Researchers at Palo Alto Networks have uncovered the Jingle Thief hacking group, which targets the cloud infrastructures of retailers and consumer services companies to mass-issue and steal gift cards.
Researchers report that the hackers use phishing and smishing (SMS phishing) to steal credentials, infiltrate organizations that issue gift cards, and then work to obtain the privileges and access needed to issue new, unauthorized cards, which are sold on gray markets. Gift cards are attractive to criminals because they are easy to monetize, can be used with minimal personal data, and are difficult to trace, which complicates investigations into such schemes.
The group’s name refers to its activity pattern — the attacks coincide with holiday seasons. The company also tracks this activity under the codename CL-CRI-1032 and, with moderate confidence, links this cluster to the hacking groups Atlas Lion and Storm-0539, which have operated out of Morocco since 2021.
It is emphasized that Jingle Thief can maintain a foothold in compromised organizations for months, sometimes retaining access to the victim company’s network for more than a year. During this time, the hackers conduct extensive reconnaissance of the cloud infrastructure, perform lateral movement, and successfully evade detection.
In April–May 2025, researchers observed a wave of coordinated attacks by the group against a number of unnamed international companies. In one case, the attackers maintained access to the victim’s network for about 10 months and compromised 60 employee accounts.
The group’s attacks are highly targeted. First, the hackers conduct reconnaissance, then send their targets links to phishing pages via email or SMS. If an employee falls for the scam, the attackers harvest the employee’s Microsoft 365 credentials and use them to enter the company’s environment. The attackers then examine the victim’s SharePoint and OneDrive for information about gift card issuance and tracking processes, business operations, financial processes, VPN configurations, access guides, and other IT processes.
At the next stage of the attack, Jingle Thief sends additional phishing emails within the organization, masquerading as messages from the IT department to expand their access. The hackers create rules to automatically forward emails from compromised accounts to their own addresses and carefully cover their tracks by moving sent emails to Deleted Items.
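The forwarding rules and mailbox clean-up described above leave a trail in the Microsoft 365 audit log. The following is an added detection example, not code from the researchers or from Palo Alto Networks: it scans constructed sample records (modelled on Exchange Online `New-InboxRule`/`Set-InboxRule` audit entries, where the record carries `Operation`, `UserId` and a `Parameters` list; the organization domain `corp.example` and all addresses are assumed) and flags rules that forward mail outside the organization or hide messages by deleting them or filing them into Deleted Items.

```python
import json

# Constructed sample audit records (assumption: shape of Exchange Online
# inbox-rule entries in the Microsoft 365 Unified Audit Log).
SAMPLE_AUDIT_RECORDS = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "alice@corp.example",
                "Parameters": [{"Name": "Name", "Value": "Archive"},
                               {"Name": "ForwardTo", "Value": "drop@external-example.net"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"Operation": "Set-InboxRule", "UserId": "bob@corp.example",
                "Parameters": [{"Name": "Identity", "Value": "Sort"},
                               {"Name": "MoveToFolder", "Value": "Deleted Items"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "carol@corp.example",
                "Parameters": [{"Name": "Name", "Value": "Team"},
                               {"Name": "RedirectTo", "Value": "dan@corp.example"}]}),
]

INTERNAL_DOMAINS = {"corp.example"}          # assumed organization domain(s)
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")


def _is_external(address, internal_domains):
    """True when the address's domain is not one of the organization's own."""
    return address.rsplit("@", 1)[-1].lower() not in internal_domains


def find_suspicious_rules(audit_lines, internal_domains=INTERNAL_DOMAINS):
    """Return (user, operation, reasons) for inbox rules that exfiltrate or hide mail."""
    findings = []
    for line in audit_lines:
        rec = json.loads(line)
        if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = {p["Name"]: str(p["Value"]) for p in rec.get("Parameters", [])}
        reasons = []
        for name in FORWARDING_PARAMS:
            if name not in params:
                continue
            # Recipients may be ';'-separated; keep only those outside the org.
            targets = [t.strip() for t in params[name].split(";") if t.strip()]
            external = [t for t in targets if _is_external(t, internal_domains)]
            if external:
                reasons.append(f"{name} to external {external}")
        if params.get("DeleteMessage", "").lower() == "true":
            reasons.append("DeleteMessage")
        if params.get("MoveToFolder", "").lower() == "deleted items":
            reasons.append("MoveToFolder=Deleted Items")
        if reasons:
            findings.append((rec["UserId"], rec["Operation"], reasons))
    return findings
```

In a real tenant the same logic runs over records exported from the Unified Audit Log; rules that forward to a domain outside the organization, or that delete or file messages into Deleted Items, are the ones to review first.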
In some cases, the group registers fake authenticators to bypass multi-factor authentication and even enrolls its own devices in Entra ID to retain access after password resets or the revocation of session tokens.
A distinguishing feature of Jingle Thief campaigns is their focus on cloud services and identity abuse rather than deploying custom malware, which minimizes the risk of the attacks being detected.
“Gift card fraud combines stealth, speed, and scalability, especially when cloud environments are accessible,” the researchers say. “To exploit these systems, attackers need access to internal documentation, which they obtain by stealing credentials and maintaining a covert presence in Microsoft 365 environments.”