“Jingle Thief” Cybercrime Group Targets Cloud Gift Card Systems in Retail Sector



Cybersecurity researchers have uncovered a sophisticated cybercriminal operation dubbed “Jingle Thief,” which has been targeting cloud environments linked to retail and consumer service organizations to carry out large-scale gift card fraud.

According to a new analysis by Palo Alto Networks Unit 42 researchers Stav Setty and Shachar Roitman, the attackers use phishing and smishing campaigns to steal employee credentials from companies that issue or manage gift cards. Once inside, they escalate privileges and issue unauthorized cards for financial gain — often reselling them on gray markets.

Gift cards remain a preferred target for cybercriminals because they are easy to redeem, largely anonymous, and hard to trace, which makes the resulting fraud difficult to investigate.

A Seasonal Threat with Long-Term Persistence

The group’s name, Jingle Thief, stems from its pattern of ramping up fraud campaigns around holiday and festive seasons, when gift card transactions surge. Palo Alto Networks tracks the operation internally under the identifier CL-CRI-1032, with “CL” representing cluster and “CRI” indicating criminal motivation.

Researchers have linked Jingle Thief with moderate confidence to financially motivated actors Atlas Lion and Storm-0539, groups previously associated with operations traced back to Morocco. The threat cluster is believed to have been active since late 2021.

One of the most concerning traits of Jingle Thief is its long-term persistence within compromised environments — in some cases, maintaining access for over a year. During this period, attackers conduct extensive reconnaissance, map cloud infrastructures, move laterally, and implement methods to avoid detection.

Recent Global Campaigns

Unit 42 reported a surge in coordinated Jingle Thief campaigns between April and May 2025, targeting multiple global enterprises. In one notable incident, the attackers compromised 60 user accounts within a single organization and maintained access for approximately 10 months.

By exploiting stolen credentials, Jingle Thief operators impersonate legitimate users to infiltrate Microsoft 365 environments, steal sensitive data, and execute high-value gift card fraud at scale. They also modify log settings and forensic trails to conceal unauthorized issuance activities.

Phishing Tactics and Cloud Abuse

The group employs highly tailored phishing pages mimicking Microsoft 365 login portals, distributed via email or SMS, to harvest credentials. Once credentials are obtained, the attackers perform a second round of reconnaissance inside the organization, focusing on SharePoint, OneDrive, and internal documentation.

Targets include:

  • Gift card issuance workflows
  • VPN configuration guides
  • Access credentials for Citrix or cloud systems
  • Financial process documentation

Jingle Thief further leverages compromised accounts to send internal phishing emails, often disguised as IT service notifications or ticketing updates, exploiting the trust of corporate communication systems.

To maintain persistence, the group creates malicious inbox rules to forward emails, deletes sent messages, and even registers rogue authenticator apps to bypass multi-factor authentication (MFA). In some cases, attackers enroll their own devices in Entra ID, ensuring continued access even after password resets.
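The persistence steps just described, together with the log tampering mentioned earlier, each leave a record in the tenant's audit trail, and the useful signal for a defender is the combination: one account that adds a forwarding or auto-delete inbox rule, registers a new authenticator method, and enrolls a device within a short window. The script below is an added example, not code from Unit 42 or from this article. It runs over a handful of constructed audit events whose shape is loosely modeled on Microsoft 365 unified audit log records; the operation names, parameter keys and field layout are assumptions and should be checked against a real tenant's export before use.

```python
"""Triage constructed Microsoft 365 audit events for the persistence chain
described above (forwarding/delete inbox rules, new MFA methods, device
registrations, audit-configuration changes) and correlate them per user."""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Operation names and parameter keys are assumptions modeled on Exchange Online
# and Entra ID audit records; verify them against your own tenant's logs.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
AUDIT_TAMPER_OPERATIONS = {"Set-AdminAuditLogConfig", "Set-MailboxAuditBypassAssociation"}
MFA_REGISTRATION_OPERATIONS = {"User registered security info"}
DEVICE_OPERATIONS = {"Add registered users to device", "Add device"}

# Constructed sample events (not real log data). Alice shows the full chain,
# Bob creates a harmless sorting rule, Carol and Dave each show one technique.
SAMPLE_LINES = [json.dumps(e) for e in [
    {"CreationTime": "2025-04-14T09:12:00", "Operation": "New-InboxRule", "UserId": "alice@example.com",
     "Parameters": [{"Name": "Name", "Value": "Archive"}, {"Name": "ForwardTo", "Value": "collector@example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2025-04-14T09:20:00", "Operation": "User registered security info", "UserId": "alice@example.com",
     "Parameters": [{"Name": "Method", "Value": "Authenticator App"}]},
    {"CreationTime": "2025-04-15T11:02:00", "Operation": "Add registered users to device", "UserId": "alice@example.com",
     "Parameters": [{"Name": "DeviceDisplayName", "Value": "DESKTOP-UNKNOWN"}]},
    {"CreationTime": "2025-04-14T10:00:00", "Operation": "New-InboxRule", "UserId": "bob@example.com",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "MoveToFolder", "Value": "Reading"}]},
    {"CreationTime": "2025-04-16T08:00:00", "Operation": "Set-AdminAuditLogConfig", "UserId": "carol@example.com",
     "Parameters": [{"Name": "UnifiedAuditLogIngestionEnabled", "Value": "False"}]},
    {"CreationTime": "2025-04-20T08:00:00", "Operation": "Set-InboxRule", "UserId": "dave@example.com",
     "Parameters": [{"Name": "DeleteMessage", "Value": "True"}]},
]]


@dataclass
class Finding:
    user: str
    technique: str
    when: datetime
    detail: str


def _params(record: dict) -> Dict[str, str]:
    """Flatten the record's Parameters list into a name -> value map."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def classify(record: dict) -> Optional[Finding]:
    """Map one audit record to a persistence technique, or None if it looks benign."""
    op = record.get("Operation", "")
    user = record.get("UserId", "unknown").lower()
    when = datetime.fromisoformat(record["CreationTime"])
    params = _params(record)
    if op in RULE_OPERATIONS:
        forwarding = {k: v for k, v in params.items() if k in FORWARDING_PARAMS}
        if forwarding:
            return Finding(user, "inbox_rule_forwarding", when, f"{op} -> {forwarding}")
        if params.get("DeleteMessage", "").lower() == "true":
            return Finding(user, "inbox_rule_delete", when, f"{op} deletes matching messages")
        return None  # ordinary sorting rule, e.g. MoveToFolder only
    if op in AUDIT_TAMPER_OPERATIONS:
        return Finding(user, "audit_config_change", when, op)
    if op in MFA_REGISTRATION_OPERATIONS:
        return Finding(user, "mfa_method_added", when, params.get("Method", op))
    if op in DEVICE_OPERATIONS:
        return Finding(user, "device_registered", when, params.get("DeviceDisplayName", op))
    return None


def triage(lines: List[str]) -> List[Finding]:
    """Parse JSON log lines and keep only the records that map to a technique."""
    findings = []
    for line in lines:
        finding = classify(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


def correlated_users(findings: List[Finding], min_techniques: int = 2,
                     window: timedelta = timedelta(days=7)) -> List[str]:
    """Return users who show several distinct techniques inside one sliding window.
    A single forwarding rule or MFA change is common noise; the chain is the signal."""
    by_user: Dict[str, List[Finding]] = {}
    for f in findings:
        by_user.setdefault(f.user, []).append(f)
    flagged = []
    for user, fs in by_user.items():
        fs.sort(key=lambda f: f.when)
        for i, start in enumerate(fs):
            techniques = {f.technique for f in fs[i:] if f.when - start.when <= window}
            if len(techniques) >= min_techniques:
                flagged.append(user)
                break
    return sorted(flagged)


if __name__ == "__main__":
    found = triage(SAMPLE_LINES)
    for f in found:
        print(f"{f.when:%Y-%m-%d %H:%M} {f.user:20} {f.technique:24} {f.detail}")
    print("accounts to investigate:", correlated_users(found))
```

Running it against the constructed events flags only Alice's account, even though Carol's audit-configuration change and Dave's delete rule are each recorded as findings; in practice those single-technique hits still belong in a lower-priority queue, and the `window` and `min_techniques` thresholds should be tuned to the tenant's normal rate of inbox-rule and MFA changes.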

Unlike many threat actors that deploy custom malware, Jingle Thief relies heavily on identity misuse and cloud-native exploitation techniques. This stealthy approach allows them to blend in with legitimate activity and evade detection tools focused on endpoint-based threats.

Published October 23rd, 2025 | cloud, Cybersecurity, phishing, Threat Intelligence

About the Author:

FirstHackersNews- Identifies Security
