk at steep discounts, with escrow protection, ratings systems, and seller profiles indistinguishable from legitimate eCommerce stores.
Why Gift Cards Became a Preferred Currency
Four structural properties make gift cards uniquely suited to criminal use, and uniquely difficult for fraud teams to monitor.
The Five Fraud MOs
MO One in Action: Paying for RATs with Gift Cards
The best illustration of GaaC as criminal currency is when gift cards are used to pay for illegal services directly. A dark web RAT developer selling Remote Access Trojans for account takeover and Man-in-the-Browser attacks was asked by one of our researchers whether gift cards would be accepted as payment.
MO Two in Action: Gift Cards to Crypto
The fraud scheme follows a deliberate and disciplined pattern. The actor visits merchant websites in guest mode and purchases low-denomination gift cards, typically valued between $50 and $100. After each transaction, he terminates the session and waits approximately 30 minutes before initiating another purchase to reduce fraud detection triggers.
Approved gift card codes are delivered to a “guerrilla” email account accessed through the dark web. The codes are then sold in exchange for Monero (XMR). The cryptocurrency is subsequently laundered through multiple wallets and mixing services before being converted into cash.
The fraudster is also capable of scaling the operation by running the scheme concurrently across multiple devices, each connected through separate VPN sessions to further compartmentalize activity and mitigate attribution risk.
From an operational security (OPSEC) standpoint, this fraudster demonstrates a high level of sophistication. He reportedly uses a laptop purchased with cash in another state to avoid traceability, operates on Linux, and connects through a Surfshark VPN acquired using a burner phone. He accesses Whonix via VirtualBox and utilizes privacy-focused or anti-detect browsers such as Tor or Brave to further obscure his digital footprint.
MO Three in Action: Apple Pay to Gift Cards
A fraudster with 30 stolen British credit cards loaded into Apple Pay is seeking advice on how to monetise them. Options considered include Apple product purchases, online gaming sites, and payroll systems. A forum member suggests the simplest route: gift cards via G2A, buying with Apple Pay at the point of sale.
MO Four in Action: Hacked Loyalty Accounts
Two compromised frequent flyer accounts being sold on the dark web: a Singapore Airlines KrisFlyer account with 6,762 miles, and a Lufthansa Miles & More account with 4.641 million award miles and 1,860 status miles. These are purchased by fraudsters, taken over using stolen credentials, and their balances converted into gift cards that are then resold or used for direct payments.
MO Five in Action: BOPIS at Best Buy
A fraudster with stolen card data from a wealthy neighborhood is seeking the optimal omnichannel strategy: buy e-gift cards online with the stolen card details, then redeem in-store at Best Buy for electronics. He has photos of three cards front and back, plus the cardholder's ID. This is textbook BOPIS fraud: online purchase, physical redemption, immediate resale.
As I pieced it all together, one thing became clear: gift cards have become a powerful, hard-to-detect currency in the criminal underworld. This is no longer just an eCommerce fraud problem. It has spilled into industries, payment rails, and laundering chains that few teams are monitoring for gift card exposure. The controls built for credit card fraud do not cover a payment instrument that behaves like cash, moves like data, and is treated inside criminal networks with the same trust as Bitcoin.