Cybercriminal Group ‘Jingle Thief’ Exploits Cloud Systems to Steal Millions in Gift Cards

Cybersecurity experts have recently uncovered a cybercriminal organization known as ‘Jingle Thief,’ which has been actively infiltrating cloud infrastructures of companies in the retail and consumer services sectors to commit large-scale gift card fraud.

According to researchers from Palo Alto Networks’ Unit 42, ‘Jingle Thief’ employs sophisticated phishing and smishing techniques to obtain credentials from employees of organizations that issue gift cards. Once inside, they escalate their access to generate unauthorized gift cards. These fraudulent cards are then likely sold on secondary markets for profit. Gift cards are particularly attractive to cybercriminals due to their ease of redemption with minimal personal information and the difficulty in tracing transactions, complicating efforts to investigate and mitigate such fraud.

The moniker ‘Jingle Thief’ reflects the group’s tendency to intensify their fraudulent activities during festive seasons and holidays. Palo Alto Networks tracks this group under the identifier CL-CRI-1032, where ‘CL’ denotes a cluster and ‘CRI’ indicates criminal intent.

With moderate confidence, the group has been linked to other criminal entities known as Atlas Lion and Storm-0539. Microsoft has characterized Storm-0539 as a financially motivated group originating from Morocco, believed to be active since at least late 2021.

One of the alarming aspects of ‘Jingle Thief’ is their ability to maintain prolonged access within compromised organizations, sometimes exceeding a year. During this period, they conduct thorough reconnaissance to map out the cloud environment, move laterally within the cloud infrastructure, and implement measures to evade detection.

In April and May 2025, Unit 42 observed a series of coordinated attacks by ‘Jingle Thief’ targeting multiple global enterprises. The attackers utilized phishing campaigns to acquire credentials, enabling them to breach the victims’ cloud infrastructures. In one notable instance, they maintained access for approximately ten months and compromised 60 user accounts within a single organization.

The group’s modus operandi involves exploiting cloud-based systems to impersonate legitimate users, gain unauthorized access to sensitive data, and execute large-scale gift card fraud. They often target applications responsible for issuing gift cards, generating high-value cards across various programs while minimizing logs and forensic evidence to avoid detection.

Their attacks are highly customized for each target. After initial reconnaissance, they send convincing phishing emails or SMS messages containing fake login pages designed to deceive victims into entering their Microsoft 365 credentials. Once they obtain these credentials, the attackers promptly access the environment and conduct further reconnaissance, focusing on SharePoint and OneDrive to gather information about business operations, financial processes, and IT workflows.

This includes searching for details on gift card issuance workflows, VPN configurations, access guides, spreadsheets, internal systems used for issuing or tracking gift cards, and information related to virtual machines and Citrix environments.

Subsequently, the attackers use the compromised accounts to send internal phishing emails within the organization, expanding their access. These emails often mimic IT service notifications or ticketing updates, leveraging information obtained from internal documentation or previous communications.

Additionally, ‘Jingle Thief’ is known to create inbox rules that automatically forward emails from compromised accounts to addresses under their control, covering their tracks by moving sent emails directly to the Deleted Items folder.

In some cases, the group has registered rogue authenticator apps to bypass multi-factor authentication (MFA) protections and has even enrolled their own devices in Entra ID, so that access survives password resets and session token revocation by the victim.
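The two persistence techniques described in the last two paragraphs (mail-forwarding inbox rules that hide sent mail in Deleted Items, and newly registered MFA methods) both leave records in the Microsoft 365 audit trail. The following added example is not from Unit 42 or the article: it is a small defender-side scanner that reads records in a simplified, Unified-Audit-Log-like layout, flags the risky rule parameters and MFA registrations, and prioritises users who show both. The record field names, the operation names and the tenant domain `example.com` are assumptions, and the sample log is constructed.

```python
"""Detect inbox-rule forwarding and fresh MFA registrations in M365-style audit records.

Added example, not code from the report or the article. The record layout
approximates the Unified Audit Log (Operation, UserId, Parameters as Name/Value
pairs) but is an assumption; adapt the keys to your export before use.
"""
import json
from collections import defaultdict
from dataclasses import dataclass

INTERNAL_DOMAINS = {"example.com"}  # assumed tenant domains; external = anything else

# Operation names are assumptions based on common M365 audit exports.
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
MFA_OPS = {"User registered security info", "User registered all required security info"}

# Constructed sample records (not real logs): one account shows the full pattern.
SAMPLE_LOG = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com",
     "Parameters": [{"Name": "Name", "Value": "Sync"},
                    {"Name": "ForwardTo", "Value": "drop@attacker.example"},
                    {"Name": "MoveToFolder", "Value": "Deleted Items"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "MoveToFolder", "Value": "Invoices"}]},
    {"Operation": "Set-InboxRule", "UserId": "carol@example.com",
     "Parameters": [{"Name": "ForwardAsAttachmentTo", "Value": "helpdesk@example.com"}]},
    {"Operation": "User registered security info", "UserId": "alice@example.com",
     "ResultStatus": "Success"},
    {"Operation": "UserLoggedIn", "UserId": "bob@example.com", "ResultStatus": "Success"},
]


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str    # "inbox_rule" or "mfa_registration"
    reason: str


def _params(record):
    """Flatten the Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def _is_external(address):
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def check_inbox_rule(record):
    """Flag rules that forward mail outside the tenant or bury mail in Deleted Items."""
    if record.get("Operation") not in RULE_OPS:
        return []
    user, params, findings = record["UserId"], _params(record), []
    for name in sorted(FORWARD_PARAMS):
        if name in params and _is_external(params[name]):
            findings.append(Finding(user, "inbox_rule", f"{name} to external {params[name]}"))
    if params.get("MoveToFolder", "").lower() == "deleted items":
        findings.append(Finding(user, "inbox_rule", "rule moves mail to Deleted Items"))
    if str(params.get("DeleteMessage", "")).lower() == "true":
        findings.append(Finding(user, "inbox_rule", "rule deletes matching mail"))
    return findings


def check_mfa_registration(record):
    """Flag a successful new MFA method registration; verify it with the account owner."""
    if record.get("Operation") in MFA_OPS and record.get("ResultStatus") == "Success":
        return [Finding(record["UserId"], "mfa_registration", "new MFA method registered")]
    return []


def scan(records):
    findings = []
    for rec in records:
        findings.extend(check_inbox_rule(rec))
        findings.extend(check_mfa_registration(rec))
    return findings


def scan_jsonl(text):
    """Convenience wrapper for a JSON-lines export."""
    return scan(json.loads(line) for line in text.splitlines() if line.strip())


def prioritize(findings):
    """Users with both a suspicious rule and a new MFA method, sorted for triage."""
    kinds = defaultdict(set)
    for f in findings:
        kinds[f.user].add(f.kind)
    return sorted(u for u, k in kinds.items() if {"inbox_rule", "mfa_registration"} <= k)


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.user}: [{f.kind}] {f.reason}")
    print("priority accounts:", prioritize(scan(SAMPLE_LOG)))
```

Forwarding to an internal address (carol’s rule) is deliberately not flagged, which keeps the alert volume down; a rule that forwards externally is rare enough in most tenants to justify a ticket on its own, and the combination with a fresh MFA registration on the same account is the pattern worth escalating first.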

Unlike many cybercriminal groups that deploy custom malware, ‘Jingle Thief’ focuses on identity misuse, which reduces the likelihood of detection. Their approach combines stealth, speed, and scalability, especially when exploiting cloud environments where gift card issuance workflows reside.

To carry out these operations, the attackers need access to internal documentation and communications. They achieve this by stealing credentials and maintaining a quiet, persistent presence within the Microsoft 365 environments of targeted organizations that provide gift card services.