Do you work in delivery? Check if your account is being stolen right now.
Why stores didn't notice the mass purchase of gift cards worth millions of dollars.
Why stores didn't notice the mass purchase of gift cards worth millions of dollars.
Over 7,500 Instacart and Shipt courier accounts were hacked as part of a major fraud scheme. The damages exceeded $30 million. According to the FBI, eight people are charged with orchestrating the scheme, which was based on social engineering and deceiving couriers.
Starting in 2022, the perpetrators gained access to a database containing the contact information of former and current couriers for these grocery delivery platforms. The fraudsters posed as company employees. They called the couriers and asked them to share the one-time verification codes from their SMS messages. They used various pretexts: account recovery, deactivation, or confirming activity.
After gaining control of the profiles, the fraudsters began placing orders. They acted on behalf of fake customers and then accepted those very orders for delivery themselves. The orders were assigned to the hacked accounts. Money for the purchases was loaded onto bank cards linked to these accounts. But instead of groceries, the fraudsters bought gift cards and then canceled the orders. This triggered a refund of the money. The gift cards were used for online purchases or exchanged for cryptocurrency, which was later converted into cash.
One of the accused described the scheme in correspondence with an undercover agent. He confirmed the existence of black markets where lists of inactive driver accounts are sold. "You call these numbers, get access, and then use the card to buy gift certificates," he wrote.
In addition to phishing via messages, the suspects used another tactic. They placed fake orders and contacted couriers through the official apps. The scammers suggested a phone call, supposedly to add items to the order. This is how they obtained the victim's phone number. Then, during the call, they tricked them into revealing the one-time code, claiming that a customer had complained about a profile photo mismatch.
By mid-2023, Target, which owns Shipt, noticed suspicious activity. Gift cards were being purchased en masse through the platform, which violated the user agreement. Surveillance cameras captured the suspects during the purchases. The case materials include screenshots of the fraudulent messages and video footage from the cameras, which were provided to the U.S. Department of Justice.
Instacart lost $16 million due to the hacking of over 5,500 accounts. Shipt's damages amounted to $14.3 million from 2,215 hacked profiles. A Shipt representative confirmed that the company assisted law enforcement. The firm stated that protecting its employees' and users' data is a priority. Instacart reported that their systems were not breached. The suspicious activity was noticed in time and the information was handed over to the authorities.
This is not the first case of fraud on the Instacart platform. As far back as 2021, the company recorded account hacks. At that time, stolen login and password pairs were used. Following these incidents, the company enhanced its security. It now uses selfie and biometric checks, comparing the data to driver's licenses.
All eight men are charged with conspiracy to commit wire fraud.
