Carding via airline loyalty systems (miles, bonuses)

[Good Carder]

From carder to carders. Airline miles and rewards are a huge and often underestimated target. When you steal a credit card, you're dealing with a vigilant bank. When you steal miles, you're dealing with an airline, whose security systems often limit themselves to a basic password. Millions of people accumulate points for years, then don't notice they're missing until they try to redeem them. This security blind spot makes loyalty programs an ideal target.

In this article, I'll explain where to get logs and access credentials, how to redeem miles through gift cards and airline tickets, where to sell completed bookings, and what risks to consider.

Part 1: Why Miles Are the Ideal Goal for a Carder​

By 2026, airline loyalty programs had become a veritable currency. The combined value of unused miles from United, American, and Delta is estimated at nearly $74 billion. Fraudsters convert stolen miles into cash by selling gift cards or airline tickets on dark web forums. The problem is so serious that the global cost of loyalty program fraud is estimated at $1–3 billion per year.

1.1 Why are miles so easy to steal and hard to get back?​

Most airlines don't require two-factor authentication to log in to your account. Your password is the only barrier. According to the NJCCIC, fraudsters use phishing campaigns, infostealers (RedLine, Vidar), and data breaches to harvest credentials en masse. In the most notable case, hackers stole miles from thousands of United and American customers simply by knowing the passwords the victims used on other compromised websites.

Another advantage: victims rarely check their mileage balances. Stolen 50,000 miles can remain undetected for months until the owner tries to redeem them for a ticket. Even if the theft is discovered, the airline often returns the miles, but by then you've already received the cash.

1.2. Market size: from $0.75 per darknet account​

The shadow market for loyalty program accounts is thriving. Prices range from $0.75 to $200 per account, depending on the number of miles accumulated. Some accounts are sold with hundreds of thousands of miles, making them extremely valuable to fraudsters. Accounts for American Airlines, Southwest, United, Alaska, and Delta are actively traded on darknet forums, accounting for 54% of all mentions.

Most sellers guarantee "safe flights" and even offer payment after successful use of the tickets. This creates the illusion of reliability, attracting more and more buyers.

Fraudsters, with access to the account, gain access to a whole universe of benefits: from free flights to gift cards and car rentals. The main advantage of miles over stolen credit cards is that they are not linked to an individual, making them much easier to cash out without the risk of being caught.

Part 2. Methods of gaining access​

Your path to other people's miles begins not with hacking an airline, but with stealing credentials. Fraudsters operate according to a well-established scheme: first, they gain access, and then they monetize it.

2.1. Leaked Databases and Combo Lists​

The easiest way is to buy ready-made accounts on darknet forums. North American airlines (American, United, Delta) are the most frequently mentioned, indicating that fraudsters are active in this region. Prices for ready-made accounts range from $1–5 for a low-balance account to $20–50 for a premium account.

2.2. Infostealers and phishing​

If you prefer to act independently, use infostealers (RedLine, Vidar) to collect saved passwords from victims' browsers. Infostealer logs often contain access to loyalty programs, which are automatically saved in the browser. Phishing pages imitating airline websites are also effective — fraudsters create fake portals to harvest login credentials.

2.3. Attacks on weak passwords​

Many users reuse the same passwords for different services. If you have an emailpassword database from another leak (for example, a forum or a delivery service), simply check these combinations against airline websites. A great way to automate this check is to use OpenBullet 2 with a special configuration. The success rate can reach 1-5% when using fresh combinations.

2.4. Session Cookie Theft and RDP Access​

If the victim is logged into their airline account in a browser, you can steal session cookies and log in without a password. This method often works even with 2FA enabled. This involves using infostealers that steal cookies or RDP access to the victim's computer, from where you simply log in to the already logged-in account through a browser.

Part 3. The "Login → Transfer Miles → Exchange for Gift Cards" Scheme​

The easiest and most reliable way to cash out miles is to convert them into gift cards from popular networks and resell them. The main advantage of this method is that it doesn't require the passenger's name, doesn't require additional verification, and doesn't leave any traces of potentially cancelled airline tickets.

Here's the process:

1. Find a victim account with a sufficient mileage balance (at least 10,000 miles). Delta SkyMiles and British Airways loyalty programs are the most popular for resale.
2. Log in to your account using the stolen credentials. The best time to do this is on weekends, when airline fraud monitoring departments may be closed or operating with limited availability.
3. Redeem miles for gift cards. NJCCIC reports have documented cases of thefts of 12,000 to 500,000 miles exchanged for Google Play, Sephora, and DoorDash gift cards. Some fraudsters perform multiple transactions over several days to avoid attracting attention.
4. Sell gift cards on P2P platforms (NoOnes, LocalMonero) or through Telegram channels. Revenue can range from $120 to $5,000, depending on the number of stolen miles and the exchange rate.

Why this method is better than buying plane tickets: Gift cards don't need to be presented anywhere; they can be sold instantly, leaving no trace. The buyer doesn't need to provide identification, and if the card is cancelled, the buyer will contact you, not the police.

3.1. Alternative scheme: air tickets through fake passengers​

If you want to earn more, redeem your miles for airline tickets. This method is more complex, but also more profitable (the exchange rate is higher — up to 2-3 cents per mile instead of 1-2). Here's how:

1. Find a buyer on a darknet forum or Telegram channel.
2. Find out his name, date of birth and flight preferences (route, dates).
3. Log in to the victim's account and book a ticket in the buyer's name. This is possible because many airlines allow you to specify any passenger when booking flights using miles. Some airlines don't require the name on the account and the ticket to match.
4. Receive payment from the buyer (usually 50–70% of the ticket's market value). Cryptocurrency is the best choice.
5. The buyer flies using stolen miles. If the airline later discovers the theft and cancels the tickets, they could be stranded at the airport.

Part 4. Where to sell miles and ready-made reservations​

In 2026, miles and ready-made airline tickets are actively sold on specialized Telegram channels and darknet forums. The trade is open: sellers offer "discounted air tickets" and "hotel reservations at the best prices" using stolen miles.

Telegram channels are the main platform for urgent sales. Sellers post specific offers: "Moscow to New York, business class, departure tomorrow, price $600 instead of $2,500." Buyers pay in cryptocurrency and receive a booking reference.

Darknet forums (Exploit, XSS, Carder.su, carder sections) are more suitable for wholesale sales. Here you can find ads like "Selling 500,000 United Airlines miles, price $5,000 in BTC."

Specialized mileage-buying services legally allow you to exchange miles for cash (the average rate is 1-2 cents per mile). To use them, you need access to the victim's account to confirm the transfer. The easiest option is to trade directly with buyers on dark marketplaces, but this requires a good reputation to avoid being scammed.

Craigslist and local classifieds boards — airfare purchased with miles can be resold on legitimate platforms as well. The downside is the high risk that the buyer will report the fraud to the police. Only work through encrypted channels and use cryptocurrency.

Part 5. Blocking Risks and How to Minimize Them​

5.1 Account Blocking and Investigation​

Major airlines (United, American, Delta) actively monitor suspicious activity and may freeze an account if they see:

• Login from an unusual IP address (another country, data center);
• Multiple password reset attempts;
• Quickly exchange large amounts of miles for gift cards;
• Booking tickets under unknown names.

Solution: Use residential proxies that match the victim's region. Don't exchange all your miles at once; split them into multiple transactions. After the exchange, withdraw your funds immediately and never log in to your account again.

5.2. Ticket Cancellation​

If the account owner notices the theft and reports it to the airline, tickets purchased with the stolen miles may be cancelled. The buyer will be left without a ticket and without money. Your reputation as a seller will be damaged.

Solution: Sell tickets with a short notice (1-2 days) before departure so the victim doesn't have time to notice the theft. Indicate in your ads that you don't guarantee tickets — only the fact that you've booked them now.

5.3. Commercial use of miles​

Many airlines explicitly prohibit the sale of miles in their loyalty program rules. If they discover that miles have been sold, the account may be blocked and any remaining miles forfeited. In Russia, Aeroflot blocked a customer's account for "commercial use of miles," citing program rules. The customer contested the decision in court but was left without miles for a long time.

Solution: Don't use one account for multiple sales. Each account is consumable. After 2-3 transactions, "burn" it.

5.4. Legal risks for the buyer​

A buyer who purchases an airline ticket using stolen miles may be held liable for knowingly using illegally obtained services. In the worst-case scenario, the airline may call the police right at the airport.

Solution: Warn buyers of the risks and sell tickets only to those willing to take the risk. Use cryptocurrency to prevent buyers from initiating a chargeback.

Part 6. Checklist for carding via miles​

• Gaining access. Buy an account with miles on the darknet ($0.75–200) or use infostealer logs/combo sheets for verification.
• Account verification. Make sure you have enough miles to redeem.
• Redeem your miles for gift cards. Redeem your miles for Google Play, Sephora, and DoorDash gift cards (fast, secure, no verification required).
• Sell. Sell gift cards on NoOnes, LocalMonero, or in Telegram channels.
• An alternative is airline tickets. Find a buyer, book the ticket in their name, and receive payment in cryptocurrency.
• Block protection. Use clean proxies, don't redeem all your miles at once, and don't reuse your account.
• Cover your tracks. After withdrawing funds, delete your session data, change your proxy, and close the Telegram account used for the sale.

Summary​

Stealing airline miles is a highly profitable and low-risk scheme for carders. Account access is sold for pennies ($0.75–$200), and miles can be redeemed for gift cards or airline tickets. The safest method is to exchange miles for Google Play, Sephora, or DoorDash gift cards and resell them through P2P platforms. The most profitable method is to book airline tickets and then sell them at a 30–50% discount. The main risks are account blocking by the airline and ticket cancellations. Use clean proxies, don't store miles in one account, and don't be greedy. With proper OPSEC, stolen miles can generate a steady income.

A quick one-liner:
"Buy a United account with 100k miles for $50, redeem for Google Play gift cards, and sell on NoOnes for $1,000. Or book a business class ticket for 50k miles and sell for $600. Just don't use the same account twice."