Balance-checking bots crack 1.7M gift card numbers per hour via store APIs

Attackers deploy bots like GiftGhostBot that brute-force gift card numbers by hitting retailer balance-check APIs at rates of up to 1.7 million attempts per hour. These bots systematically enumerate card number ranges, test PINs, and identify cards with positive balances. Once a funded card is found, the balance is drained instantly -- often to purchase goods for resale or to convert to cryptocurrency. The legitimate cardholder discovers a zero balance days or weeks later. Retailers struggle to distinguish bot traffic from legitimate balance checks because they deliberately make their balance-check pages easy to use (no login required, no CAPTCHA). Adding friction to the balance-check flow hurts real customers who want to verify their balance before shopping. This creates a direct conflict: security measures that stop bots also degrade the customer experience. The problem persists because most gift card systems were designed in the early 2000s with short, predictable number formats (often 16 digits with limited ranges) and 4-digit PINs, making enumeration feasible. 'Fraud-as-a-service' providers now sell bot toolkits with dashboards and SLAs on the dark web, commoditizing the attack.
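Enumeration of this kind leaves a traffic signature that a retailer can score server-side without adding friction for customers: one client walking adjacent card numbers at machine speed with mostly failed lookups. The following is an added example, not code from the article or from any vendor it names; the log format, field order and thresholds are assumptions, and the log lines are constructed sample data.

```python
"""Flag gift-card enumeration in balance-check API logs. Added example, not
code from the article; log format and thresholds are assumptions."""
from collections import defaultdict

# Constructed sample lines: "<unix_ts> <client_ip> <card_number> <result>"
SAMPLE_LOG = """\
1700000000.0 203.0.113.5 7777000012345670 not_found
1700000000.2 203.0.113.5 7777000012345671 not_found
1700000000.4 203.0.113.5 7777000012345672 not_found
1700000000.6 203.0.113.5 7777000012345673 not_found
1700000000.8 203.0.113.5 7777000012345674 ok
1700000001.0 203.0.113.5 7777000012345675 not_found
1700000005.0 198.51.100.7 7777000099887766 ok
1700000090.0 198.51.100.7 7777000099887766 ok
"""

def parse_log(text):
    """Return (ts, ip, card, result) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2].isdigit():
            events.append((float(parts[0]), parts[1], parts[2], parts[3]))
    return events

def client_stats(events):
    """Per-client signals. A customer re-checks one or two cards at a human
    pace; an enumerator walks adjacent numbers fast and mostly misses."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    stats = {}
    for ip, evs in by_ip.items():
        ts = sorted(e[0] for e in evs)
        span = max(ts[-1] - ts[0], 1.0)  # seconds; floor avoids div by zero
        cards = sorted({int(e[2]) for e in evs})
        adjacent = sum(1 for a, b in zip(cards, cards[1:]) if b - a == 1)
        seq_frac = adjacent / (len(cards) - 1) if len(cards) > 1 else 0.0
        stats[ip] = {"requests": len(evs), "rate": len(evs) / span,
                     "seq_frac": seq_frac,
                     "fail_ratio": sum(e[3] != "ok" for e in evs) / len(evs)}
    return stats

def flag_enumerators(events, min_requests=5, seq_threshold=0.5, fail_threshold=0.5):
    """IPs whose traffic looks like number-range walking (thresholds are
    assumptions to tune against real traffic, not published values)."""
    return sorted(ip for ip, s in client_stats(events).items()
                  if s["requests"] >= min_requests and s["seq_frac"] >= seq_threshold
                  and s["fail_ratio"] >= fail_threshold)
```

Flagged clients can be throttled or challenged selectively, so the CAPTCHA-free path stays open for the customers the article says retailers do not want to burden.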

Evidence

F5 Networks documents gift card cracking via brute-force enumeration (f5.com/go/solution/gift-card-cracking). GiftGhostBot scans up to 1.7M card numbers/hour (reported by Distil Networks/Imperva). Kasada identified 8.9M stolen retail gift cards and 7.5M restaurant gift cards for sale on underground markets ahead of the 2025 holiday season. Dark web gift cards sell at 30-50% of face value.
