It all started with an investigation of a young man in Louisiana suspected of small-level drug dealing on the dark web. It ended with the conviction of the largest gift card fraudster in the world in a case called “Operation Bad Bot.”

While executing a search warrant on the young man in Louisiana, authorities realized he was in possession of a large amount of cryptocurrency and involved in a large-scale gift card fraud scheme. The young man, facing significant criminal charges, wanted to cooperate with authorities.

They said, “What can you do to help yourself?” The young man said, “I can give you the largest gift card fraudster in the United States.”

Dariush Vollenweider, federal agent with the U.S. Department of Homeland Security, recounted the story in his presentation, “Shutting Down America’s Largest Illicit Online Gift Card Marketplace.” He co-presented with Alan Stevens, assistant U.S. attorney at the Department of Justice, at the 35th Annual ACFE Global Fraud Conference.

“Our ears perked, right away,” said Vollenweider. “OK, we can work with that.”

After seizing the cryptocurrency, the investigation into the gift card fraud began. The young man, who will be referred to as “the helper,” showed authorities a website that sold gift cards to different retailers for cheap. For example, $1,000 gift cards from Ashley HomeStore were being sold for $250. The man running the gift card website (known as “the target”) had large quantities of different types of cards. Customers paid for the cards with PayPal but then switched to Bitcoin for payments. Customers would receive an email or text file with the gift card number and other details, instructed to use the gift cards immediately.

Investigators found that the target had cards from more than 500 stores available for purchase, had at least 560,000 gift card account numbers with $22 million in stolen value and claimed to be making at least $6,000 every week on the scheme. Authorities said, to avoid suspicion, he was using several aliases, financial accounts, domains and more, and they learned he was working in IT. He was also getting some technical help from the helper, so authorities set up a Telegram account takeover on the helper to communicate with the target, who began to explain over chat his process of buying IDs and using them to open accounts.

Identifying the Target

At this point, authorities only knew the target by his screen names, “Miami” and “Lux,” and they believed he lived in Canada. But the target continued to share information, including details about a trip to the U.S. and planned trips to certain businesses. Authorities contacted these businesses for surveillance video, and they were able to get an image of the target. Authorities also connected the target’s shared trip details with U.S. Customs and Border Protection records. The information allowed authorities to identify the target as Richard Verret of Quebec.

However, there was a problem. Investigators were unclear on where Verret could be prosecuted since there were traces of his business spread across in various locations. Investigators were unsure where the crimes were occurring. So, investigators made some undercover purchases from Verret, who also expanded his business to physical gift cards. Agents, posing as the helper, purchased some of these physical gift cards that were then sent to Louisiana (with an incriminating return address attached).

The Takedown

Even though COVID lockdowns hindered the investigation, investigators determined the gift cards Verret was selling had a total stored value of $22 million. In 2022, he was finally charged with unauthorized solicitation of access devices, trafficking counterfeit access devices and notice of forfeiture. Federal law enforcement agents arrested Verret following a flight to Orlando, Florida.

Verret pled guilty and was sentenced to close to five years (57 months) in prison. He had to forfeit $812,000. Upon his release from prison, he will be deported and barred from the U.S.

Lessons from the Fraudster and Investigators

Vollenweider presented a video of an interview federal investigators conducted with Verret following his arrest. Verret said he was inspired to start the scheme after learning about a gift card sending program in an online forum. He said he acquired “a couple hundred thousand” gift card numbers in his first year of the scheme, and when he was caught, he believes he had approximately 1 million gift card numbers. He generated the numbers by finding images of gift cards online and then figuring out patterns. With the help of bots, he could acquire 10,000 gift card numbers quickly, but he said larger retailers were harder to crack.

When asked what he thought were the biggest loopholes that helped him commit gift card fraud, Verret said, “easy ways to check balance, PIN not required to check the balance and the card algorithm that they are using.”

For more security, Verret recommended retailers require consumers to use a PIN at every transaction and to use PINs with more than four digits for every gift card. He said he did not try to crack any retailers’ card numbers with PINs longer than six digits. Verret also recommended retailers use controls to prevent bulk balance checking.

The presenters said retailers should be establishing longer gift card numbers to prevent the predictability of numbers, thus thwarting fraud.