Researchers warn ‘Jingle Thief’ group exploits cloud access to commit gift card fraud


Palo Alto Networks Unit 42 researchers Stav Setty and Shachar Roitman said a cybercriminal group known as Jingle Thief has been observed targeting cloud environments tied to organizations in the retail and consumer services sectors to carry out gift card fraud.

According to the researchers, the attackers use phishing and smishing to steal credentials, then pursue the type and level of access needed to issue unauthorized gift cards. The group appears to profit by reselling issued cards on gray markets, exploiting the ease of redeeming gift cards and the difficulty of tracing such transactions.

Unit 42 is tracking the activity under the identifier CL‑CRI‑1032 and links the cluster to the criminal groups tracked as Atlas Lion and Storm-0539; Microsoft has described that activity as financially motivated and operating out of Morocco, and the cluster is believed to have been active since at least late 2021.

The researchers said Jingle Thief maintains long‑running footholds in compromised environments, conducts extensive reconnaissance to map cloud resources, moves laterally across cloud accounts and attempts to minimize detection. Unit 42 reported a wave of coordinated attacks in April and May 2025 in which attackers used phishing to obtain credentials; in one campaign they maintained access for about 10 months and compromised roughly 60 user accounts within a single organization.

Attackers focus on Microsoft 365 environments, harvesting credentials and then searching SharePoint and OneDrive for documentation on gift card issuance workflows, VPN configurations, spreadsheets and other internal systems that would enable fraud. The group has been observed sending internal phishing messages, creating inbox rules to forward emails to attacker-controlled addresses and moving sent items to Deleted Items to cover tracks, and in some cases registering rogue authenticator apps and enrolling devices in Entra ID to persist after password resets.
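The behaviours listed above (mail-forwarding and mail-hiding inbox rules, fraud-related keyword filters, and MFA-method or device registrations from the same source as the rule change) are all visible in Microsoft 365 audit exports, which makes them a practical hunting target. The script below is an added example written for this page, not code from Unit 42 or Microsoft: it reads newline-delimited JSON records in the general shape of Exchange Online and Entra ID unified audit log entries, scores each user's activity, and correlates rule creation with security-info or device registration from the same client IP. The sample records, user names, domains and IP addresses are constructed, and the Entra ID operation names and parameter field names are assumptions to be checked against your own tenant's export before use.

```python
import json
from collections import defaultdict

# Entra ID audit operation names that indicate a new MFA method or device.
# Assumed names for illustration; verify against your tenant's audit export.
PERSISTENCE_OPS = {
    "User registered security info",
    "Add registered owner to device",
    "Add device",
}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
HIDE_FOLDERS = {"deleted items", "rss feeds", "conversation history", "junk email"}
FRAUD_KEYWORDS = ("gift card", "giftcard", "egift")

# Constructed sample records (hypothetical users, domains and IPs) in the
# shape of Exchange Online New-InboxRule and Entra ID audit log exports.
SAMPLE_LOG = r'''
{"Operation":"New-InboxRule","UserId":"alice@corp.example","ClientIP":"203.0.113.7","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"finance-team@mailbox.example.net"},{"Name":"DeleteMessage","Value":"True"}]}
{"Operation":"New-InboxRule","UserId":"bob@corp.example","ClientIP":"198.51.100.5","Parameters":[{"Name":"Name","Value":"cleanup"},{"Name":"SubjectContainsWords","Value":"gift card;giftcard"},{"Name":"MoveToFolder","Value":"Deleted Items"}]}
{"Operation":"New-InboxRule","UserId":"carol@corp.example","ClientIP":"10.0.0.12","Parameters":[{"Name":"Name","Value":"newsletters"},{"Name":"MoveToFolder","Value":"Archive"}]}
{"Operation":"User registered security info","UserId":"alice@corp.example","ClientIP":"203.0.113.7","Parameters":[]}
{"Operation":"Add registered owner to device","UserId":"alice@corp.example","ClientIP":"203.0.113.7","Parameters":[]}
'''


def _params(record):
    """Flatten the Exchange-style [{Name, Value}, ...] list into a dict of strings."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify_rule(params, internal_domains):
    """Return the set of suspicious traits found in one inbox-rule event."""
    traits = set()
    for key in set(params) & FORWARD_PARAMS:
        # Targets may be ';'-separated; one external recipient is enough to flag.
        for target in params[key].split(";"):
            target = target.strip()
            if target and _domain(target) not in internal_domains:
                traits.add("external-forward")
    if params.get("DeleteMessage", "").lower() == "true":
        traits.add("hides-mail")
    if params.get("MoveToFolder", "").lower() in HIDE_FOLDERS:
        traits.add("hides-mail")
    text = " ".join(params.values()).lower()
    if any(k in text for k in FRAUD_KEYWORDS):
        traits.add("fraud-keyword")
    # Rules named ".", "-" or whitespace only are a common way to hide in the rule list.
    if not params.get("Name", "").strip(" ._-"):
        traits.add("blank-rule-name")
    return traits


def analyze(log_text, internal_domains):
    """Parse NDJSON audit records and return {user: sorted list of traits}."""
    by_user = defaultdict(set)
    rule_ips = defaultdict(set)      # IPs that created suspicious rules, per user
    persist_ips = defaultdict(set)   # IPs that registered MFA methods/devices, per user
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        user, op, ip = rec.get("UserId", ""), rec.get("Operation", ""), rec.get("ClientIP", "")
        if op in ("New-InboxRule", "Set-InboxRule"):
            traits = classify_rule(_params(rec), internal_domains)
            by_user[user] |= traits
            if traits:
                rule_ips[user].add(ip)
        elif op in PERSISTENCE_OPS:
            by_user[user].add("mfa-or-device-registration")
            persist_ips[user].add(ip)
    # A suspicious rule and a new MFA method or device from the same client IP
    # is the persist-after-takeover pattern the article describes.
    for user in list(by_user):
        if rule_ips[user] & persist_ips[user]:
            by_user[user].add("same-ip-rule-and-registration")
    return {u: sorted(t) for u, t in by_user.items() if t}


def suspicious_users(findings, min_traits=2):
    """Users with at least min_traits distinct traits, most traits first."""
    ranked = sorted(findings.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [u for u, t in ranked if len(t) >= min_traits]


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG, {"corp.example"})
    for user in suspicious_users(results):
        print(user, results[user])
```

On the sample data the script flags alice (external forward, delete-on-arrival, blank rule name, and an MFA/device registration from the same IP that created the rule) and bob (gift-card keyword filter routed to Deleted Items), while carol's archive rule is ignored. In production, feed it the output of an audit-log search rather than the embedded sample, and treat the same-IP correlation as a high-priority signal because it matches the password-reset survival technique described above.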

Unit 42 noted the actors favor identity misuse and abuse of cloud services rather than deploying custom malware, allowing stealthy, scalable fraud operations that leave fewer forensic traces.