A sprawling fraud campaign has emerged that targets large enterprises issuing gift cards, and researchers say the attackers are neither unsophisticated nor small-time. Instead, one group operating out of Morocco has quietly infiltrated corporate cloud systems, exploited identity tools, and issued high-value gift cards for resale. The campaign has been dubbed “Jingle Thief” by the security team at Unit 42, the cyber threat research arm of Palo Alto Networks.

The scam begins with relatively simple means. Phishing and smishing (SMS-based phishing) lures are sent to employees of global retail and consumer-service companies. The attackers impersonate familiar, trusted entities (e.g., non-profits, internal IT notices, or ticketing system updates) to trick victims into handing over credentials. Once inside a company’s cloud environment, they proceed with reconnaissance, lateral movement, and persistence.

What is notable is how little malware is used. The attackers rely overwhelmingly on cloud identity abuse rather than dropping malicious code on endpoints. They enroll rogue devices, register malicious authenticator apps, set inbox rules that forward sensitive approval emails to attacker-controlled accounts, and quietly access document shares that track gift card workflows and issuance systems.

In one incident, the threat actors maintained access in a single enterprise environment for approximately ten months and compromised over sixty user accounts.

The sequence typically follows three phases:

Initial compromise: A phishing email leads to credential extraction. The URL may appear legitimate, but in fact directs the user to a hostile site.

Cloud reconnaissance and lateral movement: After login, the attackers explore SharePoint, OneDrive, Exchange, and other resources, searching for gift card issuance workflows, approval chains, ticketing exports, VPN access guides, and internal spreadsheets.

Fraud execution: Once the right application or workflow is identified, the attackers issue gift cards, often high-value ones, using the compromised credentials. They then convert those cards into cash or move them through gray market channels. All this is done with minimal log traces and without malware.

One of the major advantages for the fraudsters is how gift cards are treated internally by many companies. Because these systems often sit outside core financial controls, they are less frequently monitored and logged than banking systems. That gives attackers both opportunity and cover.
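As an added illustration of the identity-layer tradecraft described above (this is not code from Unit 42 or the original article), the following Python triages a handful of constructed, simplified audit events for the signals the text names: inbox rules forwarding mail off-tenant, new device registrations, newly added authenticator methods, and access to gift card workflow documents. The event shape, the corporate domain example.com and the two-indicator threshold are assumptions.

```python
from collections import defaultdict

INTERNAL_DOMAINS = {"example.com"}   # assumed corporate mail domain

# Constructed sample events in a simplified audit-log shape (not real tenant data).
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com",
     "Parameters": {"ForwardTo": "drop@mail.test", "SubjectContainsWords": "gift card"}},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com",
     "Parameters": {"ForwardTo": "helpdesk@example.com"}},
    {"Operation": "Register device", "UserId": "alice@example.com",
     "DeviceDisplayName": "DESKTOP-7F2A", "ClientIP": "203.0.113.9"},
    {"Operation": "User registered security info", "UserId": "alice@example.com",
     "Method": "Authenticator app"},
    {"Operation": "FileAccessed", "UserId": "alice@example.com",
     "ObjectId": "https://sharepoint.example.com/sites/finance/GiftCardIssuance.xlsx"},
    {"Operation": "FileAccessed", "UserId": "bob@example.com",
     "ObjectId": "https://sharepoint.example.com/sites/hr/Holidays.xlsx"},
]

def is_external(address: str) -> bool:
    """True when a mail address falls outside the corporate domains."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS

def classify(event: dict):
    """Map one event to an indicator name, or None when it looks benign."""
    op = event.get("Operation")
    if op == "New-InboxRule":                     # forwarding approvals off-tenant
        target = event.get("Parameters", {}).get("ForwardTo", "")
        return "external_forward" if target and is_external(target) else None
    if op == "Register device":                   # new device joined under the tenant
        return "device_registered"
    if op == "User registered security info":     # new authenticator method added
        return "mfa_method_added"
    if op == "FileAccessed":                      # touching gift card workflow documents
        return "giftcard_doc_access" if "giftcard" in event.get("ObjectId", "").lower() else None
    return None

def flag_accounts(events, min_indicators: int = 2) -> dict:
    """Accounts showing at least min_indicators distinct indicator types."""
    seen = defaultdict(set)
    for ev in events:
        ind = classify(ev)
        if ind:
            seen[ev["UserId"]].add(ind)
    return {user: inds for user, inds in seen.items() if len(inds) >= min_indicators}
```

Requiring several distinct indicator types per account keeps a lone device enrollment or MFA change from paging anyone, while the combination the article describes surfaces as one alert.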

Gift cards make ideal targets

Several factors make gift cards a particularly tempting target for cyberfraud operations. First, they require minimal personal data to redeem and can be converted into cash or used anonymously, making them hard to trace. Second, issuance systems often run with broad internal permissions and weaker monitoring than payment card systems. Third, fraud via gift cards often escapes the immediate notice of financial risk teams because the amounts can appear as legitimate operations until they escalate.

Seasonal timing plays a role as well. The “Jingle Thief” campaign is named for the heightened activity during holiday periods when gift card issuance is high and staff may be less vigilant. Attackers time their incursions for when defenses are stretched.

The Moroccan hacking group and its tactics

Researchers at Unit 42 attribute this campaign, with moderate confidence, to a threat actor cluster tracked as CL-CRI-1032. This cluster is believed to overlap with groups known as Atlas Lion and Storm-0539, both based in Morocco and active since at least late 2021.

What’s unusual is how closely they resemble state-sponsored groups: long dwell times, heavy reconnaissance, and cloud-native operations. But they are financially rather than politically motivated. They deliberately avoid malware and endpoint attacks because these increase noise and detection risk, preferring to operate entirely inside the identity layer.

Another example of their stealth is how they abuse device registration. After gaining credentials, they enroll their own virtual machines or devices under the target organization’s domain, often leveraging cloud infrastructure to blend in. Once the malicious device is part of the environment, it behaves like a legitimate corporate endpoint.

What companies need to do to defend themselves

For organizations in retail, consumer services, or any company issuing gift cards, the risk model has shifted. Identity and cloud workflows are now the front line. Alongside malware prevention, defenders should focus on how identities are used, on device registration, on visibility into internal workflows, and on domain-wide detection.

What began as a relatively low-risk fraud domain (stealing gift card codes) has matured into a sophisticated cloud-based crime. The Jingle Thief campaign demonstrates how attackers now exploit identity systems, cloud workloads, and internal workflows to steal assets that can be monetized like cash. Businesses that issue gift cards must now view those systems as major financial risk areas.

If you’re part of an organization that handles gift card issuance, the message is clear: the enemy may already be inside your identity infrastructure, patiently mapping your cloud and corporate workflows. What you thought was an administrative convenience may now be a gateway for fraud.