There’s a black market for your frequent flyer miles. Stolen frequent flyer accounts and rewards points are a hot commodity on the dark net.
In August 2018, Comparitech sifted through half a dozen illicit goods marketplaces on the dark web to find out just how much frequent flyer miles are worth.
On Dream Market, one of the largest black markets on the dark web, a single vendor sells reward points from over a dozen different airline reward programs, including Emirates Skywards, SkyMiles, and Asia Miles. Going by the handle @UpInTheAir, they sell a minimum of 100,000 points for the reward program of your choice, starting at $884 at the time of writing (this was probably $1,000 originally, but Bitcoin price fluctuations caused it to go down).
Across all vendors and marketplaces, Delta SkyMiles and British Airways were the most commonly listed. Prices are not consistent across vendors and seem to be based more on the vendor’s preference than supply and demand. To give you a better idea, here are some prices for points on other rewards programs that we dug up on Dream Market, Olympus Market, and Berlusconi Market:
| Rewards program | Points | Price |
|---|---|---|
| ANA All Nippon | 100,000 | $884 |
| British Airways Executive Club | 100,000 | $884 |
| El Al Frequent Flyer Club | 100,000 | $884 |
| Virgin Atlantic Flying Club | 100,000 | $884 |
All these prices are based on the price of either Bitcoin or Monero at the time of writing, so they have likely fluctuated somewhat since then.
The real-world value of frequent flyer miles varies widely depending on the rewards program and what you spend them on. Airline points are typically worth between one and two cents each. So if we assume 100,000 miles (valued at $0.015 each) are worth $1,500, you can see the dark net prices come in at a fraction of the cost.
What good are stolen airline miles?
So why would anyone buy stolen airline miles, and how does this all work?
Obviously, stolen airline miles aren’t usually spent on actual airfare or hotel bookings—purchases that require proof of ID.
But many reward programs allow account holders to redeem points at local retailers, often through gift cards. In March last year, for example, Air Miles alerted members that points stolen from members were used to buy products from participating retailers. Members aren’t required to enter a password or PIN when spending points, and retail staff often don’t ask for an ID. Due to the lack of verification, frequent flyer miles have become a profitable target for hackers and thieves. And because most of us don’t use or check our frequent flyer accounts very often, the theft can go unnoticed for months.
While it’s against the terms of service for most rewards programs, points can also be resold. Grey market mileage brokers abound in Google search results. These brokers typically buy unused points and use them to get business- and first-class upgrades and other bonuses for their clients. Brokers are wary of miles from hacked accounts that might be “tainted”, which is why dark web vendors often mark their miles as “clean”. This means the account hasn’t been flagged or shut down by the airline.
In some cases, hackers will redeem the points immediately after taking over an account, and then sell the rewards themselves. Last year, Russian hackers used stolen air miles to purchase flight upgrades, hotels, and rental cars, which they then flipped on legitimate-looking websites to unsuspecting customers.
How thieves sell stolen airline miles
So how do hackers get all those points in the first place? They start by breaking into personal accounts. They can obtain the credentials—usually a username, password, and PIN—through various means, such as breaching a data server with that information, or phishing individual account holders.
With a working frequent flyer account in hand, the hacker now has two options: sell the hacked account or transfer the miles into another account.
Buying a hacked account is fairly straightforward, more common, and from what we could tell, cheaper. A typical listing on the dark net offers the necessary login information. The buyer is then responsible for transferring the miles to his or her own account, or redeeming the rewards directly.
The other method is for the hacker to put miles into a clean account before selling. Because the buyer doesn’t have to log in to someone else’s legitimate account, they don’t leave a trace, so this option is considered safer. The buyer creates a new account, or the seller creates one on their behalf, and then the seller transfers the purchased miles into that account. The buyer is then free to spend the points without worrying about the original account holder discovering their presence. These listings also have the option to purchase as many miles as you want instead of a fixed amount, although there’s usually a minimum.
Although this method is safer and more convenient, we noticed that miles sold this way were more expensive. This may be because airlines charge a fee to transfer points between accounts; Air Miles, for example, charges 15 cents per mile.
Note that while it’s against the terms and conditions for pretty much every airline to sell miles, it’s generally not against the rules to give miles to friends and family. Airlines do have some fraud prevention safeguards in place to detect suspicious activity, but they generally have a hard time distinguishing between selling and giving.
How to protect your frequent flyer miles
Here are some tips to keep your hard-earned points out of the hands of hackers.
- Shred your boarding pass after a flight.
- Never post a photo of your boarding pass online.
- Use a strong and unique password for your frequent flyer account.
- Monitor your account for suspicious activity. If you’re a member of more than one award program, an app like AwardWallet can help you manage all your accounts in one place.
- Don’t put your airline account number on a baggage tag.
- Avoid using public wifi to access your account.
- Use Experian’s Dark Web Scanner to search illicit marketplaces for your phone number, email address, and Social Security number.
In at least one case, hackers breached a lower-security third-party site to get email addresses and passwords, then matched those emails against known frequent flyer accounts. Because many people don’t bother using unique passwords, hackers could use the password from the third-party site to break into frequent flyer accounts. So, it’s important to remember that common sense cyber security practices should apply to all your online accounts, not just your frequent flyer account.
If you get caught with stolen airline miles or selling your own miles, the airline can wipe out your account and leave you with nothing. Airlines can even cancel your bookings if they’ve found you’ve broken the terms of service. On a related note, we don’t recommend selling leftover miles to mileage brokers. This is against the terms of service for most airlines, you usually only get a fraction of what your points are worth, and scams are common.