The Potential Surfacing of Cardpool’s Gift Cards

Cyberint discovered in the ‘wild’ what could possibly be associated with the ‘Cardpool’ gift card breach, a file named ‘cardpool leak’. It was collected by our platform, Argos.

‘Cardpool’ was an online business where customers exchanged or sold their unwanted or partially used gift cards. It was shut down in early 2021, but it’s been discovered that in late April 2021, a Russian Threat Actor allegedly sold $38 million worth of gift cards there. These gift cards had been harvested during a breach that occurred between February 4th and August 4th in 2019 that targeted ‘Cardpool’.

The Threat Actor also sold a database including 330,00 debit cards separately, assumingly sourced from the aforementioned breach. The gift card database supposedly included 895,000 gift cards from 3,010 companies.

The file ‘cardpool leak’ compared to the 2019 database supposedly has different data; it only includes 840 domains (less than the expected 3,010 companies), although it comprises more than 5,489,900 gift cards. It ‘s important to note that this is not necessarily the original database that was sold, and it could have been circulated and modified, from a different source, or the Russian Threat Actor’s claims weren’t genuine to begin with.

It is currently unknown whether this database of gift cards is the original database that was sold, a different breach source, or if it’s still relevant, but it does include a substantial amount of data. Over 5.4 million gift cards with their pins, data seemingly worth in total more than initial database that was valued approximately at $38 million USD.

Cyberint Recommendations

Cyberint recommends companies that receive alerts associated with this gift card database, examine them, and verify if they’re still relevant and if they’ve expired. This will also allow further analysis of the compromised gift card activity and related IOCs in case it was involved in fraudulent transactions.