How we Detected a Coordinated Loyalty Program Fraud Tool in Under 24 Hours
On May 23rd, 2026, a threat actor published two linked GitHub repositories containing a fully functional fraud tool targeting a major regional telecoms loyalty program. By May 24th, CybelAngel had detected both repositories. By May 25th, we had filed a full report with the client, including a confirmed malicious domain, a live deployment link, and 23 abuse flags across 13 independent threat intelligence sources. The client had no prior visibility into any of it.
This post walks through what we found, how we found it, and what it tells us about the state of loyalty program security in 2026.
What loyalty program fraud looks like now
Loyalty accounts face four to five times higher attack rates than standard accounts, largely because the security controls around them have not kept pace with the value they hold. Points, airtime credits, data packages, and redemption vouchers are all liquid assets from an attacker’s perspective, and they are often easier to extract than cash from a bank account.
The case we detected in May fits this pattern exactly, but with one additional layer: the attacker did not just target end users. They targeted the program’s internal API infrastructure directly.
What we found: a two-component fraud system
CybelAngel detected two public GitHub repositories published by the same threat actor on May 23rd, 2026. Together, they formed a coordinated two-component system built specifically to automate exploitation of a regional telecoms loyalty program.
Component one: the frontend interface. The first repository contained a live, Arabic-language web application deployed via Vercel. It presented users with an OTP-based login screen that appeared to authenticate against the loyalty platform. The application displayed coin balances, managed multiple user sessions simultaneously, and offered redemption packages that converted loyalty coins into mobile data and airtime credits. Authentication tokens and session data for multiple accounts were stored directly in browser localStorage, meaning the tool was designed to hold and manage compromised sessions across many victims at once.
Component two: the backend proxy. The second repository contained a Python/Flask backend proxy that mapped and called non-public internal API endpoints belonging to the loyalty platform. These were not documented public APIs. How the actor obtained knowledge of those endpoints is not confirmed in our report, but the proxy mapped and called them directly, giving the tool access to backend functions that standard users and most security tools would never reach. Both repositories were public, both were live, and both had been online for less than 24 hours before CybelAngel flagged them.
How the detection happened
Our analyst identified the two repositories through CybelAngel’s external monitoring of developer platforms and open source repositories. The detection did not originate from a direct domain scan. The malicious domain was found inside the GitHub repository itself, embedded in the frontend deployment configuration.
That distinction matters. Traditional security monitoring focuses on network perimeters and known attack surfaces. A fraud tool published to a public GitHub repository, with a live Vercel deployment linked inside the code, sits entirely outside the visibility of most internal security teams. The client had no alerts, no flags, and no awareness that this tool existed until we reported it.
From the repositories, our analyst built a full report from scratch, including a threat intelligence cross-check on the deployment infrastructure. The domain’s associated IP address had been flagged as malicious 23 times across 13 distinct sources. That level of prior abuse history confirmed this was not an isolated or experimental build.
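As an added illustration (not CybelAngel's own tooling), the following Python sketch mirrors the detection path described above: extract hostnames and paths referenced in a public repository's files, flag references to the brand's own API hosts, separate out the deployment hosts that warrant a threat-intelligence cross-check, and tally abuse flags by count and by distinct source. All file contents, hostnames and threat-intel results are constructed placeholders, not the real program or attacker infrastructure.

```python
import re
from collections import defaultdict

# Constructed sample: two files as they might appear in a public frontend repo.
# Hostnames are placeholders, not the real program or attacker infrastructure.
SAMPLE_REPO = {
    "vercel.json": '{"env": {"NEXT_PUBLIC_API": "https://loyalty-api.telecom-brand.test"}, '
                   '"alias": ["coins-redeem-x1.vercel.app"]}',
    "src/api.js": 'const BASE = "https://loyalty-api.telecom-brand.test/internal/v2/wallet";\n'
                  'fetch(BASE + "/redeem")',
}

# Watchlist of hostnames the brand owns (constructed); a public repo referencing
# them, especially with non-public paths, is worth an analyst's attention.
BRAND_HOSTS = {"loyalty-api.telecom-brand.test"}

# Matches a hostname (with optional scheme) and an optional path that follows it.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(/[\w./-]*)?", re.I)

def extract_references(files):
    """Return {hostname: set(paths)} for every hostname found in the repo files."""
    refs = defaultdict(set)
    for text in files.values():
        for host, path in HOST_RE.findall(text):
            refs[host.lower()].add(path or "/")
    return dict(refs)

def triage(files, brand_hosts):
    """Split references into brand API hosts (what is being targeted) and other
    hosts (candidate deployment infrastructure to cross-check against threat intel)."""
    refs = extract_references(files)
    hits = {h: sorted(p) for h, p in refs.items() if h in brand_hosts}
    external = sorted(h for h in refs if h not in brand_hosts)
    return {"brand_hits": hits, "external_hosts": external}

# Constructed threat-intel lookup result keyed by host: list of (source, verdict).
SAMPLE_TI = {
    "coins-redeem-x1.vercel.app": [("src-a", "malicious"), ("src-b", "malicious"),
                                   ("src-a", "malicious"), ("src-c", "clean")],
}

def abuse_summary(host, ti):
    """Count malicious flags and the distinct sources behind them, the same two
    figures the report quotes (23 flags across 13 sources)."""
    flags = [src for src, verdict in ti.get(host, []) if verdict == "malicious"]
    return {"flags": len(flags), "sources": len(set(flags))}
```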
What made this tool more dangerous than a standard phishing kit?
Most loyalty program phishing attacks follow a familiar pattern: a fake login page captures credentials, the attacker logs into the real platform manually, and points are redeemed or transferred before the victim notices. That approach is manual, slow, and limited in scale.
This tool was different in three ways.
First, the backend proxy gave the attacker direct access to internal API endpoints, bypassing the standard login flow entirely and enabling programmatic manipulation of accounts at a speed no manual attacker could match.
Second, the session management layer in the frontend meant the tool could hold authenticated sessions for multiple accounts simultaneously, running parallel fraud operations rather than working through victims one at a time.
Third, the entire system was deployed on legitimate cloud infrastructure via Vercel, which makes it harder to detect and block through conventional domain reputation tools. The domain itself looked unremarkable until the abuse history was pulled.
Cybercriminals increasingly exploit API vulnerabilities in loyalty platforms as a faster and more scalable route than targeting individual accounts, and this case is a clear example of that shift in practice.
What this means for brands running loyalty programs
The risk here is not just financial. A successful loyalty fraud attack erodes customer trust and can inflict lasting reputational damage on the program itself, particularly when users discover their accounts have been accessed or their session data has been harvested without their knowledge.
For security and brand protection teams, this case highlights a monitoring gap that most organisations have not yet closed. Fraud tooling targeting your platform can be built, deployed, and actively used before your internal systems generate a single alert. The repository was public. The deployment was live. The infrastructure had a documented abuse history. None of that was visible from inside the organisation.
CybelAngel’s approach to brand protection monitors external developer platforms, open repositories, and deployment infrastructure as part of standard coverage, not as an add-on. That is what allowed us to detect this tool within 24 hours of it going live, before any user had been confirmed as a victim, and before the client was aware anything was happening at all.
Key takeaways for security teams
Loyalty program fraud is no longer limited to credential stuffing and manual account takeover. Attackers are now building custom tooling that targets internal APIs directly, manages multiple compromised sessions in parallel, and deploys on legitimate cloud infrastructure to avoid detection. The exposure window between a tool going live and an organisation becoming aware of it can be measured in weeks, or longer, without external monitoring in place.
The gap is not in your firewall. It is in what you cannot see from inside your own network.
If you want to know what fraud infrastructure might already exist targeting your brand, talk to an analyst.
