A recent discovery made by a technology research company showed that frequent flyer miles — loyalty points offered by airlines which can be redeemed for tickets or other bookings on a later date — were being sold by cyber criminals on online black markets hosted on the infamous dark web. 

Comparitech's research showed that the hackers broke into personal accounts of several users on airline websites and obtained credentials like username, password, and PIN through several means — breaching a data server with that information, or phishing individual account holders. Once the credentials were obtained, the hackers would "sell the hacked account or transfer the miles into another account."

It was discovered that on Dream Market, which researchers said was the largest online black market, a single vendor sold loyalty points from "over a dozen different airline reward programs" — including Emirates Skywards (Alaska Airlines and JetBlue), SkyMiles (Delta Air Lines), and Asia Miles (Alaska Airlines and American Airlines). The other illegal marketplaces that were selling frequent flyer miles were Olympus and Berlusconi Market. 

The vendors on these marketplaces were selling frequent flyer miles in exchange for cryptocurrencies, specifically asking for bitcoin and monero.

“Across all vendors and marketplaces, Delta SkyMiles and British Airways were the most commonly listed. Prices are not consistent across vendors and seem to be based more on the vendor’s preference than supply and demand,” the Comparitech blog post read. "The average minimum rate of a single batch of stolen flyers points is $31," the researchers noted.

The value of frequent flyer miles varies depending on the rewards program and what they are spent on. Talking about trading them on the dark web, the blog said, "Airline points are typically worth between one and two cents each. So if we assume 100,000 miles (valued at $0.015 each) are worth $1,500, you can see the dark web prices come in at a fraction of the cost."

Frequent flyer miles could also be resold, but it’s against the terms of service for most rewards programs.

"Brokers typically buy unused points and use them to get business- and first-class upgrades and other bonuses for their clients. Brokers are wary of miles from hacked accounts that might be “tainted”, which is why dark web vendors often mark their miles as “clean”. This means the account hasn’t been flagged or shut down by the airline," the blog mentioned.

So why would anybody buy stolen frequent flyer miles? To redeem frequent flyer miles for hotel booking or for air tickets, users need to produce ID proof, but there are places where identification is not required. Many reward programs let users redeem points at local retailers, often through gift cards. Canada's Air Miles program alerted its users in March 2017 that stolen points were used to buy products from participating retailers.

At the time, rewards expert and CEO of Frequent Flyer Bonuses Group, Patrick Sojka said, "Shoppers aren't required to enter a password or PIN number when using their miles towards store purchases. Instead, they could opt for automatic check-out, input someone else's account number and buy products."

Hackers sometimes also redeem points shortly after taking over an account and then sell the rewards themselves. In 2017, Russian hackers used stolen British air miles to purchase flight upgrades, hotels, and rental cars, which they then flipped on legitimate-looking websites to unsuspecting customers.

Liv Rowley, a cyber intelligence analyst, said, "One advantage for criminals of using reward points is that the legitimate owner might not notice for months that their points have gone. They’re confident enough to travel in their own names using the stolen points.”