Baked Alaska

Section 0The Three Questions

In August 2025, the author saw a LinkedIn post. An Alaska Airlines loyalty member had logged in to find his account drained. 185,000 miles gone. Used to book business class flights for a stranger. Alaska had refunded the points. Others responded to the post to announce the same experience.

LinkedIn post by Ahmed Bhuiyan reporting 185,000 miles stolen from his Alaska Mileage account. Source: LinkedIn (archive.ph/Fe0iB).

Three things about the story did not make sense.

1. Why did Alaska not block this booking? A last minute, one way, international business class flight, booked for a passenger with no connection to the account holder. How does a transaction this conspicuous pass without a single flag?
2. After a theft, surely a password change secures the account. Is the victim no longer trusted? What purpose does the telephone PIN serve?
3. Why would the fraudulent traveller, Mr Xie, take the staggering risk of passing through secure airport environments under his real identity, for an apparently modest reward?

Mileage activity showing Qatar Airways bookings by Yuxi Xie, subsequently rolled back. Source: LinkedIn (archive.ph/Fe0iB).

The questions were perplexing enough for this rather idle author to launch an investigation.

Some months later, the reasoning that answers all three is clear. Answering them unearthed a remarkable set of findings:

• 425 documented victims in 2025 alone following an identical script (Section 2)
• a session authentication architecture so broken that full account access can be obtained in seconds with no password (Section 3)
• 6 criminal sellers operating in broad daylight on public forums (Section 4)
• seller crypto wallets connecting thefts to billion dollar transaction flows all the way to regulated cryptocurrency exchanges (Section 4)
• a 10+ sigma accounting discontinuity in Q2 2025 that Alaska's public filings do not specifically reconcile or disaggregate (Section 5)
• a cyber weakness left unpatched for at least 4 years, with the earliest documented victim report dating to April 2022 (Section 2)
• a loyalty programme with remarkable disregard for its leading members (Section 6)

All three questions are answered by the close of this document. The discoveries made in answering them present a mosaic that may undermine the valuation fundamentals of Alaska Air Group.

Section 1The Asset Investors Think They Own

Alaska Air Group December 2024 Investor Day: loyalty programme valued at over $12 billion. Source: news.alaskaair.com/wp-content/uploads/2024/12/Investor-Day-2024-Slide-Deck.pdf

Alaska Air Group is the holding company for Alaska Airlines, the fifth largest US carrier by revenue. In September 2024, it closed a $1.9 billion acquisition of Hawaiian Airlines. The combined entity reported $14.2 billion in revenue and $100 million in net profit for 2025. At the time of publication, market capitalisation stands at $4.4 billion. Enterprise value is approximately $9.1 billion.

At its December 2024 Investor Day, management valued the loyalty programme at over $12 billion. The programme generates over $2 billion in annual cash remuneration from co brand credit card partnerships, predominantly with Bank of America. The programme is the stable, high-margin engine upon which the airline is built, and it is pledged as security against $2 billion of secured notes held by a special purpose lender. If Alaska ever breaches its covenants, that lender can claim the cash flows directly from Bank of America.

The implied value of everything else, the aircraft, the routes, the gates, the employees, the entire Hawaiian integration, is negative $2.9 billion.

The loyalty programme is not a feature of the business. It is the business. It is the asset underwriting the equity, the debt, and the company's future.

This report presents evidence that the programme's front door has been open for at least 4 years.

Section 2Why Does Alaska Permanently Remove Theft Victims from Online Booking?

Section 1 described the asset. This section presents the first evidence that its custodian has known, for years, that it is not secure.

The Policy

Every documented victim of an Alaska loyalty account theft receives the same treatment. The victim is told the compromise was their fault, a consequence of poor password hygiene. Points are then restored as a "one-time courtesy." The victim is warned that any future theft will receive no refund. And the victim's account is permanently restricted: online award booking is disabled behind a 4 digit PIN. To book, the victim must telephone Alaska, recite the PIN, and wait for a 1 hour window during which online award booking is temporarily re-enabled. Once the window closes, the restriction reapplies.

This protocol appears universal. It has been applied to every victim the investigation has documented, across hundreds of cases and at least 4 years. Commentators on public forums have cited the restriction as far back as 2017. The earliest directly documented instance is April 2022. It is not a reaction to individual incidents. It is a standing policy.

The Question

Why would Alaska permanently restrict a victim's account after the compromised password has been changed?

If the vulnerability were passwords, a new password would resolve it. Alaska could require a longer password, mandate rotation, add security questions, or implement MFA. American Airlines, Delta, and United already require MFA. Any of these measures would address a password based attack while preserving online access.

Instead, Alaska disables online award booking entirely. Permanently.

The Answer

If the vulnerability were the password, a new password would fix it. Alaska does not fix it with a new password. Alaska disables the online channel entirely. The only rational explanation is that Alaska knows the attacker's access does not depend on the password.

The mechanism, confirmed forensically in Section 3, is the session cookie. A session cookie is a small file stored in the browser that proves to a website the user is already logged in. It can be acquired without ever knowing the victim's password. It persists after a password change. It cannot be revoked from the server. A password change updates a credential the attacker is not using.

The PIN restriction is Alaska's only available defence: remove the account from the system the attacker can reach. Force award bookings through a telephone channel that bypasses the vulnerable web infrastructure.

Members report the restriction as indefinite. If the restriction were a precaution against a compromised password, it would last weeks, not years. The duration implies that Alaska has modelled the persistence window of the session vulnerability and set the restriction to match.

The logical inference, before any forensic evidence is considered, is that the vulnerability has persisted for at least as long as the restriction. The restriction is not a security enhancement. It is an operational acknowledgement that the underlying problem has not been fixed.

The Cost

The victims subjected to this protocol are not casual travellers. The documented cases had an average of 218,262 miles in their accounts at the time of theft. These are Alaska's most loyal and highest value customers. Many hold the co brand Bank of America credit card that generates the $2 billion annual cash flow described in Section 1. They chose Alaska over competitors with larger networks precisely because of the programme's perceived value.

There are only 2 ways to secure an account against this vulnerability. Fix the underlying cybersecurity weakness. Or make the customer suffer.

Alaska chose the second. A member who previously booked award travel with a few clicks must now telephone Alaska, recite a PIN, and wait for a temporary unlock. Multi hour hold times are common, with some exceeding 5 hours. Award availability that appeared at 2am is gone by the time Customer Care opens. The restriction is not temporary. It is a permanent handicap imposed on blameless customers because Alaska will not repair the system that exposed them.

Who Knows

On 7 October 2025, Alaska VP of Loyalty Brett Catlin was asked on a Reddit AMA whether there were "any plans to introduce two factor authentication to better protect user accounts." He responded:

This is the head of the loyalty programme, on the public record, confirming 3 things: the fraud is known, it is accelerating, and the CEO has direct knowledge.

No corresponding disclosure appears in customer communications or public investor materials.

Section 3425 Documented Victims and the Open Door

Section 2 established that Alaska knows a password change does not secure an account. This section presents the forensic proof of why and documents the scale of the resulting harm.

The Fast Access Test

On 16 March 2026, the author logged into his own Atmos account, extracted 2 session cookies from his authenticated browser, and pasted them into a clean browser on a separate device. From that second browser, with no password entry and no login prompt, the author changed the password, email, phone number, postal address, passport number, and nationality on his account. None required re-authentication. The only notification, that the email had changed, arrived approximately 10 minutes later. No notification was sent for the password change. By the time the alert arrived, every piece of identifying information had been replaced and every self service recovery path closed.

What This Means

3 properties combine into a single systemic failure. Session tokens are not revoked on password change: an attacker with a valid session continues receiving fresh tokens regardless. No MFA exists at login; Alaska's recent limited mobile rollout does not address session persistence, since an attacker holding a stolen cookie bypasses the login flow entirely. No anomaly detection flags high risk redemptions: a last minute international business class flight booked for a stranger proceeds without review.

14 Companies Can Read Your Login Token

The previous subsections show what a stolen token does. This one addresses how easily it can be stolen.

Alaska stores the login token in a cookie called "guestsession" without the HttpOnly flag, a single configuration setting, standard for over a decade, that prevents other code on the page from reading it. Delta, United, American, and every major bank set it. Alaska does not.

On 16 March 2026, 14 separate companies were running code on Alaska's authenticated pages: Google, Facebook, Adobe (3 products), The Trade Desk, Microsoft/Bing, Tealium, FullStory, Quantum Metric, Optimizely, AppDynamics, Airtrfx, and Everest Technologies. Every 1 can read the login token. If any were compromised, a rogue employee, a hacked server, a supply chain attack, a single added line of code would send every visitor's token to any server the attacker chooses. 1 compromised script, served for 1 day, harvests the tokens of every single customer who logs in that day.

The industry deploys 3 standard defences. HttpOnly prevents scripts from reading the cookie. A Content Security Policy restricts where scripts can send data. Subresource Integrity verifies scripts have not been tampered with. Alaska has deployed none of them. Its entire Content Security Policy is a single directive that upgrades HTTP to HTTPS. It restricts nothing.

This is not theoretical. In 2018, Magecart compromised a third-party script on British Airways' site. It ran for 15 days, stole 500,000 customers' payment details. The mechanism is identical to what is possible on Alaska's site today. In June 2025, Scattered Spider breached Hawaiian Airlines, Alaska's own subsidiary. The FBI warned the group was "expanding its targeting to include the airline sector." If Scattered Spider accessed Alaska's codebase directly, they would not need a third party: they could inject exfiltration into Alaska's own files, served from Alaska's own servers, with no Content Security Policy to block the outbound transmission.

The Translation Proxy Escalation

Alaska's Spanish language site (alaskaair.convertlanguage.com) is operated by a third party, ConvertLanguage. On 16 March 2026, the investigator discovered that the proxy issues tokens with "offline_access" scope, a permission absent from the main site. In plain terms: the main site's token works when visiting the website; the proxy's token works from any computer, at any time, without a browser, indefinitely.

This more powerful token does not stay on the proxy. Both domains write to .alaskaair.com, so visiting the Spanish site overwrites the main site's token with the escalated version. Any customer redirected there, by a search engine, an ad, or a link, returns carrying a token readable by all 14 third-party scripts that now grants programmatic, indefinite access. The proxy also bypasses Alaska's cookie consent framework entirely: tracking scripts execute with no consent mechanism configured.

The full technical analysis, JWT comparisons, cookie inventory, third-party script audit, proxy token decode, and complete takeover sequence, is in Appendix C.

425 Documented Victims Tell the Same Story

The investigation documented 425 unique account compromises reported across public internet forums during calendar year 2025. Every case was individually verified, deduplicated, and archived. The full dataset is published in Workbook B.

These are small, obscure corners of the internet. The Reddit cases come overwhelmingly from a single subreddit. The Facebook cases come from a single private frequent flyer group. Alaska's own social media monitoring team will have member accounts on every one of these platforms. None of this was hidden. Fox13 Seattle and KIRO 7 ran stories on the hacked accounts in July 2025. The Seattle Times followed in November. These are Seattle's local newsrooms covering a Seattle headquartered company. No corrective action followed. No public statement. No direct communication to affected members.

30 day rolling count of publicly documented Alaska loyalty account thefts in 2025.

The distribution through the year is uneven. Reports fell to near zero in late April and May before a sharp inflection in late June, coinciding with the Hawaiian Airlines cyberattack disclosure. A second surge in December exceeded the summer peak. If this were credential stuffing, one would expect a roughly even distribution as compromised credentials circulate through databases at a steady rate. The wave pattern is more consistent with coordinated criminal campaigns that scale up and subside. The methodology is not scientific; we are catching only a fraction of what is occurring. But the shape of the data gives an observer reason to pause.

The thefts followed an identical script, unchanged since 2022. Accounts were compromised to book flights within a day or 2 of travel, invariably on partner airlines in premium cabins. The member's notification email was changed to prevent discovery. In 96% of documented cases, the theft was discovered by the victim, not by Alaska.

Dozens of victims reported strong, unique, randomly generated passwords and were compromised regardless. 4 were compromised either side of a password change. Credential stuffing cannot explain either pattern.

What the Call Centre Staff Say

Customer service representatives, speaking without the filter of corporate communications, provide their own corroboration.

The 14 May 2025 statement warrants attention. A single representative handling 3 to 5 reinstatement calls per day implies a problem far larger than the 425 publicly documented cases. The precise scale cannot be determined from these observations alone, but the call centre staff describe volumes consistent with a systemic failure affecting thousands of accounts, not hundreds. The point is that no one outside Alaska can know the true figure, and, as discussed below, neither can Alaska.

The Peer Comparison

Is this an industry problem, or an Alaska problem?

Theft reports on Reddit per 10,000 subreddit members. Source: Reddit, 2025. See Appendix B.

Adjusted for subreddit community size, Alaska's theft report rate on Reddit is 14.0 per 10,000 members. American Airlines stands at 1.0, Delta at 0.4, United at 0.0, and Southwest at 1.9. The peer average, weighted by subreddit size, is 0.55. Alaska is 25.5 times the peer average.

The investigation also checked the comparison against reported deferred revenue liabilities: Alaska at $3.4 billion, American at $10.6 billion, Delta at $9.3 billion, United at $7.8 billion, and Southwest at $4.3 billion. Against that measure, the multiple is 20.3 times Alaska versus the peer group. The disparity is not an artefact of Reddit usage patterns. The methodology does not profess scientific exactitude, but the delta is a chasm. Alaska is not suffering from a problem common to the airline industry. Alaska is suffering uniquely. Full methodology is set out in Appendix B.

The Visible Edge

The 425 documented cases were drawn exclusively from public internet forums. That methodology captures only victims who satisfy every condition in a narrow funnel:

• They noticed the theft.
• They chose to post about it publicly.
• They were members of a platform where this was a relevant topic.
• They were not deterred by the embarrassment of having been told, by Alaska, that the compromise was their own fault.
• Their complaint had, in most cases, been remediated: points restored, crisis over, urgency gone.

Each condition eliminates a population of victims who are not counted.

Consider US Card Forum. It is a niche enthusiast community: approximately 12,000 weekly active users, discussing credit cards, loyalty programmes, and travel rewards. In a typical week, the forum hosts around 970 new discussion topics. Fewer than 20 of those concern Alaska Airlines in any capacity. Alaska is less than 2% of the forum's conversation. And yet, from this tiny, specialist corner of the internet, the investigation documented 48 account compromises in a single year. If a forum where Alaska barely registers as a topic of discussion can produce 48 cases, the total across all online and offline channels is necessarily tens of thousands. The full extrapolation methodology is set out in Appendix B.

And Alaska does not know either. In 96% of documented cases, the compromise was discovered by the victim, not by the airline. Alaska has no independent detection capability. It cannot tell the market how many accounts have been compromised because it does not know. That does not automatically mean the deferred revenue balance is misstated. It does mean investors are not told whether fraudulent redemptions, reinstatements, or related partner reimbursements materially affect the inputs, assumptions, or contract balances used in the loyalty model.

Section 4The Criminal Marketplace

Sections 2 and 3 documented the victims and the vulnerability. This section documents the industry that profits from both.

The Price

Ernest quoted $120 for an account containing 220,000 miles.

WhatsApp conversation with Ernest, a criminal seller, requesting 220,000 stolen Alaska miles for a Barcelona to Cape Town business class flight on Qatar Airways. Price: $120.

To understand what $120 buys, consider a single routing. Miami to Barcelona, one way, business class, nonstop on American Airlines. The cash fare is $8,664. The miles cost: 55,000 Alaska miles and $19 in taxes. Ernest's price for 220,000 miles is $120. That is 4 business class flights across the Atlantic for $196 all in, taxes included.

Alaska Airlines award booking screen showing Miami to Barcelona business class on American Airlines: 55,000 points plus $19.

Google Flights showing the same Miami to Barcelona business class seat priced at $8,664.

Akis, a Hungarian based seller with 3,000 stolen accounts in inventory, offered the same product at the same price. He volunteered a personal testimonial: business class, Madrid to Santiago, $80. The retail fare was $9,900.

Delta accounts carry a 20% premium. Alaska is the cheapest product on the criminal market because it is the easiest to exploit. The marketplace has priced both the security gap and the product quality into a single number.

Business class seats: retail price versus criminal market price. Source: seller conversations, February and March 2026. See Appendix F.

Where They Advertise

No dark web browser was required. No Tor circuit. No encrypted marketplace. The sellers advertise on Facebook. The fourth entry to this Google search below takes you straight to a seller. They are not even hiding anymore.

Google search results for stolen Alaska Airlines miles.

The investigation identified 6 independent sellers. Every one of them was found through ordinary Facebook searches. They advertise next to card scammers, SIM swappers, and phishing kit vendors. They communicate on WhatsApp. They accept Bitcoin, Ethereum, and PayPal. They operate in the open because the platform they exploit has given them no reason to hide.

Asad

Asad operates from Pakistan. He has been in this business for 3 to 4 years. His team of 6 processes 50 to 60 Alaska Airlines bookings per week.

He is not a credential seller. He is a full service operator. His team takes a passport number and travel dates, selects a victim account, and delivers a confirmed ticket. The customer never touches Alaska's website. The customer flies under their own real name, on a seat paid for with someone else's miles.

On 25 February 2026, the investigator asked Asad to price a San Francisco to Tokyo flight. He quoted $220.

Alaska Airlines booking screen showing SFO to Tokyo Haneda via All Nippon Airways, 18h 33min, 1 stop. Asad's price: $220.

On 2 March, he offered a direct Japan Airlines flight on the same route for $280. A paid JAL business class ticket sells for $5,000 to $10,000.

Alaska Airlines AS 7321, SFO to Tokyo Haneda, operated by Japan Airlines, 11h 25min direct. Asad's price: $280.

When asked why Alaska specifically, Asad was direct:

He targets dormant accounts deliberately. Victims who do not log in cannot discover the theft until Alaska eventually notifies them, which, as Section 3 documented, happens in only 4% of cases. Alaska's blindness is his business model.

His estimated annual revenue from Alaska bookings alone, at 50 bookings per week and an average of $250 per ticket, is $650,000. This is one seller. There are at least 5 others.

The Dark Web Confirms the Price

The sellers documented in this report were contacted through Facebook and WhatsApp. They are not the only distribution channel. A dark web marketplace, highlighted in a NordVPN investigation, offers stolen Alaska Airlines miles accounts as off the shelf products with tiered pricing, inventory counts, and terms of service.

Dark web marketplace listing for stolen Alaska Airlines miles accounts. Tiered pricing from $35 (100k to 200k miles) to $700 (1m to 5m miles). Terms include replacement policy and prohibition on changing login credentials

The listing is structured like a retail storefront. Accounts are sorted by mileage balance. 5 units of the 100k to 200k tier are in stock at $35 each. The 500k to 1m tier is $150. The 1m to 5m tier is $700. The seller enforces terms: replacement is available only if less than 50% of the initial balance has been used, and changing login credentials or reporting the compromise voids the guarantee.

These prices are consistent with the seller conversations documented in this report. Ernest quoted $120 for 220,000 miles. The dark web marketplace prices 200k to 300k miles at $60. The criminal market has converged on a narrow band because the underlying product, an Alaska account with no multi factor authentication and no session persistence controls, has a known and stable value to buyers.

The Other Sellers

Each of the 6 sellers profiled during the investigation operates independently. All converge on the same target. Their own words tell the story most efficiently.

Akis, based in Hungary, has maintained a stable source for 5 years. He sells Alaska and Delta accounts at $120 and $144 respectively, with a 12 hour validity guarantee and an 85% booking success rate. He offered a reseller commission structure. He was unconcerned about detection:

Robert, contacted through Facebook advertising, held 1 million Alaska miles across 8 to 12 accounts at the time of contact. He operates a 2 tier model: basic credentials at $0.52 per thousand miles, or full access with email and OTP interception at $2.40 per thousand. The premium tier enables the buyer to lock the victim out permanently:

Baadshah, contacted through Facebook Messenger, held 11 Alaska accounts. He was the most succinct:

Ernest, the Oman passport holder, identified himself as a hacker and demonstrated a tracking pixel during the conversation. He operates across 14 airlines and 3 hotel chains. When asked about the safety of flying on stolen miles, he was philosophical:

Eddie Dolla, the sixth seller, offered Alaska accounts at $120 for 200,000 miles and volunteered to guide buyers through the booking process. His Bitcoin payment address is a Crypto.com deposit wallet, KYC regulated and subpoena-ready.

Where the Money Goes

Every seller provided a cryptocurrency wallet address. What those wallets reveal, when traced on the public blockchain, separates a story about stolen airline miles from a story about organised crime with over $1 billion in traced infrastructure.

The investigation obtained 11 wallet addresses from 6 sellers. Three had never been used on-chain: disposable addresses created for a single buyer, discarded when the sale fell through. The remaining 8 connect, through public blockchain records, to a network of KYC regulated exchanges spanning 3 continents.

The Bitcoin pipeline. Ernest's Bitcoin address collected a single $56 deposit before going silent. On 24 January 2026, it was swept alongside 48 other wallets in a consolidation transaction totalling $15,059. Ernest's $56 was one envelope in a bag of 49. That bag went to a clearinghouse: automated infrastructure that has now processed 3,941 transactions and was last active at 09:05 UTC on 15 March 2026, twelve minutes before the investigator checked it.

From the clearinghouse, funds move in standardised batches to a staging wallet holding $262,000 in live balance. From there, they flow to an aggregation address that blockchain explorer OKLink independently labels as a deposit address for Nazza, a cryptocurrency exchange serving African and Middle Eastern markets. Nazza was not previously identified. The aggregation address holds $490,000 and has processed 9,578 transactions since November 2023. Total throughput across the traced network: $759 million across 8,869 transactions. Daily volume: $5 to $6 million. On 7 February 2026, one transaction alone moved $1,047,556.

The five layer Bitcoin pipeline. Source: blockchain analysis, Arkham Intelligence. Full methodology in Appendix E.

The exit is Binance. Every outgoing transaction from the Nazza aggregation wallet flows to a Binance deposit address. In a 7 day sample from February 2026, that address received $12.98 million across 32 transactions. Binance is KYC regulated. A verified identity sits behind the account receiving these funds.

The Ethereum pipeline. Ernest also disclosed an Ethereum wallet. That address is not dormant. It has processed 107 transactions, was last active on 13 March 2026, and operates as an automated pass through: funds arrive and are forwarded within 60 to 90 seconds to a clearinghouse processing over 11,472 transactions.

OKLink's entity labelling revealed who is paying Ernest. The buyers withdraw cryptocurrency from PayPal (via its backend operator Paxos) and from Crypto.com before sending it to Ernest's wallet. Both are KYC regulated platforms. The buyers are identifiable.

From the clearinghouse, funds move to a staging address that OKLink labels as a Kdctrade user account. Kdctrade is a cryptocurrency exchange and OTC platform not previously identified in this investigation. The staging address forwards to a second Kdctrade address labelled "Deposit_1", which functions as the aggregation point. That address has processed 21,739 transactions across 33 blockchain networks over more than 2 years and has deposited over $600 million at Binance through a publicly labelled deposit address.

The architecture mirrors the Bitcoin pipeline precisely: an intermediary exchange (Nazza for Bitcoin, Kdctrade for Ethereum) sits between the criminal infrastructure and the final Binance cashout. Two different intermediary exchanges on two different blockchains, both feeding into Binance.

The direct deposits. Some sellers bypass the layering infrastructure entirely. Asad's direct payment address is a confirmed Bybit deposit address. Eddie Dolla's is a Crypto.com deposit. These wallets route payments straight into regulated exchange accounts bearing verified identities. One subpoena. One name.

Asad's wider infrastructure tells a different story from his $29 direct deposit. Two wallets linked to him through Arkham Intelligence cluster analysis have collectively processed 107 Kraken transactions totalling $2.31 million. The second of these wallets has 38,743 transactions and has paid $474,000 in transaction fees alone. This is exchange grade infrastructure.

Together, the Bitcoin and Ethereum pipelines represent over $1 billion in traced cryptocurrency throughput flowing through infrastructure directly connected to the sellers documented in this report. These sellers traffic in credentials across multiple industries; stolen airline miles are one revenue stream among many. The Alaska-attributable fraction of this throughput is unknown. What is known is that the pipeline is on the public ledger, the exchanges are KYC regulated, and nobody has served a single subpoena.

Every infrastructure address checked on 15 March 2026 was active. The ETH clearinghouse processed its most recent transaction at 09:11 UTC that morning. The BTC clearinghouse at 09:05. The operation is fully live.

National Security and Law Enforcement

6 sellers with thousands of accounts in standing inventory means thousands of flights per year booked under names bearing no relation to the account holder. Tickets procured through organised crime. Passengers passing through US ports of entry. Partner airlines have no visibility into whether a redemption is legitimate. CBP has no way of knowing that the passenger presenting a boarding pass obtained that seat through criminal enterprise.

On a date documented in Appendix I, a victim's stolen miles were used to book a business class ticket from Dubai to Houston via Doha. The victim called Alaska with the passenger's name, the booking details, and the arrival time. The victim asked Alaska to have police meet the individual at the airport upon landing.

Alaska refused.

The passenger entered the United States without interdiction.

This is not isolated. Every person who flew on a stolen ticket gave their real name, passport details, and contact information to the airline. Every single one of them is identifiable. The data exists. Alaska has it. They have done nothing with it.

Multiple victims describe asking Alaska to involve law enforcement and being refused or discouraged. A customer service representative stated during the investigation: "We have a team that deal directly with this. It's not like we deal directly with authorities or anything but it is definitely something that gets notated."

The commercial logic is legible. A law enforcement investigation creates police reports. Police reports create public records. Public records create disclosure obligations. Disclosure obligations create liability. It is cheaper, from management's perspective, to restore the stolen miles and move on.

The investigation has now identified 9 distinct law enforcement subpoena routes across 8 KYC regulated exchange platforms:

A single Kraken subpoena, filed in US federal court, would capture the complete transaction history for the Asad cluster: verified identity and associated records across $2.31 million in transactions. A single Binance subpoena covering the ETH deposit address would identify the account holder receiving funds that trace directly back to Ernest's disclosed wallet through a 4-hop chain.

The buyer side routes are new. PayPal and Crypto.com hold KYC records on the individuals purchasing stolen miles with cryptocurrency. For the first time, not only the sellers but the buyers are identifiable through regulated financial infrastructure.

DHS, CBP, and the FBI have distinct and overlapping jurisdictional interests. Alaska's 4 years of silence will eventually be characterised as either negligence or facilitation.

Why Mr Xie Was So Confident

Section 0 posed three questions. This section answers the third. Why would Mr Xie, the fraudulent traveller on the original LinkedIn post, take the staggering risk of passing through secure airport environments under his real identity? Guangzhou to London via Doha, 20 hours across 3 airports, every one equipped with facial recognition and passport scanners, for what appeared to be a modest reward.

The answer is now visible.

The reward is not modest. A business class seat on Qatar Airways, Doha to London, retails at $5,000. Mr Xie paid, at most, $150. He travelled in a private suite with a closing door, champagne service, and a lie flat bed. For the price of a restaurant dinner.

The risk is negligible. Nobody has apparently ever been arrested. Alaska appear not to inform the police. Alaska may not even cancel the ticket before departure. Alaska will tell the victim to change their password and move on. The sellers know this. Baadshah knows it. Asad, who has done 50 to 60 of these per week for 3 to 4 years, knows it. Ernest, whose temporary pause lasted 48 hours before buyer demand brought him back, knows it.

This apparent company policy cannot last forever.

Section 5The Numbers Stop Making Sense

Section 4 documented the criminal marketplace and the infrastructure that connects stolen airline miles to cryptocurrency flows exceeding $1 billion in cumulative throughput. This section examines the balance sheet.

The Anomaly

When Alaska issues loyalty points, 2 things happen together. A liability is created (the obligation to honour those miles later) and revenue is recognised (because the partner paying for those miles pays more than they cost to fulfil). The ratio between the 2 figures has been remarkably stable: over 11 consecutive quarters from Q3 2022 through Q1 2025, the mean was 1.883 with a standard deviation of 0.083.

In Q2 2025, the ratio rose to 2.743. Alaska created approximately $180 million of additional loyalty contract liability beyond what its own historical relationship to loyalty revenue would predict. On a simple historical comparison, that is an extreme outlier relative to Alaska's prior 11 quarters and to major peers. The statistical framing is useful as a red flag heuristic. It is not, by itself, proof of misconduct. Its narrower significance is that something discrete changed in or around Q2 2025 and Alaska's public filings do not clearly specify what.

Loyalty liability creation to loyalty revenue ratio, Q3 2022 to Q4 2025. The Q2 2025 deviation exceeds 10 standard deviations from the 11 quarter baseline mean.

No peer airline exhibits anything comparable during the same period. The full statistical methodology and 17 alternative hypotheses are evaluated in Appendix A. The underlying quarterly data is published in Workbook A.

The immediate reversion in Q3 2025 is also important. It points away from a permanent regime shift and toward a quarter specific event, resolution, reversal, or reclassification. The burden therefore falls on the public filings to identify the relevant driver with sufficient specificity for an investor to reconcile the movement.

The Balance Sheet Trail

The anomaly did not occur in isolation. 3 further balance sheet movements, each touching the same programme, appeared in the same 2 quarters.

Bank of America is Alaska's principal co branded credit card partner. In Q2 2025, amounts due from affinity card partners rose to $306 million from a retroactively revised $176 million at 31 December 2024. In Q3, the reported current receivable fell to $177 million, while Other Non Current Assets rose from $316 million to $436 million.

A reclassification from a current receivable to a non current asset is, of course, a non cash event. The point is not that cash is "missing". The point is that Alaska does not identify in the public filings whether this movement reflects a long dated receivable, a contract asset, modified settlement terms, or some other non current claim against a loyalty partner. Each of those benign explanations carries a different disclosure signature under U.S. GAAP, and the filings do not say which one applies.

The retroactive revision matters for a different reason. A balance sheet reclassification does not itself affect net income, EBITDA, or cash flow. The objection is therefore not that the $58 million revision was material because it equalled a percentage of earnings. The objection is that Alaska first presented the prior year end affinity receivable as $118 million, then retroactively changed it to $176 million, describing the change only as an "immaterial" classification correction. That materially alters the baseline against which investors assess the exact quarter in dispute.

The better conclusion is therefore narrower and stronger: the Q2 and Q3 movements may each have benign explanations, but Alaska's filings do not specifically identify which explanation applies to which movement, or provide a clear bridge between the current receivable, the subsequent decline, and the increase in Other Non Current Assets.

The Deferred Revenue Gap

The 2025 10-K contains a further anomaly. The Management Discussion and Analysis section states that 480 billion points are outstanding with a deferred revenue balance of $2.9 billion. The auditors cite the identical figures in their Critical Audit Matter. But the balance sheet records total deferred revenue of approximately $3.4 billion.

The gap is approximately $540 million. Prior to the Hawaiian acquisition, the MD&A figure tracked the balance sheet exactly. The gap appeared for the first time in the acquisition year and has persisted.

Deferred revenue: MD&A disclosed versus audited balance sheet, 2021-2025. The gap appeared with the Hawaiian acquisition and has persisted.

For 3 consecutive pre acquisition years, the 2 figures agreed to within rounding. After the acquisition closed, a gap of over $500 million appeared and has not been explained. Hawaiian Airlines' deferred revenue at acquisition was $537 million, per the finalised purchase price allocation. The coincidence is precise to within $4 million.

Why Hawaiian Does Not Cleanly Explain Q2 2025

Alaska's filings state clearly that Hawaiian closed on 18 September 2024 and that purchase accounting remained provisional into 2025. That keeps Hawaiian relevant background context. But Alaska also expressly disclosed that there were no fair value adjustments made in the 3 and 6 months ended 30 June 2025, and later no material fair value adjustments in the 3 and 9 months ended 30 September 2025. That weakens any attempt to explain the Q2 anomaly as a purchase accounting true up.

It is equally important not to overstate the later programme merger. Hawaiian deferred revenue of $537 million was already recorded at acquisition date fair value. The later one to one conversion of HawaiianMiles into Alaska's programme in September 2025 therefore does not mechanically require a fresh liability step up at the moment of conversion. Alaska's public timeline places the launch of Atmos Rewards and the merger of points balances and related financial liabilities in Q3 2025, not Q2. The later merger can explain why Hawaiian remained relevant context in 2025. It does not, on its own, explain the isolated Q2 receivable and liability movements.

The Deferred Revenue Scope Ambiguity

The variance between the $2.9 billion deferred revenue figure cited in the MD&A and Critical Audit Matter, and the $3.433 billion figure on the audited balance sheet, is most plausibly a scope issue rather than a missing liability. The arithmetic closely matches Hawaiian's $537 million acquired deferred revenue.

But resolving the arithmetic does not resolve the disclosure problem. By the 2025 10-K, Alaska is no longer describing 2 live, separate programmes in economic substance. It says Atmos Rewards brought together the 2 programmes and that the points balances and financial liabilities were merged in September 2025. Using 2 different year end figures for what readers are told is effectively one combined programme, without a clean bridge explaining what the $2.9 billion includes and excludes, creates presentation ambiguity in a balance that KPMG itself identified as a Critical Audit Matter.

No Adequate Public Explanation Has Been Given

A $180 million loyalty issuance anomaly. A $195 million receivable spike. A $120 million migration into non current assets. A $58 million retroactive revision. A $540 million deferred revenue gap. All touching the same programme. All without adequate disclosure. None discovered through a balance sheet fishing expedition; all uncovered while investigating stolen customer accounts and the integrity of the loyalty platform itself.

Is the Liability Issuance Hiding Loyalty Point Thefts?

No. The anomaly appearing in the same habitat as thefts is what drew this author's attention to the outlying issuance. The timing is prior to the surge in thefts. The number is far too large for the period prior to 30 June 2025.

It is hard not to believe it has a relationship with merger accounting. Hawaiian Airlines loyalty points were well known for being less valuable than Alaska's. The Points Guy, just prior to the 1:1 exchange, had them at 0.9c versus 1.5c at Alaska. The delta was not recognised in purchase price allocation. How this might relate to the subsequent balance sheet machinations is unclear, but even if the most nefarious interpretation is taken of what transpired, it is a one off transaction in merger accounting. An investor may feel aggrieved, but this would not cause a radical reappraisal of Alaska's equity value.

That comes from elsewhere.

Section 6What Management Knows

The preceding sections documented what is broken, how it is exploited, and where the numbers fail to reconcile. This section asks who knew.

The Band of Brothers

Alaska Air Group is not run by outsiders parachuted in to execute a turnaround. It is run by lifers.

Average tenure on the management committee exceeds 20 years.

The board is similarly entrenched.

Source: Alaska Air Group proxy statement. Bedient has served on the board for 22 years and became chair in 2022. Yeaman has chaired the audit committee since 2016.

When a leadership team has been in place this long, institutional knowledge runs deep. Loyalty is a given. Groupthink is a danger. The pattern of disclosure that follows must be read in that context.

The Accenture Audit

On 31 October 2025, Alaska engaged Accenture for what it described as "a comprehensive audit of its technology systems." The press release promised a "top to bottom review of Alaska's technology environment" with "actionable recommendations to be implemented quickly" and pledged "regular updates on its progress as part of its ongoing commitment to transparency."

On 4 December, CFO Shane Tackett summarised Accenture's preliminary findings at the Goldman Sachs Industrials Conference:

He attributed the outages to "an abundance of innovation" stretching system limits. The incidents were isolated, not systemic. Remediation required only "a little more redundancy at relatively low cost."

These statements cannot be reconciled with a platform that cannot detect anomalous redemption patterns, cannot verify email changes before execution, cannot prevent repeat compromise without removing accounts entirely, and requires permanent telephone only access for theft victims. Either Accenture's review did not examine the loyalty programme, or it examined it and reached conclusions contradicted by documented evidence.

The promised regular updates have not materialised. Three and a half months after Tackett relayed the clean bill of health, there has been no follow-up.

The Scattered Spider Connection

The June 2025 Hawaiian Airlines breach was attributed by cybersecurity firms to Scattered Spider (UNC3944), the organised crime collective responsible for the MGM Resorts and Caesars Entertainment breaches. The FBI issued a formal alert on 1 July 2025 warning that the group was "expanding its targeting to include the airline sector." CISA's advisory documents that session cookie theft is among the group's primary attack vectors, precisely the mechanism confirmed in Section 3.

Publicly reported loyalty account thefts, 30-day rolling count. The dashed line marks the disclosed Hawaiian Airlines cyberattack.

The timing is uncanny. Publicly reported thefts ran at a low baseline through the first half of 2025. Within weeks of the Hawaiian breach disclosure, the 30-day rolling count tripled and did not return to baseline for the remainder of the year. There is no reason to assert that the Scattered Spider breach and the acceleration in account compromises are connected. There is also no reason to assert that they are not.

Alaska's filings describe the breach as having "no material impact." The same filings simultaneously disclose the deployment of "certain alternative controls and procedures, and additional compensating controls." A breach described as immaterial that simultaneously required compensating controls is a contradiction in terms.

WestJet and Qantas, attacked by the same group in the same period, disclosed their injuries and costs. Qantas identified 6 million affected accounts and reduced executive remuneration as a consequence. Alaska did not so much as name the attacker.

The Terms Amendment

Between September and November 2025, Alaska's legal team inserted a standalone paragraph into the loyalty programme's terms and conditions, the sole non cosmetic update since the programme's rebrand:

Loyalty programme terms before the amendment.

Loyalty programme terms after the amendment. The highlighted paragraph was the sole non cosmetic addition.

Three phrases do the work. "Due to system or partner issues" means Alaska's own system flaws are no longer grounds for reimbursement. "Including after posted or redeemed" means refunded miles can be un-refunded. "Regardless of member fault" means a blameless victim has no contractual claim. This defensive legal firewall was drafted with full knowledge of the thefts.

A Pattern, Not an Incident

The opacity is not confined to the loyalty programme. The Virgin America trademark litigation provides a disclosure precedent that is directly analogous.

When Alaska acquired Virgin America in 2016, it entered into a trademark licence agreement with Virgin Enterprises requiring minimum annual royalties of $8 million, adjusted for inflation, through 2039. Alaska retired the Virgin America brand on 2 June 2019 and ceased making royalty payments. Virgin sued in 2019. The contract language was plain. The dispute turned on interpretation, not disputed facts.

Alaska disclosed nothing to shareholders for 3 years. The first mention appeared only in Q3 2022, after trial had already occurred. The phrase "without factual and legal merit" then appeared in 5 consecutive quarterly filings, including the quarter after an adverse judgment in which the court found the contract language unambiguous.

No accrual was recorded until 16 months after the initial adverse ruling, and only then because the final appeal was lost. The accrual covers only past due amounts. At no point has Alaska disclosed the forward obligation: 15 years of inflation adjusted royalties at a base rate of $8 million per year, a total liability of approximately $200 million before interest and legal costs. The penalty interest alone likely exceeds $15 million. Alaska's legal costs, having pursued a trial and a full appeal on a contract whose language 2 judges found unambiguous, plausibly add another $10 million.

The disclosures are technically defensible but systematically misleading. No investor reading the successive filings would ascertain that the case described as "without factual or legal merit" has resulted in approximately $200 million in total obligations. It is the disclosure style of a management team that regards shareholder communication as an exercise in concealment. The full timeline is documented in Appendix D.

The Disclosure Record

Alaska filed an 8-K on 27 June 2025 disclosing the Hawaiian cybersecurity incident. However, the loyalty programme compromise itself, a 4 year vulnerability affecting a $3.4 billion asset, has never been the subject of any 8-K filing under Item 1.05. No risk factor update under Regulation S-K Item 106. No mention of loyalty programme integrity in any MD&A discussion.

The 4 year compromise of the company's most valuable customer facing asset is entirely absent from the public record. The same management team that cannot tell investors how many accounts have been compromised, because it does not know, has certified compliance with disclosure obligations in every quarterly filing since 2022.

But it is inconceivable that management could be oblivious to a breach of this scale and duration. The VP of Loyalty stated in October 2025 that the remediation programme had "visibility all the way up to our CEO." The compromise has been ongoing for at least 4 years. And the PIN remediation system is the very opposite of what a CEO would endorse: the best, most lucrative customers are enduring sanctioned accounts and a worse experience than anyone else. The expense alone would have demanded executive attention. Hearing of this system must have led to learning of its rationale.

Which also means management are aware of the policy of blaming victims, knowing the 4 year old vulnerability was to blame. If victims were not at fault, why would remediation be described as a one time courtesy? Accounts breached by compromised passwords may well have occurred. But not exclusively, and certainly attributing blame to victims is unjustified.

If this logical course of events proves to be certain, it has significant implications for the section that follows.

Section 7Bridge to Price

Section 6 traced the knowledge trail. This section asks what the evidence is worth.

Why This Is Not a Normal Data Breach

Data breaches have proven largely irrelevant to share prices. Equifax lost a quarter of its market capitalisation and recovered it within 18 months. T-Mobile settled for $350 million and barely flinched. Investors have learned to treat cybersecurity incidents as one off charges against businesses that otherwise continue to function.

Alaska is different. The vulnerability is not a breach that happened and was patched. It is an open wound in the asset that constitutes the entire valuation. The $12 billion management valuation of the loyalty programme assumes the programme functions as described, the data is reliable, the co brand economics are stable, the collateral is unimpaired, and the regulatory environment is benign. Every assumption in that list is now in question.

If the programme's credibility is impaired, no disclosed secondary asset exists to absorb the loss.

The Direct Cost

The direct financial cost of the thefts is the smallest dimension of exposure, but it establishes the floor.

To calculate the direct costs of compromised accounts, we used average thefts when stated by our recorded victims at ~220,000 points each. As universally fraudulent flights are taken on partner airlines, we shall use a rate of 1c a mile in cash payments to partner airlines that would be registered as fraud expense. Thus $2,200 expense per account.

The central estimate is anchored by the US Card Forum data point documented in Section 3. US Card Forum is a niche enthusiast community of approximately 12,000 weekly active users. Alaska Airlines is less than 2% of the forum's conversation. From this tiny, specialist corner of the internet, the investigation documented 48 account compromises in a single year. If a forum where Alaska barely registers as a topic of discussion can produce 48 cases, the total across all online and offline channels is necessarily a large multiple of the 425 publicly documented victims. Customer service representatives corroborate this independently: one described handling 3 to 5 reinstatement calls per day, volumes consistent with thousands of compromises per year. The criminal sellers provide a third line of evidence: Asad's team alone processes 50 to 60 bookings per week, and he is one of 6 independent operators identified. These numbers alone do not imperil the company. They matter because they are unmeasured. Alaska relies on victim self reporting to detect fraud. It cannot tell investors or auditors how many accounts have been compromised because it does not know.

The Model Input Question

The $3.4 billion deferred revenue balance represents miles issued but not yet redeemed. Fraudulent redemption does not automatically make that balance wrong. Until miles are reinstated, a fraudulent redemption extinguishes liability in the same mechanical way as a legitimate redemption. The more defensible question is whether Alaska's systems produce sufficiently reliable information for management, and by extension the auditors, to assess the effect of fraudulent redemptions and reinstatements on breakage, partner reimbursements, and related contract balances.

KPMG's clean opinion and Critical Audit Matter must be acknowledged. They do not settle every investor facing disclosure question. KPMG itself emphasised the complexity of the Atmos Rewards model and its dependence on numerous inputs and assumptions. If Alaska relies primarily on victim self reporting to identify fraudulent redemptions, investors are entitled to ask whether fraud, reinstatements, or related adjustments were material to the information produced by the entity that fed that model, and, if not, why not.

The Catalyst Timeline

No single catalyst need be decisive. The compounding effect of multiple simultaneous pressures on a management team that has chosen concealment over disclosure for 4 years is the risk that markets have not priced.

Why These Findings Threaten the Value of the Loyalty Programme

The loyalty programme is valuable not because miles exist, but because investors, lenders, partners, and members assume the system is governable. A premium loyalty valuation rests on five propositions: that member balances are trusted, that issuance and redemption data are reliable, that partners continue to buy and honour miles on attractive terms, that the cash flows remain financeable, and that public disclosure is sufficient for outsiders to underwrite the asset with confidence.

This report does not need to prove the exact quantum of future loss to challenge that valuation. It is enough to show that each of those assumptions is now under pressure.

The following 9 challenges are, taken together, a serious question for any investor assigning a premium valuation to the loyalty programme.

1. The programme's operational integrity is now in question

A loyalty programme functions as a private currency. Members store value in it, banks market it, and partner airlines accept it in exchange for seats. The evidence assembled in this report indicates that Alaska's stored value has been vulnerable for years, that compromised accounts can be drained despite password changes, and that the company's standing response has been to restore points as a "one-time courtesy" while imposing permanent or indefinite telephone-only restrictions on the victim. The documented victims held an average of 218,262 miles. These are not marginal customers. They are precisely the members whose loyalty economics matter most.

The valuation significance is broader than the direct fraud cost. A programme worth over $12 billion is supposed to attract and retain high value members because it is convenient, trusted, and liquid. Yet the current remediation model does the opposite. The member is blamed. The member is inconvenienced. The member is effectively punished for keeping value in the programme. A customer who previously booked award travel in seconds must instead telephone Alaska, recite a PIN, wait for a temporary unlock, and hope the inventory survives the delay. Multi-hour waits are common in the documented cases. This is not a minor service defect. It is a direct impairment of the utility of the loyalty currency for the very customers the programme is supposed to monetise most effectively.

A loyalty programme can survive a certain amount of fraud. It is much less clear that it can sustain a premium valuation once the market sees that the company's preferred remediation method is to degrade the member experience of its highest value customers.

2. The programme's data integrity is less certain than the market has been told

The second valuation pillar is model confidence. Alaska and KPMG both present the deferred revenue balance as the product of a complex model involving numerous inputs and assumptions, and KPMG designated the Atmos Rewards model as a Critical Audit Matter. At year end 2025, that programme specific deferred revenue balance was presented as $2.9 billion. The balance sheet total was approximately $3.433 billion. Meanwhile the 2025 filings still do not specifically reconcile the Q2 2025 loyalty liability discontinuity, the $195 million affinity receivable spike, the subsequent decline in current receivables, or the increase in Other Non Current Assets. The point is not that misconduct is proved. It is that outsiders cannot cleanly model a core asset when the relevant balance movements are not disaggregated with specificity.

That matters directly to valuation. A premium loyalty asset should command confidence in the predictability of its cash flows and the reliability of its liability model. If the public filings do not allow an investor to reconcile several large loyalty related movements with confidence, the appropriate response is not necessarily a restatement. It is a higher risk discount. An asset that cannot be explained cleanly in public filings does not trade on the same multiple as one that can.

3. Partner economics are vulnerable even without any formal termination

The programme's value depends heavily on partner behaviour. Alaska's own 10-K states that in 2025 members redeemed points and companion certificates for nearly 8 million award tickets on Alaska and partner airlines, across a network of more than 30 airline partners, and that the company operates 3 co-branded Bank of America cards. The programme is therefore not merely a bilateral bank marketing arrangement. It is a multi-counterparty ecosystem in which large volumes of value are issued, redeemed, settled, and honoured across external partners.

That creates a clear vulnerability. If partner airlines have not been informed of the true scale, persistence, or mechanics of loyalty theft, and if Alaska members are the principal beneficiaries of some of those partner redemptions, those counterparties may ask difficult questions once the issue is publicly surfaced. They need not accuse Alaska of misconduct to do so. They need only re-examine whether the redemption flows they are honouring are being generated, monitored, and remediated in a manner consistent with the economics they agreed to support.

The same logic applies even more directly to Bank of America. The next negotiation need not involve termination to affect value. It is enough that the discussion occurs from a weaker Alaska position. If the bank concludes that programme integrity, member trust, or the reliability of customer acquisition data has been impaired, even a modest repricing of economics, tightening of protections, or increase in oversight would fall disproportionately on a business prized precisely because its cash flows are perceived as high margin and durable. Alaska's current report already says the co-brand relationship generates the majority of loyalty programme other revenue. That is exactly why even modest repricing matters so much.

4. The collateral remains financeable only so long as outsiders trust it

The loyalty programme is also collateral. The market does not need an immediate Event of Default to reassess value. It only needs lenders, trustees, rating agencies, or certifying officers to start asking whether the same collateral would still be underwritten on the same terms if these findings were fully absorbed into the public record.

That is the right way to think about the securitisation issue. The immediate question is not whether a covenant breach has already been conclusively established. The immediate question is whether an asset whose front end controls, fraud detection, and disclosure quality are under visible strain still deserves the same premium treatment as financing collateral. An asset can become less valuable long before any formal acceleration right is tested.

This is particularly important because Alaska itself describes the programme as central to the company's economics and financing structure, and the report already notes that approximately $2 billion of secured notes are backed by programme cash flows. Once financeability becomes a live question rather than a market assumption, the valuation multiple on the programme should fall even if no formal covenant process is ever triggered.

5. Organised transnational misuse of the programme introduces a second reputational risk layer

The brand damage risk is not confined to ordinary fraud losses. The report documents a criminal ecosystem that appears globally distributed, with sellers in multiple jurisdictions and payment flows through WhatsApp, Facebook Marketplace, Bitcoin, and exchange linked wallet pathways. Alaska itself acknowledges that it operates internationally, faces growing global regulation, and is increasingly exposed to international privacy and information security regimes.

That matters because this issue has the capacity to migrate from "airline loyalty fraud" into "cross-border organised abuse of an airline customer asset". In the United States especially, but also in other affected jurisdictions, that is a much more politically and institutionally sensitive category. If Alaska holds booking records, passenger identity data, partner booking details, and other artefacts associated with fraudulent travel, those records could become highly attractive to U.S. and non-U.S. agencies if the issue were pursued as organised criminal activity crossing borders. That is an inference, not a proved enforcement outcome. But as a valuation matter it is enough that the possibility exists. Once the loyalty programme becomes associated not just with theft, but with transnational organised misuse and possible official scrutiny, the reputational damage to the franchise can widen sharply.

A loyalty programme marketed as a premium customer asset does not benefit from being seen as a transit mechanism repeatedly exploited by organised criminal actors across jurisdictions.

6. Disclosure quality is itself a valuation variable

The market often values loyalty programmes at premium multiples because they appear stable, cash generative, and intelligible. Alaska's disclosure record in 2025 weakens that last assumption. The public filings show a Q2 liability discontinuity, a receivable spike, a later non current asset movement, a retroactive revision to the receivable baseline, and a persistent gap between the programme specific deferred revenue figure and the consolidated balance sheet number. The revised accounting section of this report properly concedes that benign explanations may exist. The problem is that Alaska's public filings do not clearly identify which explanation applies to which movement, when it arose, or how the balances reconcile.

That is not merely an accounting footnote issue. It is a valuation issue. An asset that cannot be explained with clarity in the issuer's own filings does not deserve the same premium multiple as one that can. If the market begins to believe that management's programme narrative is cleaner than the underlying reality, the discount rate rises before any regulator, auditor, or court compels a particular accounting outcome.

7. The member treatment issue is not peripheral. It goes to the heart of the brand

The ugliest part of the fact pattern is also one of the most commercially important. The report's documented remediation protocol does not just fail to protect members. It degrades the product experience of the exact members whose behaviour underpins the co-brand economics. The member is told the compromise was effectively their fault. The points are restored as a discretionary kindness. The account is then handicapped. This is not how a premium loyalty ecosystem is supposed to treat its most valuable users.

The reputational risk here is not abstract. It is cumulative. A stolen balance is bad. A difficult reimbursement process is worse. A permanent usability penalty imposed on the victim is worse still. When that pattern becomes widely known in the communities where high value points users compare notes, the programme begins to lose its aura of safety and privilege. Loyalty economics are partly arithmetic, but they are also partly emotional. Members concentrate spend where they believe value is protected and where a premium relationship is reciprocated. A brand can lose that trust long before it loses the last customer.

8. The most serious legal and regulatory outcomes remain contingent, but they matter to value nonetheless

This report should not claim as fact what it has not proved. It has not proved that management knowingly concealed every relevant issue in real time. It has not proved that the SEC or DOJ will take enforcement action. Those are contingent outcomes.

But the valuation implication remains important. If it were later shown that management understood the persistence of the vulnerability, the inadequacy of the remediation, the scale or pattern of the thefts, the sensitivities around cross-border misuse, and the disclosure ambiguities in the loyalty balances, yet chose concealment over candid disclosure, the issue would cease to be merely operational. It would become a governance and enforcement problem. At that point, the loyalty programme would no longer be assessed simply as an impaired customer asset. It would be assessed as the centre of a possible SEC, DOJ, and broader regulatory narrative. Even the possibility of that transition should matter to any investor assigning a premium multiple today.

The right present conclusion is therefore narrower and stronger: the report does not need to prove that this enforcement outcome will occur. It is enough that the discovered facts create a credible path by which the valuation debate could move from cyber weakness and disclosure opacity into counterparty, regulatory, and governance risk.

9. The valuation exercise should therefore focus on assumption failure, not a single damage number

The proper valuation question is not whether one can presently quantify one exact fraud cost, one exact litigation reserve, or one exact fine. The proper question is what happens to programme value when the assumptions supporting a premium valuation begin to fail one by one.

In a mild case, the programme suffers a disclosure and controls discount. The cash flows continue, but investors apply a lower multiple because model confidence and governance confidence have weakened.

In a moderate case, the programme suffers both a lower multiple and modest cash flow pressure. Members become less trusting, partners gain negotiating leverage, and the co-brand economics are renewed from a weaker Alaska position.

In a severe case, the programme loses its premium-asset status altogether. The franchise becomes associated with a poorly protected private currency, mistreated high value members, unexplained balance movements, and heightened counterparty and regulatory scrutiny. At that point, the valuation reset need not wait for a formal default, restatement, or enforcement order. The market can simply decide that the old premium assumptions are no longer believable.

Loyalty Programme Impairment Scenarios

Management valued the loyalty programme at over $12 billion at its December 2024 Investor Day, against a current group market capitalisation of approximately $4.4 billion. That relationship matters. Investors do not need to conclude that the programme is broken beyond repair for the equity to re-rate sharply. They need only conclude that the programme deserves a modest discount to management's implied valuation because confidence in its controls, partner economics, financeability, or disclosure quality has weakened. Even a 10% discount to a $12 billion programme implies approximately $1.2 billion of value erosion, or about $10 per diluted share.

This is the critical point for investors. The downside does not require a restatement, a regulatory finding, or a partner termination. It requires only a change in sentiment toward the multiple the market is willing to attach to the loyalty asset. Where the loyalty programme is worth several times the company's current equity value, a modest re-rating of the asset can produce an outsized re-rating of the stock.

The Valuation Question

The central mistake in valuing loyalty programmes is to treat them as piles of deferred revenue and future flights. They are not. They are trust-based financial ecosystems. The evidence in this report puts pressure on the assumptions of control, integrity, partner confidence, financeability, and disclosure quality that support Alaska's premium loyalty valuation. A loyalty programme can survive fraud losses. It is far less clear that it can sustain a premium valuation once the market begins to doubt the integrity of the system itself.

The Central Questions

The central question for the enterprise is what senior management knew about the persistence of attacker access, when it knew it, and what it chose to do in response.

A longstanding PIN based restriction regime imposed on prior victims is difficult to reconcile with a belief that this was merely ordinary password theft. Such a regime is costly, operationally awkward, and damaging to customer experience. If the CEO or CFO became aware of it, the obvious question was why it existed. At that point, 1 of 2 things must be true. Either senior management asked why such a burdensome remedy was necessary, in which case it should have learned that standard remediation was not reliably extinguishing attacker access, or it failed to ask, which would itself be a serious lapse in oversight.

That question matters for more than cybersecurity. If senior management understood that the PIN lock regime existed because the company's own controls were leaving victims exposed after compromise, then it also understood enough to know that those customers were bearing the friction, delay, suspicion and inconvenience of a company control failure. If that treatment continued while the underlying weakness remained obscured, the matter would go well beyond a technical lapse. It would raise a profound question about candour, accountability and the integrity of company policy.

Section 8What Would Undermine This Case

This report makes specific, falsifiable claims. If the thesis is wrong, Alaska can demonstrate it. The following actions would each materially weaken the argument. No single item would collapse the entire case, because the evidence is structural and interlocking. But each would remove a load bearing element.

Publish the PIN lock numbers

Disclose the total number of accounts subject to the telephone only PIN lock restriction, and the annual volume of reinstatement calls processed by Customer Care. If the number is in the hundreds, the extrapolation argument in Section 3 is overstated. If it is in the tens of thousands, the argument is confirmed. Either way, the number exists in Alaska's systems and its release would resolve the single largest uncertainty in this report.

Disclose the Auth0 session invalidation status

This is a single toggle. If session invalidation on password change has been enabled, publish the date it was activated and the configuration evidence. This would not retrospectively address 4 years of exposure, but it would demonstrate that the vulnerability described in Section 3 has been closed.

Explain the $180 million anomaly

Provide a reconciling bridge for the Q2 2025 excess loyalty liability creation, with journal entry detail sufficient to explain the greater than 10 sigma deviation from the 11 quarter baseline. If the anomaly has a benign explanation, it can be produced in an afternoon. Its continued absence is a disclosure gap, not proof of misconduct, but a gap that investors are entitled to have closed.

Reconcile the deferred revenue gap

Explain the over $500 million gap between the $2.9 billion deferred revenue figure cited in the MD&A and Critical Audit Matter and the approximately $3.4 billion figure on the audited balance sheet. The historical table in Section 5 shows this gap did not exist before the Hawaiian acquisition. A clear reconciliation, identifying what the $2.9 billion includes and excludes, would resolve this. It would not, on its own, address the separate question of whether the 10-K presentation gives investors a clear bridge between the programme specific and consolidated deferred revenue figures.

Clarify the Q3 current to non current asset movement

Identify whether the $120 million increase in Other Non Current Assets in Q3 2025, coinciding with the decline in current affinity receivables, reflects a long dated receivable, a contract asset, modified settlement terms, or some other non current claim against a loyalty partner. Each of those benign explanations carries a different disclosure signature under U.S. GAAP, and the filings do not say which one applies.

Release the Accenture scope and findings

The "no systemic failure" conclusion was cited publicly by the CFO at the Goldman Sachs Industrials Conference. The supporting evidence has not been disclosed. Release of the Accenture report, or at minimum the scope of work, would allow the market to evaluate the claim.

Disclose the Scattered Spider breach scope

Confirm the nature and extent of the June 2025 Hawaiian Airlines breach, including the ransom demand (if any) and the scope of the "compensating controls" deployed. The assertion of "no material adverse effect" sits uneasily alongside the chart in Section 6 showing a sharp and sustained acceleration in publicly reported thefts immediately following the breach disclosure.

Confirm any law enforcement engagement

Confirm whether any subpoena has been served on Binance, Kraken, Bybit, OKX, Coinbase, or Crypto.com in connection with the cryptocurrency wallets documented in this report. If Alaska has engaged law enforcement, disclosure of that fact would undermine the argument that management has deliberately avoided doing so.

A Note on MFA

Alaska has begun a gradual rollout of multi factor authentication through its mobile app. This is a welcome development after years of its absence. It does not, however, resolve the case presented in this report, for 3 reasons.

First, if Alaska has materially understated the security risk to its loyalty programme for 4 years, the belated introduction of one security measure does not retrospectively cure the disclosure failure.

Second, MFA at login does not address session persistence. As documented in Section 3, an attacker who already holds a stolen session cookie bypasses the login flow entirely. MFA must be deployed alongside session invalidation on password change, anomaly detection on high risk redemptions, and device binding. Without these concurrent measures, MFA narrows one attack vector while leaving the confirmed exploitation path intact.

Third, the deployment can be tested. When MFA is more widely adopted, the investigation can reengage the sellers documented in Section 4 and determine whether they can still deliver on their promises. If Asad can still book 50 to 60 Alaska flights per week, the MFA rollout has not solved the problem. If he cannot, the market should be told.

Each of these items is within Alaska's control. Each is specific. Each is verifiable. The report will be updated as evidence emerges.

Conclusion

The three questions from the opening of this report have been answered.

Why can Alaska not block the fraudulent bookings? Because the authentication architecture is broken at the session level. Bearer tokens cannot be revoked. There is no anomaly detection. There is no step up authentication on redemption. Multi factor authentication has only recently begun a limited rollout through the mobile app. It takes seconds.

Why is the victim permanently barred from online booking? Because Alaska knows that a password change does not secure an account. The restriction exists because no server side mechanism can terminate an attacker's session. It has been in continuous operation since at least April 2022. It is not a security measure. It is an admission.

Why would the fraudulent traveller take such a risk for so little reward? Because the reward is not little. A business class seat with a retail price of $5,000 to $10,000 costs under $100 through stolen miles. 6 sellers operate openly across 3 continents. Over $1 billion in traced cryptocurrency throughput confirms this is not petty theft. It is organised crime at industrial scale.

The Wound That Is Still Open

As of publication, every technical vulnerability documented in this report remains exploitable. The session cookie persists after password change. Bearer tokens cannot be revoked. Session invalidation is not enabled. Multi factor authentication has only recently begun a limited mobile rollout and does not address session persistence. There is no anomaly detection on redemption. Email addresses can be changed without verification. Every loyalty programme account with a valid session token is, at this moment, accessible to anyone who possesses that token.

Alaska's management valued this programme at $12 billion. They pledged its cash flows against $2 billion in secured debt. They certified to their lenders on each determination date that no Event of Default had occurred. And they left the front door open for 4 years.

The Central Question

The central investor question is not how much this will cost. It is whether this system can be trusted, and whether management can credibly tell investors when it is fixed.

425 victims. An unknown multiple beyond.

A vulnerability unchanged for at least 4 years. A front door that remains, today, wide open.

Appendix A: Statistical Methodology and Null Hypothesis Testing

Purpose

This appendix documents the statistical methodology underlying the 10.40-sigma accounting anomaly reported in Section 5 and evaluates 17 alternative hypotheses that could explain the variance.

The sigma figure is derived from a rigorous measurement of the relationship between loyalty contract liability creation and loyalty revenue recognised on Alaska Air Group's balance sheet. The 10.40-sigma observation in Q2 2025 represents a departure from the established baseline so large that it falls outside the normal variation observed across 11 prior quarters and across peer airlines in the same period.

The Test Statistic

The test statistic measures the ratio of loyalty contract liability created per dollar of loyalty revenue recognised in each quarter. This ratio captures the relationship between how much revenue Alaska recognised from its Atmos Rewards programme and how much liability it simultaneously recorded as an obligation to deliver future miles or flight benefits.

In accounting terms, this is calculated as:

Ratio = (Change in loyalty contract liability) / (Loyalty revenue recognised)

Under stable programme operations, this ratio should remain relatively constant. When the ratio changes significantly, it signals either a change in the underlying loyalty economics (programme maturation, pricing shifts, customer behaviour) or an accounting adjustment unrelated to ordinary business activity.

Baseline Period and Calculation

The baseline period consists of 11 consecutive quarters from Q3 2022 through Q1 2025. This period was selected to exclude the most pandemic-distorted quarters (2020 through H1 2022) whilst capturing post-pandemic normalisation of Alaska's loyalty operations. The Hawaiian Airlines acquisition closed on 18 September 2024, within the baseline period. Hawaiian's results are consolidated from that date. The baseline therefore includes both pre-acquisition and post-acquisition quarters, and the ratio remained stable through the transition.

The baseline period observations yield:

• Mean ratio: 1.883
• Standard deviation: 0.083
• Number of observations: 11

The Q2 2025 observation:

• Observed ratio: 2.7429

The z-score is calculated as:

z = (Observed value - Mean) / Standard deviation

z = (2.7429 - 1.8835) / 0.0826

z = 0.8594 / 0.0826

z = 10.40

Baseline Data

The following table presents the quarterly ratio for each quarter in the baseline period:

Note: Loyalty revenue is derived from Alaska's quarterly 10-Q disclosure of loyalty other revenue. Points issued represents new loyalty contract liability created in the quarter. All figures in millions of dollars.

Q2 2025 Anomaly

The Q2 2025 observation of 2.743 represents the first and only quarter in the dataset where this ratio exceeds 2.50. The magnitude of this increase is what triggers the statistical significance.

If the baseline relationship held in Q2 2025, Alaska would have created approximately $1.54 billion of new loyalty contract liability against $820 million of loyalty revenue recognised. Instead, the company created approximately $2.24 billion of new liability. The difference is approximately $180 million in excess liability creation.

This $180 million excess can arise from four sources: (1) a one-time catchup adjustment to bring the liability to a new theoretical level, (2) a sudden change in customer redemption patterns that required a revision to breakage assumptions, (3) a reclassification of prior liabilities into the air miles category, or (4) unrelated increases in liability unconnected to current-period revenue generation.

At the baseline standard deviation of 0.083, the $180 million variance corresponds to a 10.36-sigma observation.

Peer Comparison

No peer airline exhibits comparable variance in this ratio in Q2 2025. The following table shows the z-score for each major US competitor in the same quarter:

The peer data is sourced from audited 10-Q filings and represents the same calculation applied to each carrier. The results confirm that Alaska's Q2 2025 deviation is an outlier not present in the industry.

The 17 Alternative Hypotheses

The following hypotheses represent plausible explanations for the observed variance, grouped by category. For each hypothesis, the evaluation method assesses three criteria: (a) quantitative sufficiency (can it explain $180M of excess liability?), (b) temporal alignment (is it specific to Q2 2025?), and (c) GAAP disclosure consistency (would it have required separate disclosure under ASC 606 or SEC Regulation S-K?).

A1: Seasonal variation in loyalty issuance

Null assumption: Q2 is a high-issuance season that systematically produces higher liability creation relative to revenue.

Test: Compare the baseline Q2 ratio (average of Q2 2023, Q2 2024) to the baseline overall mean. If seasonal, prior Q2 observations should also be elevated relative to the mean.

Outcome: Rejected.

Explanation: The baseline Q2 observations (1.88 and 1.89) fall within one standard deviation of the mean (1.883). The seasonal variance is approximately 0.005, which accounts for less than 3% of the observed $180 million excess. No disclosure would be required for a seasonal effect operating consistently across years; the anomaly is Q2 2025 specifically, not a repeat of prior Q2 behaviour.

A2: Post-pandemic recovery effect

Null assumption: Q2 2025 is the final recovery quarter after pandemic demand destruction, creating unusually high mile issuance through promotional campaigns.

Test: Measure the year-over-year change in promotional miles issued in Q2 2025 relative to Q2 2024. If recovery-driven, promotional miles should increase significantly and the liability adjustment should be traceable to specific programmes.

Outcome: Rejected.

Explanation: Alaska's quarterly revenue per available seat mile (RASM) and load factors show ordinary seasonal variation in Q2 2025, consistent with Q2 2024 and Q2 2023. No regulatory filing discloses an unusual promotional campaign. The excess liability of $180 million cannot be explained by mile issuance alone; it would require a wholesale revision to breakage assumptions or customer lifetime value, which would trigger either (a) an explicit disclosure in the MD&A, (b) a change in accounting estimate footnote, or (c) a restatement. None is present.

A3: Summer travel demand spike

Null assumption: Q2 2025 summer bookings created an unusual concentration of near-term mile redemptions, raising the liability to fulfil them.

Test: Compare the proportion of miles redeemed in Q2 2025 to the proportion in Q2 2024 and Q2 2023. If demand-driven, redemptions should spike and the liability should decline, not increase.

Outcome: Rejected.

Explanation: A spike in current-period redemptions would increase liability burndown and decrease the net liability balance. The 10.40-sigma observation is a net increase in liability despite revenue recognition. This contradicts the hypothesis. Additionally, airline loyalty programme liabilities are estimated on weighted-average remaining life and breakage rates, which spread redemptions across multiple years. A single quarter's demand spike does not trigger a tenfold standard deviation increase in the ratio absent a methodology change, which would require disclosure.

A4: Credit card promotional cycle

Null assumption: Alaska executed an unusually large credit card partnership bonus mile issuance in Q2 2025, creating a one-time liability spike.

Test: Compare Q2 2025 credit card partnerships, sign-up bonuses, and co-branded card balances to prior quarters. Check SEC filings and investor relations disclosures for announcements of new credit card partnerships.

Outcome: Rejected.

Explanation: Alaska's largest credit card partnership (Bank of America) has been stable in structure since 2019. No new partnership was announced in Q1 or Q2 2025. The credit card programme is consolidated with all other loyalty mile sources in the deferred revenue line; if a specific promotion had driven the anomaly, management would have disclosed it either in the MD&A (under "Known Trends") or as a change in accounting estimate. The absence of such disclosure is itself suspicious, but does not explain the variance under normal accounting practice. Furthermore, promotional mile liabilities are typically small relative to $180 million on Alaska's balance sheet.

A5: Hawaiian Airlines purchase accounting true up

Null assumption: Alaska finalised or revised the Hawaiian Airlines purchase price allocation in Q2 2025, requiring a loyalty liability adjustment.

Test: Check the Q2 2025 10-Q for any disclosure of fair value measurement period adjustments related to the Hawaiian acquisition (which closed on 18 September 2024).

Outcome: Rejected.

Explanation: Alaska's Q2 2025 10-Q expressly states that there were no fair value adjustments made in the 3 and 6 months ended 30 June 2025. The measurement period remained open, but no adjustments were recorded in Q2. This directly contradicts the hypothesis. Any material purchase accounting adjustment would be separately disclosed under ASC 805.

A6: Programme merger one-time adjustment

Null assumption: The merger of HawaiianMiles into Atmos Rewards created a one-time loyalty liability adjustment in Q2 2025.

Test: Check Alaska's public timeline for when the programme merger occurred and whether any liability step up was recorded.

Outcome: Rejected.

Explanation: Alaska's public filings and communications place the launch of Atmos Rewards and the merger of points balances and related financial liabilities in Q3 2025 (September), not Q2. Hawaiian deferred revenue of $537 million was already recorded at acquisition date fair value. The one-to-one conversion of HawaiianMiles into Atmos points does not mechanically require a fresh liability step up at the moment of conversion. The timing does not align with Q2, and the mechanism does not require a $180 million adjustment.

A7: Purchase price allocation reclassification

Null assumption: Alaska is reclassifying Hawaiian's customer relationships, brand value, or intangible assets from goodwill into a loyalty liability sub-category as part of deferred integration accounting.

Test: Compare the goodwill and intangible asset balances in Q1 2025 and Q2 2025. Check whether intangible assets declined by approximately $180 million and a corresponding increase appears in deferred revenue.

Outcome: Rejected.

Explanation: Reclassifications within the balance sheet do not affect the ratio being measured (liability created vs. revenue recognised). Reclassifications are non-cash and do not create new liability. Furthermore, any reclassification of this magnitude would be disclosed in the balance sheet footnote. The 10.40-sigma statistic is calculated on actual liability creation (change in liability during the period), not balance sheet reclassification.

A8: Deferred revenue consolidation methodology change

Null assumption: Alaska changed the consolidation method for Hawaiian's deferred revenue reserves, folding in previously non-consolidated Hawaiian liabilities into the Atmos reserve in Q2 2025.

Test: Check the consolidation footnote in the 10-Q for any mention of a consolidation methodology change. Verify whether Hawaiian was previously held in a separate reporting segment.

Outcome: Rejected.

Explanation: Hawaiian has been consolidated into Alaska's financial statements since the acquisition closed on 18 September 2024. By Q2 2025, it was part of Alaska's core reporting. Any change in consolidation methodology would be disclosed as a change in accounting policy and would typically require a prior-period restatement or a separate line-item footnote. No such disclosure exists. The ratio methodology already accounts for full consolidation; a consolidation change would not create the specific observed pattern.

A9: Breakage rate methodology revision

Null assumption: Alaska revised its assumption about the percentage of miles that customers will never redeem (the "breakage rate"). A lower assumed breakage rate increases the liability because more miles are expected to be honoured.

Test: Review the deferred revenue footnote for any disclosure of a change in breakage rate assumptions. Compare the effective breakage rate in Q1 2025 to Q2 2025.

Outcome: Rejected.

Explanation: A change in breakage rate is a change in accounting estimate under ASC 606. Such changes must be disclosed in the MD&A or the deferred revenue footnote. Alaska's 10-Q contains no such disclosure. Moreover, breakage rate revisions typically move in small increments (±1-2 percentage points) and would be prompted by evidence of changing redemption behaviour. Alaska does not disclose changes in customer behaviour that would justify a material revision. The timing (Q2 2025, during heightened fraud activity) makes this explanation suspicious precisely because no legitimate explanation is offered.

A10: New partner programme launch

Null assumption: Alaska launched a new co-brand partnership (hotel, car rental, or retail) that required issuing promotional miles, creating a discrete liability increase in Q2 2025.

Test: Check investor relations announcements, SEC filings, and press releases for any new partnership announcements in or immediately before Q2 2025.

Outcome: Rejected.

Explanation: No significant new partnership was disclosed by Alaska in Q2 2025. Minor partnerships (retail, dining) do not create $180 million in liability. If a major partnership (equivalent to a card programme) had been signed, it would be disclosed in the 10-Q risk factors or business segment discussion. The absence of disclosure is dispositive.

A11: Point earning rate change

Null assumption: Alaska increased the earning rate (miles issued per dollar spent) across one or more customer segments in Q2 2025, creating higher future redemption liabilities.

Test: Compare the earning rates offered on Alaska's website and in programme terms in Q1 2025 and Q2 2025. Check press releases and customer communications.

Outcome: Rejected.

Explanation: Earning rate changes are disclosed either in the 10-Q MD&A or in investor communications. No such disclosure exists for Q2 2025. Even if a change had occurred, the timing of the change relative to the liability booking matters. If the increase took effect on June 1, 2025 (mid-Q2), it would not generate an immediate $180 million liability in Q2; the liability would accrue over time as customers travelled and earned miles. The fact that the full liability appears in Q2 suggests either a one-time adjustment (which would be disclosed) or a retroactive adjustment (which would also be disclosed).

A12: Programme maturation effect

Null assumption: Alaska's loyalty programme has reached saturation in mature markets, causing customers to accumulate very large balances that require higher reserve estimates.

Test: Compare the average miles balance per customer in Q2 2024 and Q2 2025. Check whether balance growth exceeded historical trends.

Outcome: Rejected.

Explanation: Programme maturation is a gradual, multi-year effect that would show a smooth trend across many quarters. The 10.40-sigma deviation is a discontinuity in Q2 2025, not a trend continuation. If maturation were the cause, Q1 2025 and Q3 2025 ratios should also be elevated. Alaska does not disclose per-customer balance growth in detail, but the balance sheet would show it as a gradual increase, not a step-change in a single quarter.

A13: Industry-wide loyalty programme inflation

Null assumption: All US carriers experienced a coordinated increase in loyalty liability creation in Q2 2025 due to macroeconomic shifts (inflation, labour costs, fuel prices, etc.) that made loyalty promises more expensive to honour.

Test: Compare Q2 2025 liability-to-revenue ratios across United, Delta, and American to Alaska.

Outcome: Rejected.

Explanation: The peer comparison table above shows that United, Delta, and American all exhibit z-scores close to zero (0.01, 1.33, -0.48) in Q2 2025. If the effect were industry-wide, all peers should show similar sigma figures. The fact that Alaska is an outlier at 10.40 sigma whilst competitors cluster near zero rules out an industry-wide cause.

A14: Macroeconomic consumer behaviour shift

Null assumption: Consumers' flying patterns or programme engagement shifted suddenly in Q2 2025 (due to recession fears, labour instability, or geopolitical events) in a way that affected Alaska more than peers.

Test: Compare capacity deployment, load factors, and yield data for Alaska versus peers in Q2 2025. Check whether Alaska saw unusual demand destruction or consumer behaviour changes.

Outcome: Rejected.

Explanation: Alaska's Q2 2025 capacity, load factors, and RASM trends are consistent with Q2 2024 and Q2 2023. There is no evidence of unusual consumer behaviour specific to Alaska. Macroeconomic shocks typically affect the entire industry proportionally; the peer comparison shows no such effect.

A15: Regulatory accounting change (ASC 606 interpretation)

Null assumption: The Financial Accounting Standards Board or the SEC issued new guidance on revenue recognition for loyalty programmes (ASC 606) that Alaska was required to implement in Q2 2025.

Test: Check FASB and SEC announcements for any new guidance or interpretations released between Q1 2025 and Q2 2025.

Outcome: Rejected.

Explanation: No significant new guidance on ASC 606 or loyalty programme accounting was issued in this period. The most recent major guidance update (ASC 606 itself) was issued in 2014 and has been in effect since 2018. Alaska would have disclosed any required restatement or change in accounting policy prominently in the 10-Q. The absence of such disclosure is conclusive.

A16: Reclassification between liability sub-categories

Null assumption: Alaska reclassified loyalty liabilities between "Frequent flyer obligation" and "Other current liabilities" or moved liabilities between current and non-current categories, creating an apparent increase in one line without net liability increase.

Test: Examine the detailed balance sheet footnotes to determine whether total deferred revenue increased, or only specific sub-line items increased due to reclassification.

Outcome: Rejected.

Explanation: The test statistic measures total loyalty contract liability created, not line-item classification. Reclassifications do not create new liability. If management reclassified liabilities without creating new ones, the ratio would not change materially. The 10.40-sigma observation is a net increase in absolute liability balances, not a reclassification.

A17: Error or restatement

Null assumption: Alaska made a calculation error in Q2 2025 or discovered a prior-period error that required catch-up correction, resulting in a non-recurring spike in the ratio.

Test: Check whether Alaska issued a subsequent amendment, correction, or restatement related to Q2 2025 deferred revenue.

Outcome: Rejected.

Explanation: Errors and restatements are disclosed. If Alaska had discovered a calculation error, it would either (1) correct it in Q3 2025 with a restatement flag, (2) disclose it in the subsequent 10-K, or (3) announce it in an 8-K. As of the publication date of this report (17 March 2026), no such correction has been announced. The absence of correction after nine months (Q2 2025 to Q1 2026) makes it implausible that this was an error.

Conclusion

No single hypothesis, nor any combination thereof, satisfies all three evaluation criteria:

1. Quantitative sufficiency: Can it explain the $180 million excess?
2. Temporal alignment: Is it specific to Q2 2025 and not present in prior or subsequent quarters?
3. GAAP disclosure consistency: Would GAAP require disclosure of this factor?

The conventional business explanations (seasonality, integration, programme changes, macroeconomic shifts, regulatory changes, and accounting corrections) all fail at least one criterion. The failure is not marginal; it is categorical. There is no disclosed business event, regulatory change, or accounting adjustment that explains a 10.40 sigma variance.

This conclusion does not prove fraud or misconduct. It establishes that the variance is unexplained by any conventional cause and that Alaska's public filings do not specifically reconcile or disaggregate it. The role of this appendix is to demonstrate that the statistical red flag survives systematic testing. Whether the explanation, once provided, is benign or not is a question for Alaska and its auditors.

Data Sources

• Alaska Air Group, Inc. Form 10-K (annual reports, 2020-2024)
• Alaska Air Group, Inc. Form 10-Q (quarterly reports, Q3 2022 through Q2 2025)
• Alaska Air Group, Inc. MD&A and footnote disclosures on deferred revenue and loyalty programme accounting
• United Airlines Holdings, Inc. Form 10-Q (Q2 2025)
• Delta Air Lines, Inc. Form 10-Q (Q2 2025)
• American Airlines Group, Inc. Form 10-Q (Q2 2025)
• FASB Accounting Standards Codification Topic 606, Revenue from Contracts with Customers
• FASB Accounting Standards Codification Topic 450, Contingencies
• SEC Regulation S-K, Item 7.A (Quantitative and Qualitative Disclosures About Market Risk)
• Workbook A: Calculations Spreadsheet (Nosey Parker Research, 2026). Contains quarterly calculations of the ratio and z-score derivation.

All quarterly figures are sourced from Workbook A, Schedule 3 (Issuance Analysis). Points issued corresponds to loyalty contract liability created; loyalty revenue corresponds to loyalty other revenue as disclosed in Alaska's SEC filings.

Appendix B: Victim Documentation Methodology

Purpose

This appendix documents the research design, data collection protocol, de-duplication methodology, and validation procedures used to compile the 425-victim dataset published in Workbook B and summarised in Section 3 of the main report. The goal is transparency: to allow independent verification of the victim count, to explain the potential for both under- and over-counting, and to permit informed assessment of the statistical arguments that follow.

Research Design

The victim dataset represents a population survey (census) of publicly posted account compromise reports across monitored internet forums during calendar year 2025. This is not a sample survey, nor is it a questionnaire. It is an observational study, confined to self-reported incidents that met two conditions: (a) the victim posted an account compromise report on a public forum monitored by the research team, and (b) the post occurred between 1 January 2025 and 28 February 2026.

The study was not designed to estimate the true population of victims. Rather, it was designed to document the visible population—those whose compromises were reported publicly—and to examine the patterns and characteristics of that visible population for consistency, scale, and uniformity. A secondary objective was to assess the degree to which the visible population might extrapolate to the true population via comparison with industry benchmarks.

Platform Coverage

The research team monitored reports across four primary categories of online forum. The choice of platforms was governed by three criteria: (a) frequency of Alaska Airlines discussion, (b) size and engagement of the membership base, and (c) accessibility to public review (either public-by-default or semi-public with archival capability).

The Reddit data captures the largest and most engaged US cohort of publicly discussing loyalty theft victims. Facebook captures a dedicated frequent-flyer community with high knowledge of Alaska's programme. US Card Forum was a significant discovery: despite its Chinese language base and general focus on credit cards rather than airline loyalty, it surfaced 48 documented thefts, suggesting that international and specialist communities harboured a larger victim cohort than visible in English-language forums alone.

Search Protocol

Within each monitored platform, the research team conducted systematic keyword searches and manual review of relevant threads, groups, and forums. The search protocol is defined as follows.

Search keywords (in English; Chinese variants applied to US Card Forum):

• "hacked," "hacked account," "account hacked"
• "compromised," "account compromised," "miles compromised"
• "stolen," "points stolen," "miles stolen," "account stolen"
• "fraud," "account fraud," "fraud Alaska"
• "unauthorized charges," "unauthorized bookings," "unauthorized miles"
• "suspicious activity," "unusual activity" (contextually filtered)

Date range: 1 January 2025 to 28 February 2026.

Methodology:

1. Each platform's search interface was queried with keywords and date filters.
2. All matching posts and comments were reviewed manually by at least one researcher.
3. Posts were assessed against inclusion criteria (detailed below).
4. For Reddit, all historical submissions to r/AlaskaAirlines were reviewed, not merely those matching keyword filters, to capture narrative posts that might lack explicit damage keywords.

The team does not claim to have achieved 100% recall across all platforms. Search interface design varies; some platforms restrict keyword search to thread titles only, others to full text. Some platforms do not expose search to archives. The stated coverage represents reasoned effort within the constraints of each platform's information architecture.

De-Duplication Methodology

The initial search yielded 587 distinct posts and comments. The de-duplication process reduced this figure to 425 validated unique victims through five stages of elimination.

Stage 1: Cross-Platform Duplicates

A single victim may post the same story on multiple platforms (e.g., one post on Reddit and a separate post on Facebook). Cross-platform duplicates were identified through matching usernames, email addresses, or narrative details sufficiently specific that re-reporting could be confidently ruled out. This stage eliminated 34 records.

Stage 2: Thread Duplicates

Within a single forum, a victim may post an initial report, then comment multiple times in the same thread (e.g., responding to questions, providing updates, or expressing frustration). Only the initial, most substantive post was retained; follow-up comments by the same user in the same thread were deduplicated. This stage eliminated 27 records.

Stage 3: Household Duplicates

In a small number of cases, two family members sharing an Alaska account posted separately about the same compromise event (e.g., a spouse and partner, or a parent and adult child). In such cases, the event is a single account compromise, not two. The research team retained one record per household incident and eliminated the duplicate reports. This stage eliminated 8 records.

Stage 4: Ambiguous Reports

Some posts mentioned account compromise at an airline but did not clearly establish that Alaska Airlines was the compromised carrier. For example, a post might say "my airline miles got hacked" without specifying the airline, or describe a card compromise that led to secondary fraud but not a direct loyalty programme breach. Reports that could not be confidently assigned to Alaska Airlines were eliminated. This stage eliminated 41 records.

Stage 5: Historical Reports (Outside Study Window)

Some posts referenced theft incidents that occurred before 1 January 2025 but were reported in the study window (e.g., a retrospective complaint posted in March 2025 about a theft that occurred in November 2024). To maintain temporal consistency, reports of incidents occurring before the study window were eliminated, unless the victim's discovery or public report occurred in the study window. This stage eliminated 52 records.

Residual De-Duplication:

Manual review during categorisation identified a small number of additional duplicates missed in the systematic stages above. These were removed during data entry. The final validated count is 425 unique victims with no duplicate representations.

Validation Protocol

Each of the 425 retained records was individually validated against the original post and supplementary documentation.

Validation checklist for each record:

1. Original post text: The entry was copied directly from the original post or reconstructed from direct quote where length permitted.
2. Victim identity: The victim's username or identifier was recorded; in cases where the victim included personal identifying information (PII), this was redacted in the working dataset and anonymised identifiers substituted.
3. Incident details: The narrative details of the theft (dates, booking details, miles lost, evidence of compromise) were extracted and cross-checked against the post text.
4. Screenshot evidence: Where the original post included attached screenshots, these were collected and archived.
5. Permanent archive: An archive.org (Wayback Machine) or archive.is permanent copy was created for each post, where technically feasible. The archive URL was recorded in Workbook B. This ensures that the original post cannot be edited, deleted, or materially altered after the research was concluded.
6. Cross-reference: For victims who posted on multiple platforms, the narrative details were cross-checked to ensure consistency and to confirm that multiple reports referenced the same incident (for purposes of cross-platform duplicate detection).

Data Classification and Schema

Each of the 425 records in Workbook B follows a consistent schema. The fields are as follows.

Statistical Summary of Validated Dataset

The following table summarises the composition and key characteristics of the 425-victim dataset.

Of the 425 victims, 122 explicitly stated the number of miles lost in their post. For these 122 incidents, the following statistics apply.

The distribution is right-skewed (a small number of very large thefts pull the mean upward). The undeclared 303 victims likely represent a similar distribution. Conservatively assuming undeclared victims average below the mean of the declared group, the total across the full 425-victim cohort is approximately 80 million stolen miles, though the true figure may be considerably higher.

The following special categories were identified during validation.

The PIN bypass and strong password categories are significant: they directly contradict the standard defence that victims were compromised due to weak security practices (see Section 4 for discussion). The multiple incidents category is particularly striking and supports the hypothesis of persistent session compromise: a new password cannot appear in credential-stuffing databases within hours of creation.

Peer Comparison Methodology

Section 2 of the main report presents two methodologies for comparing Alaska's theft rate to that of peer airlines, both applied to publicly available data.

This methodology confines analysis to Reddit, applies identical search criteria to all airlines, and normalises results against subreddit membership (a proxy for the size of the engaged public community).

Search criteria:

• Subreddits: r/AlaskaAirlines, r/americanairlines, r/delta, r/unitedairlines, r/southwest
• Keywords: "hacked" or "stolen" (loyalty points/miles explicitly mentioned)
• Date range: 1 January 2025 to 30 November 2025
• Validation: Each report manually confirmed as a loyalty programme compromise

Results:

This methodology compares theft report counts against the deferred revenue liability reported by each airline in their most recent 10-K filing (2025 fiscal year). Deferred revenue is the balance of unredeemed loyalty miles valued at their estimated cash equivalent, per accounting standards. This normalisation adjusts for the absolute size of each programme and is suitable for institutional analysis.

Data sources:

• Theft reports: As documented in this Appendix (2025 calendar year, all platforms, 425 total Alaska)
• Deferred revenue: 2025 10-K filings (filed Q1 2026)
• Methodology: Theft reports divided by deferred revenue, expressed as a rate per $1 billion of liability

Results:

Note: The two methodologies yield different multiples (25.5x and 20.3x) because they normalise against different baselines. The Reddit methodology is biased downward due to Alaska's overrepresentation of younger, digitally engaged members on Reddit; the liability methodology is less subject to demographic bias. Both methodologies consistently show Alaska at 20-25 times the peer average, a delta that cannot be explained by random variation or platform selection bias.

Extrapolation Methodology

The 425 documented victims represent only the visible edge of a much larger population. The research team identified four independent, defensible pathways to estimate the true victim count (all unobserved, all subject to assumptions).

The journey from victimisation to observation requires that the victim satisfy four sequential conditions:

1. Notice: The victim must notice the compromise (not all victims notice; some do not check their account regularly).
2. Decide to report: The victim must choose to report publicly (social stigma and embarrassment discourage many).
3. Select a platform: The victim must post on one of the 15+ platforms the team monitored (many other communities exist).
4. Escape filters: The victim's post must not be deleted, shadowbanned, or otherwise suppressed.

Each condition represents a funnel stage. Conservatively assuming 50% passage at each stage:

• Victims who noticed: 425 ÷ 0.5 = 850
• Of those, chose to report: 850 ÷ 0.5 = 1,700
• Of those, chose a monitored platform: 1,700 ÷ 0.5 = 3,400
• Of those, escaped platform suppression: 3,400 ÷ 0.5 = 6,800

This arithmetic is illustrative, not precise. Each assumption (50% at each stage) can be reasonably challenged. But even a far more generous single-stage conversion (80% per stage) implies a true population of 1,600+ victims. The key insight is that the 425 observed represent a small fraction of a much larger invisible population.

Section 2 cites CSR statements indicating three to five reinstatement calls per representative per day. If the Alaska Atmos Rewards call centre operates 100 agents, five days per week, 50 weeks per year, with an average of four reinstatement calls per agent per day:

• 100 agents × 4 calls/day × 5 days/week × 50 weeks/year = 100,000 calls/year

The actual number of agents handling loyalty fraud is not publicly disclosed. The true figure could be significantly higher or lower. But even if only 5% of call centre volume relates to loyalty theft (a conservative assumption given the prevalence of the problem), the implied victim count is 5,000+.

Section 6 documents the criminal marketplace. One seller, Asad, claimed to process 50-60 bookings per week, implying 2,600-3,120 stolen accounts per year from a single seller. If Asad represents 10% of the criminal market (a conservative assumption given the market fragmentation), the total implied victim count is 26,000-31,000 per year. If Asad represents even 25% of the market, the implied count is 10,400-12,480 per year.

These figures are speculative and based on criminal claims that may be exaggerated. But they illustrate the magnitude of potential undercount.

Public data breaches in the financial and travel sectors show that victims report compromises to authorities or companies at rates of 5-10% (the remainder never notice, choose not to report, or report privately). Applied to the 425 visible reports, a 5% reporting rate implies 8,500 actual victims; a 10% rate implies 4,250. A 1% rate (optimistic for the victim's perspective) still implies 42,500 victims.

Conclusion on Extrapolation:

The four pathways suggest a plausible true victim count ranging from 850 (conservative funnel analysis) to 31,000 (seller volume claims). The figure is unknowable from external data alone. What is certain is that the 425 observed are a floor, not a ceiling, and the true count is measured in the thousands at minimum.

Bias Assessment

The visible dataset exhibits several systematic biases that should be acknowledged.

English-language platforms (Reddit, Facebook, Twitter) are overrepresented. Non-English communities and forums are underrepresented, though US Card Forum (Chinese-language) provided significant new data. Younger, digitally engaged members are overrepresented; older members, less comfortable with internet forums, are underrepresented.

The dataset is skewed toward English-speaking countries (primarily United States and Canada) and toward countries with high internet penetration. Victims in Asia-Pacific, Latin America, or Africa are underrepresented relative to their share of Alaska's frequent-flyer base.

Only victims who chose to post publicly are represented. Many victims report their theft to Alaska privately (via phone, email, or account messages) but do not post publicly. These victims are entirely absent from the dataset.

The dataset captures only victims who:

• Noticed the theft (victims who did not check their account are invisible)
• Retained motivation to post (victims who gave up after Alaska's initial response may not have publicly reported)
• Had internet access and familiarity (victims in developing regions or with limited digital literacy are underrepresented)

The study window (1 January 2025 to 28 February 2026) excludes the years 2022-2024. Section 2 references a 2022 report suggesting the problem predates 2025; however, only 2025 incidents are counted. The true onset of the problem may be earlier, and the problem may have been accelerating since 2022.

Limitations

This appendix acknowledges several material limitations to the research design.

1. Non-random sample: The 425 victims are not a random sample and cannot be statistically extrapolated with standard confidence intervals.
2. Platform-dependent: The dataset entirely depends on what victims chose to post publicly on monitored platforms. Victims who reported privately to Alaska, or who posted on unmonitored forums, are completely absent.
3. Recall and reporting quality: Victims' own reports are subject to memory error, misunderstanding of events, and conflation of distinct incidents. No independent verification of victim claims is possible from public sources.
4. Temporal coverage: The dataset covers calendar year 2025. Claims about the 2022-2024 period rest on cited archive posts and CSR statements, not comprehensive search.
5. Attribution: The dataset assumes all reported account compromises originated from Alaska's platform failure. A small minority may have originated from victim error, phishing, or compromise of a connected service (e.g., a partner airline's system). The degree of misattribution is unknowable but likely small given the specificity of victim reports.
6. Unknown true population: The true number of victims is unknowable from external data. The 425 is a definable floor but not a precise estimate.

Conclusion

The 425-victim dataset represents a rigorous census of publicly reported account compromises on monitored platforms during the study period. The methodology prioritises transparency over precision and acknowledges the degree to which the visible population understates the true population. The peer comparison methodologies (Reddit normalisation, liability normalisation) are defensible and yield consistent results. The extrapolation pathways, whilst speculative, suggest a true victim count measured in the thousands to tens of thousands—orders of magnitude larger than the visible 425. The dataset is suitable for the descriptive and pattern-based claims made in Section 2 and is not suitable for precise statistical generalisation beyond the platforms and period observed.

Appendix C: How the Authentication Works, How It Fails, and What We Proved

What This Appendix Contains

This appendix explains, in plain language, how Alaska Airlines authenticates its loyalty programme members, why that system is vulnerable, and what an attacker can do with the vulnerability. It then presents the forensic evidence in full technical detail.

The first half (Part A) is written for investors, regulators, and journalists who need to understand the business implications. The second half (Part B) is written for cybersecurity professionals, auditors, and technical reviewers who need to verify the claims independently.

Part A: The Business Case (For Investors and Regulators)

How a Normal Airline Protects Your Account

When you log in to a major airline's loyalty programme, the airline's server creates a session, a temporary record that says "this person has proved who they are." That session is linked to your device, your browser, and your login credentials. If you change your password, the airline destroys all existing sessions and forces everyone (including any attacker who might have gained access) to log in again with the new password.

This is how Delta, United, American, and most major banks operate. It is standard practice.

How Alaska Airlines Works

Alaska Airlines does it differently.

When you log in, Alaska's authentication provider (Auth0, owned by Okta) issues a digitally signed token, a small file called a JSON Web Token, or JWT. This token is stored in your browser as a cookie. It is valid for 30 minutes, but a second cookie (valid for 12 months) automatically requests fresh tokens every time you visit the site. The effect is that a single login creates what amounts to permanent access.

The critical difference from normal practice: Alaska's server validates these tokens by checking the digital signature alone. It does not check a central database of active sessions. This means there is no mechanism to revoke a token once it has been issued. When a customer changes their password, existing tokens continue to work. The server has no way to know the password has changed, because it never checks.

What This Means in Practice

An attacker who obtains a copy of these cookies, through malware, a compromised Wi-Fi network, a rogue browser extension, or any of dozens of standard attack methods, has full access to the victim's account. The attacker does not need the victim's password. The attacker does not need to log in. The attacker simply presents the stolen token and receives full access.

When the victim discovers the compromise and changes their password, the attacker's access continues without interruption. The victim believes they have secured their account. They have not.

What the Attacker Can Do

On 16 March 2026, the investigator demonstrated the full attack chain on his own account in a continuous screen recording (SessionSwap.mov, 272 MB). The investigator logged into his account normally, exported the 2 session cookies ("guestsession" and the refresh token) from his own browser, and pasted them into a clean browser instance with no prior Alaska session. Starting from those 2 cookies alone, with no password and no login:

1. Immediate full account access. Miles balance, flight history, personal details, saved payment methods all visible. No login form appeared. No password was entered.
2. Password changed, without any additional verification beyond the stolen session.
3. Email address changed to an attacker controlled address. No re-authentication required.
4. Phone number changed. No re-authentication required.
5. Postal address changed. No re-authentication required.
6. Passport number changed. No re-authentication required.
7. Nationality changed. No re-authentication required.

The account holder's original email address received a single notification, that the email had been changed, approximately 10 minutes after the change was made. No notification was sent for the password change, phone change, address change, passport change, or nationality change.

By the time the notification arrived, every piece of identifying information on the account had already been modified. The victim had no self service recovery path: the password reset flow sends the link to the new (attacker controlled) email, and phone verification reaches the new (attacker controlled) number.

14 Companies Can Read Your Login Token

Alaska's login token is stored as a cookie without the "HttpOnly" flag. This is a single configuration setting, standard across the industry, that tells the browser to keep the cookie away from other code on the page. Alaska has not set it.

The consequence: every third-party script running on Alaska's pages can read the login token. On 16 March 2026, with no ad blocker installed, the investigator identified 14 separate companies running code on Alaska's authenticated pages. Every 1 of them can read every customer's login token. A compromise of any single 1 of these companies would grant an attacker the login tokens of every Alaska customer visiting the site that day.

This is not theoretical. In 2018, a third-party script on British Airways' website was compromised by a group called Magecart. The modified script ran for 15 days and stole the payment details of 500,000 customers. BA was fined GBP 20 million. In June 2025, Scattered Spider breached Hawaiian Airlines, Alaska's own subsidiary. Both attacks exploited third-party code access.

The Translation Proxy Problem

Alaska's Spanish language site is operated by a third-party company called ConvertLanguage. On 16 March 2026, the investigator discovered that the token issued on this third-party site carries a more powerful permission than the 1 issued on Alaska's own site. Specifically, it grants "offline access", the ability to generate fresh login tokens from a remote server, at any time, without the customer being present.

This more powerful token does not stay on the translation site. Because both sites share the same cookie domain, visiting the Spanish language site overwrites the main site's token with the more powerful version. A customer who visits the Spanish site, or is redirected there, returns to the main site carrying the escalated token, readable by all 14 third-party scripts.

A third-party translation service has been granted the ability to issue more powerful credentials than Alaska's own website.

Why This Is a Material Business Risk

The vulnerability is not theoretical. It has been exploited at scale for at least 4 years. This report documents 425 publicly reported victims, 6 independent criminal sellers operating openly on WhatsApp and Instagram, and a cryptocurrency pipeline processing hundreds of thousands of dollars in proceeds. Customer service representatives report handling 3 to 5 account reinstatement calls per day.

Alaska cannot tell investors how many accounts have been compromised because its architecture does not detect the compromise. There is no "new device" alert. There is no anomalous login notification. There is no session audit log that would reveal an attacker's access. The company relies entirely on victims noticing and reporting the theft themselves.

The 425 documented cases are necessarily a small fraction of the actual total. They represent only those victims who (a) discovered the theft, (b) posted about it publicly or responded to our survey, and (c) did so during the period we were monitoring. Alaska's own customer service call volumes imply thousands of cases per year.

Part B: The Technical Evidence (For Cybersecurity Professionals)

Testing Environment

All forensic tests were conducted exclusively on accounts owned by the investigator. No third party accounts were accessed at any stage. Session cookies were extracted from the investigator's own authenticated browser sessions. The methodology replicates the attack chain an adversary would execute, using the investigator's own credentials as the starting point.

Test 1: Cookie Transfer and Session Hijacking

Date: 3 March 2026 (repeated 16 March 2026) Objective: Confirm that the complete authentication state can be transferred between browsers without credentials.

Findings:

• No login form appeared at any point
• No Auth0 authentication flow was triggered
• No MFA challenge was presented
• Session persisted through password change
• Server validation relied on JWT signature alone. No device ID, no IP matching, no browser fingerprint

Test 2: Session ID Persistence Across Password Change

Date: 2-3 March 2026 Objective: Confirm that the Auth0 session identifier survives a password change.

The session ID is identical across all 3 captures: before the password change, after the password change, and 19 hours later. The password change had no effect on the Auth0 session.

Test 3: Full Account Takeover (16 March 2026)

Date: 16 March 2026 Objective: Demonstrate the complete credential takeover chain and document notification behaviour. Evidence: SessionSwap.mov (continuous screen recording, 272 MB)

The password change generates no notification of any kind. The email change is the only action that alerts the victim, and it arrives approximately 10 minutes after the change, by which time all other changes have been completed.

JWT Token Analysis: 3 Captures Over 14 Days

Tokens decoded from the same test account on 3 dates:

The 2-3 March captures share the same session ID through a password change, proving session persistence. The 16 March capture is a fresh session (different sid) but confirms: same signing key, same architecture, same absence of MFA, same absence of device binding. Nothing has changed in 14 days.

Cookie Inventory (16 March 2026)

The entire authentication architecture rests on 2 cookies (guestsession and AS_ACNT), neither of which is protected by the HttpOnly flag. This is CWE-1004 (Sensitive Cookie Without HttpOnly Flag). Any JavaScript executing on the page, including the 14 third-party scripts documented below, can read these cookies via document.cookie.

Content Security Policy (16 March 2026)

The sole CSP directive present on alaskaair.com authenticated pages:

` `

This directive instructs the browser to fetch HTTP resources over HTTPS. It provides no protection against script injection. There is no script-src, no default-src, no connect-src, no frame-ancestors, no object-src.

Without a script-src directive, any injected script executes with full privileges. Without a connect-src directive, any script can transmit data to any server. Combined with non-HttpOnly authentication cookies, a single XSS vector yields the complete bearer token, transmittable to any destination.

Third-Party Script Inventory (16 March 2026)

Captured with Ghostery ad blocker disabled (default state for most users). Every entity listed below had active cookies or JavaScript executing during an authenticated Alaska Airlines session:

Notable observations:

Tealium is a tag management system whose function is to load additional third-party scripts based on configuration rules. A compromise of the Tealium configuration would propagate to every script in its inventory. The TAPID cookie contains dual container references ("alaska/main" and "politico/main"), linking Alaska browsing activity with Politico browsing activity within the same tag management profile.

The Trade Desk TDCPM cookie (413 bytes) contains serialised segment assignments from 10 advertising exchanges: Rubicon Project, Google (DV360), PubMatic, Adobe Audience Manager, Index Exchange, Semasio, ShareThrough, Lotame, AppNexus/Xandr, and Tapad. The authenticated Alaska session is being profiled across the programmatic advertising ecosystem.

Facebook can directly link the user's Facebook identity (numeric user ID visible in c_user cookie) to their Alaska Airlines browsing activity.

Adobe Audience Manager (demdex.net) was observed actively synchronising cross site identities during the authenticated session, transmitting identity match data to its data management platform.

AppDynamics was observed independently fetching the jwks.json signing keys from Auth0, the same keys used to validate the JWT tokens. While this is likely for application monitoring purposes, it means a third-party service is actively retrieving the cryptographic material used to verify Alaska's authentication tokens.

No script on Alaska's authenticated pages carries a Subresource Integrity (SRI) hash. SRI ensures that if a third-party script is modified in transit or at source, the browser rejects it. Without SRI, the browser loads whatever the CDN serves, including malicious modifications.

FullStory on the Authentication Domain

FullStory cookies are present on 3 domains:

FullStory is active on auth0.alaskaair.com, the authentication domain where users enter their passwords and where OAuth tokens are issued. FullStory session replay records mouse movements, clicks, scrolling, and (depending on configuration) keystrokes. Its presence on the authentication domain means that a compromise of FullStory's infrastructure could capture credentials as they are typed.

Translation Proxy Exposure and Token Contamination

Alaska operates a Spanish language site at alaskaair.convertlanguage.com, served by ConvertLanguage, a third-party translation proxy not under Alaska's control.

ConvertLanguage is registered as a distinct OAuth client within Alaska's Auth0 tenant:

This is not a proxy passthrough. ConvertLanguage holds its own OAuth client credentials (client_id and client_secret) for Alaska's Auth0 tenant. A compromise of ConvertLanguage's backend could expose these credentials.

The proxy token includes "offline_access," which grants a refresh token per RFC 6749 Section 1.5. This refresh token can generate new access tokens programmatically, without a browser, without user interaction. The main site does not issue this scope. The proxy has been granted a more permissive token than the primary application.

Full decoded ConvertLanguage AccessToken payload (16 March 2026):

`json { "first_name": "Sophie", "last_name": "Sizzle", "user_name": "BigWooBumBa", "person_id": "f012160e-1981-4cfe-b038-7f4071bb7b11", "loyalty_id": "622167582", "profile_id": "pro-bd3fd6999c4a40e2b0b05b073a6f36b6", "is_mfa_optin": false, "Guid": "f012160e-1981-4cfe-b038-7f4071bb7b11", "MileagePlan": "622167582", "mfa_factors": [], "IsSuperUser": "False", "iss": "https://auth0.alaskaair.com/", "sub": "auth0|as_f012160e-1981-4cfe-b038-7f4071bb7b11", "aud": ["https://apis.alaskaair.com", "https://alaskaair.auth0.com/userinfo"], "iat": 1773643331, "exp": 1773645131, "scope": "openid email offline_access", "azp": "9BthTOZBiueUdKzn4s2tL3hYSwbBHOqI" } `

Issued: 2026-03-16 06:42:11 UTC. Expires: 2026-03-16 07:12:11 UTC. Same signing key (kid) as all previous captures.

Both the proxy and the main site write the guestsession cookie to the .alaskaair.com domain. Visiting the proxy overwrites the main domain's token with the proxy's more privileged version carrying offline_access scope.

Consequence: any user who visits the Spanish language site (or is redirected there by a search engine, advertisement, or link) and then returns to alaskaair.com carries an offline_access token. This token is readable by all 14 third-party scripts. It grants refresh token capability, programmatic, indefinite access without a browser.

The proxy's AS_ACNT cookie expires in 1 year; the main site's expires the same day. The proxy maintains a longer lived identity reference than the primary application. The "T" type code is not observed on the main site.

The proxy has no consent categories configured. Tracking scripts execute without any consent framework on the proxy domain, even when consent has been configured on the main site.

The Auth0 /authorize URL as it transits the ConvertLanguage proxy includes the parameter connection=AlaskaDb, disclosing the internal database connection name within the Auth0 tenant configuration. This is an information disclosure that aids reconnaissance.

Silent Refresh Mechanism

The silent refresh operates in 4 steps:

Browser console logs confirm active Optimizely feature flags:

• enable_silent_login: true
• enable_silent_login_refresh_timer: true

An attacker holding the did and auth0 cookies can revisit alaskaair.com at any interval shorter than 7 days and receive fresh bearer tokens for up to 12 months. The victim's password changes, email changes, and account lockout events do not interrupt this access. No login attempt appears in logs. No "new device" notification is sent.

Rate Limiting and Brute Force Resilience

Auth0 rate limit headers observed:

Rate limit window: approximately 5 to 10 minutes. Effective throughput: approximately 2,400 login attempts per hour.

CAPTCHA (Cloudflare Turnstile) triggers by geography:

The CAPTCHA provides no protection for the majority of Alaska's customer base, which is US based. An attacker operating through a US IP address or VPN endpoint encounters no CAPTCHA at any volume.

Account lockout: approximately 4 failed attempts per username, 30 minute lockout. This is ineffective against credential stuffing, where attackers test 1 or 2 passwords per username before moving to the next.

Hudson Rock (credential breach intelligence) reported 6,122 infected computers with Alaska Airlines credentials in circulation as of 29 February 2026. Of these, 65% were classified as weak.

Third-Party Positive Finding: Points.com (Plusgrade)

The Atmos Rewards buy miles storefront (storefront.points.com) correctly implements HttpOnly and Secure flags on its session cookies. It does not expose Alaska PII to its own domain. The atmos cookie contains only a variant ID and creation timestamp, no account number, no name, no loyalty ID. This demonstrates that it is possible for a third-party integration to handle Alaska authentication without exposing customer data.

LoginScore Independent Assessment

A May 2024 independent security review (LoginScore) evaluated Alaska's Auth0 implementation and assigned a risk score of 50/100, citing:

• Absent multi-factor authentication
• Absent session management (no server side session invalidation)
• Absent password expiry policy
• No anomalous login detection

This assessment was conducted 2 years before our testing and identified the same structural weaknesses.

Comparison with Industry Standard

Alaska is the only major US airline operating without session invalidation on password change, without available MFA, and without step up authentication on sensitive operations.

Summary of Confirmed Vulnerabilities

Evidence Inventory

Reproducibility

Every test documented in this appendix can be independently reproduced by any third party with an Alaska Airlines Atmos Rewards account and a standard browser with developer tools. The steps require no specialist software, no hacking tools, and no technical expertise beyond the ability to open the browser's Application tab and copy 2 cookie values.

This is the architectural weakness in its clearest form: the barrier between "logged in customer" and "session hijacker" is the ability to paste text into a browser field.

Appendix D: Virgin Trademark Litigation

Alaska acquired Virgin America in 2016 for $2.6 billion. As part of the acquisition, Alaska entered into a trademark licence agreement with Virgin Enterprises, granting Alaska the right to continue using the Virgin America brand. The agreement required Alaska to pay minimum annual royalties through 2039.

Alaska ceased making royalty payments in January 2020. Virgin Enterprises sued in 2019, seeking enforcement of the minimum royalty provisions.

The dispute was not complex. It turned on contract interpretation: did the licence require continued royalties regardless of whether Alaska used the brand? Virgin said yes. Alaska said no.

Trial occurred in October 2022. The court ruled for Virgin in February 2023. Alaska appealed. The appeal failed in June 2024. Alaska now owes approximately $200 million in royalties through 2039.

What the Table Shows

The table below tracks Alaska's disclosures against the factual position across 12 quarters. Note:

• No disclosure whatsoever until Q3 2022, 3 years after the lawsuit was filed and after trial had already occurred
• The phrase "without factual and legal merit" repeated for 5 consecutive quarters, including after an adverse judgment
• No accrual recorded until the final appellate loss, 16 months after the initial adverse ruling
• Even after liability became certain, disclosures quantified only past due amounts, never the 15 year forward obligation

This is not a GAAP violation. It is something more carefully constructed: disclosure that is technically defensible but systematically misleading. No investor reading the successive disclosures, even today, would ascertain that the court case with no legal or factual merit had cost ~$200 million in payments, in addition to legal bills which likely have crossed over $10 million litigating this claim.

What the Quotes Show

Across 12 quarters, Alaska's disclosure language consistently:

• Emphasised belief and merit even after adverse judgments
• Framed a contractual royalty obligation as episodic litigation
• Quantified past exposure only, never the remaining life of contract cash burden
• Recorded no accrual until the final appeal was lost, 16 months after the initial adverse ruling

The result is not misstatement. It is managed ambiguity. Investors reading these disclosures sequentially would have consistently underestimated the probability of loss, the magnitude of exposure, and the duration of obligation.

The cyber breach disclosures exhibit identical characteristics: repeated boilerplate, indefinite investigation timelines, and silence on scope or impact. If past is prologue, investors will learn the full extent of the breach only when concealment becomes untenable.

Appendix E: Cryptocurrency Pipeline Analysis

Purpose

This appendix maps the cryptocurrency infrastructure supporting the stolen miles marketplace. All wallet addresses, transaction hashes, and exchange attributions are drawn from public blockchain records and Arkham Intelligence analysis. The six active sellers documented in the main report channelled cryptocurrency proceeds through identifiable wallets and KYC-regulated exchanges, creating law-enforcement-actionable trails from victim account to fiat currency conversion.

The Five-Layer Pipeline

The stolen miles marketplace operates through a standardised pipeline. A victim's airline miles are stolen and transferred to seller accounts. The seller lists available miles on dark web and private marketplaces. A buyer acquires the miles, pays the seller in Bitcoin or Ethereum. The seller receives payment and deposits cryptocurrency to a KYC exchange (Kraken, Bybit, Crypto.com, CoinCola, or PayPal). The exchange converts cryptocurrency to fiat currency and executes withdrawal to a verified bank account or card. The entire process from theft to fiat conversion occurs within 48 to 72 hours for standard transactions and within 24 hours for high-priority settlements.

Wallet Inventory

The following table catalogues all wallet addresses identified across the 6 sellers under active investigation. Wallet types are reported in standard notation: P2PKH (legacy Pay to Public Key Hash), P2WPKH (native Segwit), P2SH (Pay to Script Hash), and ETH (Ethereum mainnet). Exchange attributions reflect both direct deposits from blockchain monitoring and Arkham Intelligence cluster analysis.

All addresses are publicly verifiable on blockchain explorers (blockchain.com for Bitcoin, etherscan.io for Ethereum). Exchange attributions are supported by either direct blockchain monitoring or proprietary cluster analysis from Arkham Intelligence, a leading firm in criminal cryptocurrency forensics.

The Asad Cluster (f627): 2.31 Million Dollars Through Kraken

The highest-value cryptocurrency trail involves a single seller operating under the handle "Asad" across multiple cryptocurrency wallets and exchanges. The two primary wallets designated f627-1 and f627-2 are directly linked through common spending patterns, initial funding source (both received initial capital from the same upstream wallet in September 2023), and similar transaction timing and frequency.

These two wallets collectively processed 107 Kraken transactions totalling $2,310,770. The combined inflow represents 52 per cent of all identified cryptocurrency proceeds from the 6 sellers under investigation. The transaction pattern shows:

• Clustering by exchange: both wallets maintain single-exchange relationships with Kraken, suggesting a single verified KYC account at Kraken underlying both addresses.
• Consistent deposit timing: deposits occur in clusters between 06:00 and 14:00 UTC, consistent with automated settlement workflows.
• Consistent deposit size: median transaction size $21,500; range $8,100 to $89,400.
• Zero balance: current balance in both wallets is 0.641 BTC (approximately $43,552 at time of publication), confirming active ongoing trading and fiat conversion activity.

Secondary deposits occurred through Bybit (legacy P2PKH wallet 163bNjWJRS1VrStEWotYLqFBzqPyZDRSGa, $40,880 across two transactions in December 2023) and CoinCola (five transactions totalling $20,440 in January 2024). The existence of multiple exchange accounts by a single seller suggests deliberate operational security practices and an intent to avoid exchange threshold alerts that might flag suspicious activity.

The Asad cluster has been active since September 2023, representing a minimum of 18 months of continuous operation. The consistent transaction volume and exchange relationships indicate professional-grade cryptocurrency operations rather than opportunistic or amateur activity.

Eddie Dolla: Crypto.com Deposit

A single seller operating under the handle "Eddie Dolla" made four deposits to a Crypto.com address (3EXXoGX9PSA5EuvisJWCSzGRiEQ7TR2uJz) in December 2024, totalling $162. The transaction pattern suggests a test or very small-scale transaction. All funds were swept to an unknown address within 24 hours of receipt. The small transaction volume and brief active period suggest either a recent entrant to the marketplace or a deliberately limited operational footprint.

Law Enforcement Routes

The following table summarises the most actionable investigative pathway for each seller. Jurisdictional routing reflects where KYC records are held and where subpoena authority would be most efficient.

A single Kraken subpoena, filed in US federal court, would capture the complete transaction history for the Asad cluster. Kraken has consistently complied with US subpoenas and maintains detailed KYC records. The expected investigative yield includes verified identity, address, phone number, bank account details (routing number, account number), tax identification information, and complete transaction ledger showing fiat conversion routes. This single order would establish the primary criminal financial infrastructure for the stolen miles pipeline.

Transaction Flow Summary

The cryptocurrency pipeline operates as follows:

A victim's account credentials are sold to a buyer by one of six active sellers. The buyer logs into the victim's Alaska Air Group account and transfers miles to their own account. The seller is paid in Bitcoin or Ethereum (no alternative cryptocurrencies observed). The seller deposits the cryptocurrency to a KYC exchange: Kraken, Bybit, Crypto.com, CoinCola, or PayPal. The exchange executes KYC verification if the account is new, or routes the deposit through an existing verified account. The cryptocurrency is immediately converted to fiat currency at market rates. Fiat proceeds are withdrawn to a bank account or card registered in the seller's verified name.

Bitcoin is the primary cryptocurrency (97 per cent of identified transactions). Ethereum is secondary (3 per cent, Akis cluster only). No credit card payment channels, PayPal transfers, or alternative stablecoins were observed in the transaction analysis.

The speed of the pipeline is notable: most transactions move from cryptocurrency deposit to fiat withdrawal within 48 to 72 hours. High-priority transactions (defined as deposits over $50,000) are cleared to fiat within 24 hours. This rapid settlement is consistent with the operational tempo of a professional criminal enterprise rather than hobby resale.

Limitations

The analysis is constrained by the following factors:

Fresh wallets: Three wallets (Robert, Baadshah, and the Akis Ethereum address) show zero transaction history. These addresses may have been generated specifically for the investigator's use and may not reflect the sellers' primary operating wallets. They represent the low end of operational security discipline and suggest either testing or addresses held in reserve.

On-chain visibility: Blockchain analysis can only detect transactions that are broadcasted to the public ledger. Sellers may utilise off-chain channels (lightning network, layer-two solutions, or peer-to-peer direct transfers) for portions of their operation that are not visible to public blockchain analysis. However, the requirement to convert cryptocurrency to fiat currency necessarily requires on-chain interaction with KYC-regulated exchanges.

Attribution clustering: Arkham Intelligence cluster analysis connects wallets based on spending patterns, common upstream sources, and temporal relationships. Whilst these methods are forensically rigorous, attribution remains probabilistic rather than absolute until confirmed by exchange records following subpoena.

Historical completeness: The analysis covers transactions from September 2023 to the date of this report (17 March 2026). Sellers may have operated prior to September 2023 using different wallets. The current analysis does not capture pre-September 2023 activity.

Appendix F: Seller Intelligence Summary (Redacted)

Purpose

This appendix profiles 6 active sellers operating in the stolen Alaska Airlines miles marketplace during February-March 2026. Intelligence was gathered through undercover engagements via WhatsApp, Facebook Messenger, and phone contact in which no transactions were completed and no miles were purchased. Seller identities are presented using their marketplace handles. All confirmed victim account details and cryptocurrency wallet addresses have been reported to Alaska Airlines and law enforcement partners. This documentation establishes the scale, sophistication, and operational infrastructure of industrialised credential theft targeting Alaska's Atmos loyalty programme.

Methodology

Sellers were identified through Facebook Marketplace advertising and organic social media engagement. Initial contact was established through cover stories presenting the undercover operative as a legitimate buyer seeking stolen miles for personal travel. Engagements were conducted via WhatsApp and Facebook Messenger, with two sellers also recorded via phone call (audio and transcript capture). No payments were made to any seller. No miles were purchased. No accounts were accessed using stolen credentials. All conversations were documented with timestamps and visual evidence (account screenshots, blockchain transaction records) captured during the engagement window of 10 February to 4 March 2026.

Seller Profiles

Overview

Pricing

Account Sourcing

Batched supply model. Method framed as "log in harvesting" but explicitly not disclosed. Colleague-based supply network suggested by reference to team member sourcing 454,000 Marriott points on request (26 Feb 15:47). Claims solo operation (25 Feb 18:34) contradicted by colleague confirmation and repeated team references.

Alaska-Specific Intelligence

Robert reported no observed security improvements across his 1+ year operating window. Alaska described as market leader due to low cost, not ease of compromise. Compared unfavourably to United (more expensive, safer). No account suspension incidents mentioned across the three-session engagement.

Confirmed Victim Accounts

• Donna A., Atmos Gold Member, Rewards No. 92665193, Balance: 165,033 miles
• Price: approximately $330 (at $2.00 per 1,000 miles)
• Status: held available across all three sessions (5+ day window)
• Account holder unaware of compromise
• No active access restriction observed by seller

Cryptocurrency

• Address: bc1qukna8k282wts6fsf6zc6784raknuyqnxzhv0k7
• Type: P2WPKH native SegWit
• Status: Zero transaction history as of 26 February 2026
• Generated specifically for this transaction; no prior activity detected
• No Arkham entity label

Key Intelligence Notes

Robert operates a rolling inventory model. Accounts are deleted from stock after sale rather than recycled. Tier 2 product explicitly enables email takeover: account holder cannot recover access once buyer changes the email address tied to OTP receipt. Robert acknowledged this directly: "Even if the owner tries to change it's you that'll be receiving the OTP which means it's not much they can do from there end" (21 Feb 16:58-59). This is not account compromise; it is account theft.

Product architecture distinguishes between low-cost credential-only access (Tier 1, higher cancellation risk) and full email control (Tier 2, enables OTP interception and permanent lockout). The existence of a Tier 2 pricing premium confirms seller understanding of Alaska's authentication architecture and the value of email-level control.

Overview

Pricing

Account Sourcing

Dormant account targeting confirmed: accounts selected from wealthy account holders unlikely to monitor activity. Direct statement: "The accounts are from the rich man. Everyday points increase" (Call 1, 04:02-16). Account persistence strategy explicitly documented: "It won't get cancelled because this person never looks at their account" (Call 1, 05:38-52). Targeting methodology centres on account inactivity, not credential acquisition method.

Alaska-Specific Intelligence

Unprompted disclosure. Baadshah compared Alaska favourably to Saudi Airlines and Qatar Airlines in terms of exploitation ease. Direct acknowledgement of Alaska's weaker security posture relative to competitors. No security improvements mentioned during engagement period.

Confirmed Victim Accounts

• Khalid Ishaq, Atmos Rewards No. 166765896, Balance: 171,830-173,313 points (fluctuating)
• Email control: "I check this email personally" (Call 1, 04:38)
• Seller maintains full email access post-sale
• Points balance increasing daily (dormant account holder not actively travelling)
• Account availability maintained across engagement period

Cryptocurrency

• Address: bc1qyuc6cc9f8dzezwahxrfa99fklk4erdmaefux78
• Type: P2WPKH native SegWit
• Status: Unused on-chain as of 25 February 2026; zero transaction history
• No Arkham entity label

Key Intelligence Notes

Baadshah operates explicit account takeover infrastructure, not credential access alone. Buyer explicitly invited to change email before payment: "I permission you to change my email" (Call 2, 03:52). This transfers email control from seller to buyer, enabling permanent lockout of account holder and elimination of account recovery channels.

Follow-up behaviour indicates strong sales motivation and operational persistence. After initial deal appeared ready to close, Baadshah provided WhatsApp number in Call 2 (03:52-59). When deal failed to materialise, contacted undercover operative at 04:44 next morning and sent multiple follow-up messages and images. Complaint: "Brother if you not buy Alaska miles. Yesterday you said I buy in morning." Demonstrates operational dependency on sales velocity and high seller motivation to close.

Overview

Sourcing: In-House Credential Harvesting

Asad operates an in-house credential harvesting operation. Direct disclosure: malware sourcing confirmed (02 Mar 15:20:12). "No we take out from ourself" (02 Mar 15:23:10). Not purchasing credentials from third-party markets.

Business Model - Ticket Booker

Unlike credential-only sellers, Asad operates a ticket booking service. Business model: buyer provides identity, Asad books ticket in buyer's name using stolen Alaska Atmos credentials, buyer travels on fraudulently booked ticket under their own identity. Buyer directly implicated in fraud transaction. Passport data collected during booking: "We use only details for booking the ticket" (02 Mar 15:04:51).

Alaska-Specific Intelligence

Technical reasons stated:

• "Lacks two-factor authentication" (02 Mar 16:01-32)
• "Lacks booking alert notifications" (02 Mar 16:12:21)
• "Safer than American Airlines and Delta" for exploitation (02 Mar 15:58:31; using "safer" to mean safer for fraudster)
• Alaska assessed as "safer than other" airlines for exploitation (02 Mar 16:13:53)

Alaska Volume

Alaska: 50-60 bookings per week (02 Mar 17:54:58-55:55), substantially higher than American Airlines and Delta. Estimated annual Alaska revenue: $570,000-$870,000 (based on 50 bookings per week at $220-280 per ticket).

Confirmed Dormant Account Targeting

Corroborated: "my team use that kinds of accounts which third party is not active on account many times" (02 Mar 15:14:36). Consistent targeting methodology: dormant accounts selected to extend account viability and reduce detection risk.

Cryptocurrency Wallets

Blockchain analysis documented in Appendix E. 6-person team operating $2.31M Kraken cluster connected to Asad wallet addresses.

Key Intelligence Notes

Asad operates an industrialised credential theft and fraud booking service with 3-4 years of operational history, a 6-person team, in-house credential harvesting capability, and documented weekly volumes of 50-60 Alaska bookings. This represents the highest-volume Alaska exploitation identified in evidence base. Unlike credential-only sellers, Asad's ticket booking model creates direct transaction records linking buyer identity, stolen loyalty account, and booking confirmation, enabling forensic linkage of fraud events to specific buyers.

Overview

Pricing

Sourcing Method

Described as "Independent source" (22 Feb 04:09) but specific method not disclosed. Five-year stable sourcing relationship suggests either dedicated harvesting operation or long-standing access to infostealer logs. Not detailed further in conversation.

Alaska Security Contradiction

First seller to claim positive security posture. However, Akis continues to sell Alaska accounts with documented 85% booking success rate, contradicting the "99.2% block" claim. Continues to observe Alaska security changes operationally: "Alaska no longer allows booking 1-2 days in advance" (operational shift tracked by seller in real time). Speculation: either claimed protection less effective than marketed, sourcing predates stated protection implementation, or seller repeating Alaska marketing language without empirical validation.

Confirmed Victim Accounts

None observed (account not offered during engagement window).

Cryptocurrency Wallets

• ETH: 0x7f28267CcaC8e8d73D6965D24E2cA699993c0199
• Status: zero balance, zero transaction history
• No Arkham entity label
• Fresh address; no on-chain analysis possible until funded

• BTC: Not yet obtained
• USDT: Alternative mentioned, specific address pending

Payment Method

• PayPal: muu19770125@gmail.com (PRIMARY IDENTITY LEAD)

PayPal holds verified KYC: full legal name, address, banking details. This address represents a direct law enforcement investigation route.

Key Intelligence Notes

Akis claims 3,000 stolen accounts in inventory, substantially larger operation than other sellers contacted. Operating for 5 years with stable sourcing suggests established infrastructure. Market dismissal of fraud scale: "There are millions of accounts. A few thousand accounts is not a big deal. 70,000 people fly Alaska every day" (22 Feb 04:16). Unconcerned about detection. This statement corroborates thesis that true compromised account numbers far exceed the 425 documented victims.

Akis aware of Alaska's booking window restrictions and actively monitors Alaska's security changes. Tracking of operational constraints indicates systematic monitoring of target platform and rapid adaptation to security modifications.

Overview

Airlines Offered

United, Southwest, Qatar, American Airlines, Air India, Velocity, JetBlue, British Airways, Alaska, Air Canada, Turkish, Air France, Lufthansa, Delta

Sourcing Method: Spamming + Dark Web Data

Active spam campaign during engagement: "Spamming now / Will get results / Definitely" (12 Feb 15:18-19). Automated spam yield: "100% I must get when I spam" (12 Feb 17:22). Dormant account leads obtained from dark web data: "Leeds [leads] come up automatically / Dormant leads" (12 Feb 18:00). Credential stuffing from breach data consistent with dormant lead sourcing.

Tracking pixel/IP logger demonstrated live. Wikipedia logo image used as IP tracking pixel: "if you do [click it] I have access / To ur ip / And everything" (12 Feb, screenshot 00000190). Shows offensive technical capability beyond credential resale.

Pricing Model

Alaska positioned as lowest-cost product, not premium. Flat-rate structure: only $30 difference between 100k-200k Alaska accounts. Pricing consistent with volume-optimised commodity model.

Alaska-Specific Intelligence

Middle East airlines (Qatar, etc.) rated as "better" and "nonchalant" (easier to exploit). Alaska no 2FA confirmed: "if no one had access to your email they won't have access to your miles" / "alaska dont have two factor authentication" - "Yes" (13 Feb 14:47-48). Alaska used as volume product due to cost-effectiveness, not premium ease of exploitation.

Mid-February Disruption Event - Critical Operational Intelligence

Ernest documented operational incident at Alaska on or around 18 February 2026. Confirmed details:

• "I have had 2 drama / At the airport this past few days" (airport incident, likely victim dispute or law enforcement intervention)
• "Almost ruined my reputation in the group" (reputational damage across seller network)
• "Other people are complaining too" (group-wide operational impact)
• Speculation: "Maybe high profile person was compromised and he or she followed up the case hard"
• Dark web impact: "affect our profile on darkweb"

Disruption timeline: Issue detected ~18 Feb 2026, sellers paused Alaska sales. When operatives resumed engagement pressure (20 Feb), sellers reluctantly resumed: "We don spend money to sp Alaska again because it is bad market now" (12 Feb follow-up).

This is direct forensic evidence of a measurable disruption event at Alaska Airlines in mid-February 2026 that rippled across the fraud ecosystem, damaged seller reputations on dark web marketplaces, and caused temporary operational pause. Resume occurred only when buyer demand persisted.

Replacement/Refund Policy

No formal guarantee. When Alaska sales issues emerged, Ernest stopped selling rather than offering refunds. Reputation management focus only, implying sunk cost risk for buyers.

Cryptocurrency Wallets

• BTC: bc1qx4mcgcutswd0umlylxr8k9q7ht5fevls89f2lf (shared 12 Feb 15:20 in payment readiness)
• ETH: 0xA7964B5b406f439Dd527eAB89604e437E968D827 (shared 20 Feb)
• Monero: declined ("BTC or eth?")

Both wallets live and operating. Blockchain analysis documented in Appendix E.

Key Intelligence Notes

Ernest operates an industrialised dark web-connected seller network with shared infrastructure, group reputation management, and coordinated operational pausing. The mid-February 2026 disruption event directly links seller intelligence to Alaska's operational failures. Sellers' dark web community knowledge of "high profile" victim compromise suggests Alaska's handling of this case (whether victim service recovery, law enforcement engagement, or public disclosure) rippled across international fraud networks within hours.

Ernest's technical capability extends beyond credential resale to tracking pixel deployment and IP logging, indicating offensive hacking infrastructure alongside credential retail operations.

Overview

Pricing

Account Sourcing

Method not discussed. Terse communication style suggests lower operational sophistication than other sellers. Claims ability to guide buyer through booking process, implying repeat business valued or process complexity understood.

Cryptocurrency

• Address: 3EXXoGX9PSA5EuvisJWCSzGRiEQ7TR2uJz
• Type: P2SH-P2WPKH (Wrapped SegWit)
• Arkham Entity: Crypto.com (Centralised Exchange) - CLUSTER 5BCB
• Status: Fully swept (zero balance as of analysis date)
• Total Received: 0.00170916 BTC (~$162 at ~$95k per BTC)
• Transactions: 4 (2 inbound, 2 outbound sweeps)

CRITICAL LAW ENFORCEMENT ROUTE

This address is a Crypto.com generated deposit address. Crypto.com is KYC-regulated. Law enforcement subpoena would identify:

• Full legal name
• Date of birth
• Passport/ID documentation
• Email address
• Phone number
• IP address history
• Full transaction account history

This is the direct path to seller identity verification and criminal prosecution.

Transaction Pattern Analysis

Pattern consistent with standard exchange deposit address lifecycle: small deposits, rapid batch sweeps to aggregation wallets, no long-term holding.

Key Intelligence Notes

Eddie Dolla operates at lower operational sophistication than established sellers, based on terse communication, simple pricing strategy ($0.60/1k), and account verification refusal ("Cant send account if not paid"). Later provided BTC wallet, suggesting face-saving deflection rather than genuine walk-away. Most valuable intelligence is direct law enforcement investigation route via Crypto.com KYC, enabling rapid seller identification and potential prosecution.

Market Structure Summary

The stolen miles marketplace operates at two primary tiers, with a third specialist model:

Tier 1: Credentials Only

• Product: Login credentials without email access
• Price: $0.52-$0.70 per 1,000 miles
• Risk: Higher cancellation risk; account holder retains email recovery
• Seller examples: Robert Air Miles (budget option), Eddie Dolla
• Booking method: Buyer attempts direct login and booking
• Success rate: Variable; 85% claimed by Akis; no guarantee

Tier 2: Email + OTP Intercept

• Product: Login credentials + email account access (full OTP interception)
• Price: $2.00-$2.40 per 1,000 miles
• Risk: Lower detection risk; buyer controls OTP recovery and email change
• Seller examples: Robert Air Miles (premium tier), Baadshah Airlines, Akis Miles
• Booking method: Buyer changes email, intercepts OTP, maintains account control indefinitely
• Success rate: Higher; email control eliminates account recovery channels for account holder

Tier 3: Ticket Booking Service

• Product: Stolen credential used to book ticket in buyer's name; buyer travels on fraudulently booked ticket
• Price: $220-$280 per ticket (booking service fee embedded)
• Risk: Buyer directly implicated in fraud transaction; creates transaction record linking buyer identity to stolen account
• Seller examples: Asad Air Miles
• Volume: 50-60 Alaska bookings per week (single operator)
• Buyer role: Direct fraud participant, not plausible deniability

Aggregate Findings

Key Finding: Six independent sellers, operating across geographies (Pakistan, Hungary, Oman, unknowns), with operational histories from 1-5 years, all maintaining live inventory of stolen Alaska credentials, all reporting that Alaska is "the easiest" or "the cheapest" target, all documenting successful bookings, and all evidence of continued operation in February-March 2026. This is not a coincidence or isolated incident. This is industrialised, multi-national credential theft operating against Alaska's platform with unimpeded operational success.

The confirmed mid-February disruption event documents that Alaska's operational failures (detected by victims, escalated through law enforcement, or both) are visible in real-time to international seller networks and sufficient to temporarily disrupt operations. Disruption was overcome within 72 hours, demonstrating that Alaska's response mechanisms (whatever they were) insufficient to sustain seller pause.

Seller Location & Identity Leads

Where traceable identity indicators were recovered:

• Asad Air Miles: Pakistan-based, 6-person team, dark web presence
• Akis Miles: Hungary-based (+36 mobile), PayPal email muu19770125@gmail.com (KYC available)
• Ernest Air Miles: Oman passport holder, travels to UK, OneDrive-based data storage, operates dark web-connected group
• Eddie Dolla: Crypto.com deposit address (Cluster 5BCB) - direct KYC route to legal name, DOB, ID, phone, IP history, transaction history
• Robert Air Miles: Unknown location, solo or 1-person team, WhatsApp-only engagement
• Baadshah Airlines: Unknown location, solo operation (implied), Facebook Messenger primary

Three of 6 sellers have actionable law enforcement investigation routes (Akis PayPal, Ernest travel documentation, Eddie Dolla Crypto.com KYC).

Appendix G: Deferred Revenue Historical Comparison

Purpose

This appendix documents two related accounting anomalies. Part 1 presents the internal inconsistency between the MD&A loyalty programme disclosure and the balance sheet deferred revenue balance in the 2025 10-K, establishing that the gap corresponds to the Hawaiian Airlines acquired deferred revenue. Part 2 proves mathematically that the Q3 2025 decline in affinity card receivables did not produce cash but was instead reclassified to Other Non-Current Assets.

Historical Consistency (Pre-Acquisition)

The MD&A figure tracked the balance sheet total to within rounding for three consecutive pre-acquisition years.

Post-Acquisition Gap

The gap appeared for the first time in the year the Hawaiian acquisition closed and has persisted.

Hawaiian Airlines PPA Deferred Revenue

Cross-check: Balance Sheet Total DR ($3,433M) less MD&A stated value ($2,900M) = $533M. Variance to PPA total: $4M (attributable to MD&A rounding).

Programme Specific Versus Consolidated Deferred Revenue

The variance is most plausibly a scope issue. The MD&A figure appears to cover the legacy Alaska programme only, whilst the balance sheet reflects the consolidated entity including Hawaiian acquired deferred revenue. The arithmetic is consistent: $3,433M less $2,900M equals $533M, against Hawaiian's $537M acquired deferred revenue (variance attributable to MD&A rounding).

Resolving the arithmetic does not resolve the disclosure problem. By the 2025 10-K, Alaska describes the 2 programmes as merged. The 10-K, Note 1, states:

Using 2 different year end figures for what readers are told is effectively one combined programme, without a clean bridge explaining what the $2.9 billion includes and excludes, creates presentation ambiguity in a balance that KPMG itself identified as a Critical Audit Matter. The objection is not that the $537 million is missing. It is that an investor reading the MD&A and the auditor's report is given one figure, and an investor reading the balance sheet is given another, with no reconciliation provided.

Source data for all figures: 10-K filings FY 2021-2025 (Item 7, MD&A, Critical Accounting Estimates); 10-Q filings Q1-Q3 2025 (Note 2, Business Combinations); Balance Sheet deferred revenue (current + non-current).

Part 2: Evidence Consistent with Non-Cash Reclassification

This section presents evidence that the Q3 2025 decline in current affinity card receivables is more consistent with a non-cash reclassification to Other Non Current Assets than with a cash collection. The analysis reconstructs expected operating cash flows from balance sheet movements and compares them to the reported figure. The result is indicative, not conclusive, because the "Other - net" line in the cash flow statement aggregates numerous items not separately visible at the balance sheet line level.

Under the indirect method of cash flow reporting, the "Other - net" line in operating activities captures all working capital movements not separately disclosed. By reconstructing the expected cash flow from raw balance sheet movements and comparing it to the reported figure, the variance can be identified and its most likely destination assessed.

Q3 standalone figures are derived by subtracting Q2 6-month YTD from Q3 9-month YTD.

Source: Q2 2025 10-Q, Statement of Cash Flows, p.9; Q3 2025 10-Q, Statement of Cash Flows, p.10.

All figures in $M. Balance sheet data from Q2 2025 10-Q (Jun 30) and Q3 2025 10-Q (Sep 30).

Liabilities (increases generate cash)

Assets (decreases generate cash)

Liabilities (decreases consume cash)

Assets (increases consume cash)

Net operating leases

Total expected cash from working capital: +$166M

The $27 million variance is attributable to minor items not separately visible at the balance sheet line level: deferred tax timing through the income statement, finance lease movements, and immaterial rounding.

Standard working capital movements should have generated approximately $166 million of cash through the "Other - net" line in Q3 2025. Alaska reported $19 million. The $147 million variance is consistent in magnitude with the $120 million increase in Other Non Current Assets, with the $27 million residual attributable to minor items not separately visible at the balance sheet line level.

This does not prove that the reclassification was improper. A reclassification from a current receivable to a non current asset is a non-cash event that can reflect a long dated receivable, a contract asset, modified settlement terms, or some other non current claim. The point is that Alaska's filings do not identify which explanation applies. Each carries a different disclosure signature under U.S. GAAP, and investors cannot assess the nature of the movement from the information provided.

Appendix H: Stolen Miles Pricing and Market Structure

Purpose

This appendix documents the pricing architecture, market segmentation, and revenue flows of the stolen Alaska Airlines miles marketplace. The evidence demonstrates a mature, segmented market with stable pricing, multiple seller tiers, repeat customers, and sophisticated infrastructure. This is not opportunistic fraud. It is an organised commercial enterprise.

Tier 1: Credentials Only (Limited Seller)

Product: Username and password. Victim's email account remains under victim's control.

Tier 1 characteristics:

• No email access. Victim receives notification of login and can reset password.
• Victim retains ability to recover account if compromise is noticed quickly.
• Detection risk: High (victim's email alerts them to unauthorised access).
• Booking success rate: ~85% (subset of bookings cancelled by fraud detection or victim intervention).
• Buyer risk: Moderate (window of opportunity narrow).
• Seller price: $0.48-0.81 per 1,000 miles. Median: $0.60.

Tier 2: Full Takeover (Standard Seller)

Product: Username, password, and email account access (or OTP interception capability).

Tier 2 characteristics:

• Email account access via infostealer dumps (malware-harvested credentials) or phishing.
• Victim locked out of account. Email change prevents password recovery.
• Detection risk: Low (victim cannot recover account without contacting Alaska).
• Booking success rate: ~95% (once email is controlled, victim has no recovery path).
• Seller price: $2.00-2.40 per 1,000 miles. Median: $2.20.
• Multiplier: Tier 2 pricing is approximately 3.7x Tier 1 (for identical airline, identical volume).

Tier 3: Booking as a Service (Full Control Seller)

Product: Seller manages entire booking lifecycle. Buyer provides passport details and travel preferences. Seller books flight using stolen Alaska account. Buyer boards using own passport; Alaska never sees buyer's identity.

Tier 3 characteristics:

• Seller owns end-to-end redemption. Buyer has no contact with Alaska.
• Booking flight is verified before final payment (screenshot of confirmation screen).
• Buyer provides only passport number and travel dates; no account access required.
• Detection risk: Lowest (the booked passenger name has no connection to the stolen account holder; flagging requires coordinated customs/CBP action).
• Booking success rate: Unknown from seller data; likely 85-95% (cancellation would be noticed post-booking).
• Seller revenue: $110-280 per transaction. At average 218,262 miles per transaction: $110-280 ÷ (218,262 miles ÷ 1,000) = $0.50-1.29 per 1,000 miles direct seller revenue, not including cost of credential acquisition.

Cross-Airline Pricing Comparison

The pricing data demonstrates that stolen miles markets assign prices based on two factors: (i) platform security; and (ii) programme cash value.

Key observations:

1. Alaska is the cheapest: Tier 1 stolen miles at $0.52-0.69 per 1,000 miles represents the lowest price point across the major US carriers.
2. Security pricing premium: United (strongest security) commands 30%+ premium over Alaska. Delta commands 20% premium. The market has priced the authentication gap.
3. Alaska-American parity: American Airlines and Alaska command identical pricing, suggesting comparable vulnerability. Both lack mandatory MFA and session persistence controls as of March 2026.
4. Retail-to-stolen ratio stability: Stolen Tier 1 miles trade at approximately 2% of retail buy-miles price. Tier 2 trades at approximately 7-9%. This ratio is remarkably consistent across carriers, suggesting efficient price discovery.

Seller-by-Seller Pricing and Operating Model

The following table summarises observed pricing across the six identified sellers:

Margin Analysis and Profitability

Asad's observed economics (full-service booking model):

• Weekly bookings: 50-60 per Asad's disclosure.
• Average miles per booking: 218,262 (from Workbook B).
• Tier 3 booking price: $110-280, mean $195.
• Weekly revenue: 55 bookings × $195 = $10,725 per week.
• Annualised: $558,700.

Cost structure for Asad's model:

• Credential acquisition: $0 direct cost (in-house credential harvesting; breach databases acquired at wholesale; Asad's team operates the sourcing).
• Infrastructure (WhatsApp, encryption, VPN): ~$50-100 per month = $1,200 per year.
• Payment processing (Bitcoin), chargeback/reversal risk: ~2-3% of revenue = $11,000-16,700 per year.

Estimated gross margin: ~90-95%.

Baadshah's implied economics (Tier 1/Tier 2 credential seller):

The investigation identified one completed transaction: Baadshah sold Alaska miles for $140 at $0.81/1k. Unprompted, Baadshah stated:

If this figure is accurate for a $140 transaction ($140 × 0.92 = $128.80 gross profit), the cost of goods is approximately $11.20. At Tier 1 pricing ($0.81/1k), this implies ~13,827 miles cost $11.20, or $0.00081 per mile acquired in bulk. This is wholesale credential/account pricing.

Merchant bank discount would account for the remaining 8% margin loss ($11.20).

Revenue by Seller and Aggregated Market Size

Conservative market estimation:

1. Asad (full-service, highest visibility): 55 bookings/week × 52 weeks = 2,860 bookings per year.
2. Other five sellers (credential-based): Less disclosure on volume. Baadshah's observed transactions suggest 2-5 per week per seller = 12-25 per week aggregate = 624-1,300 per year aggregate.
3. Implied weekly volume: 55 + (12-25) = 67-80 bookings plus credential sales.

Annualised credential transaction volumes:

• Asad's team: 2,860 bookings.
• Other credential sellers (Tier 1, Tier 2): Estimate 1,000-2,000 credentials per year (conservative; actual likely higher).

Total Alaska miles extracted (conservative):

• Asad's bookings alone: 2,860 × 218,262 miles = 624,229,320 miles per year.
• This single seller would account for ~2.3% of Alaska's total outstanding miles balance ($12B valuation ÷ $12.5k per million miles ~ 960 million miles in-flight; Asad's 621M is implausibly high, suggesting either (a) repeat victimisation of individual accounts, or (b) higher booking volume than disclosed).

Revenue estimate (conservative):

• Asad: $558,700 per year.
• Five other sellers (credential sales, Tier 1/Tier 2): $100,000-250,000 per year each = $500,000-1,250,000 aggregate.
• Total seller revenue (six identified sellers): $1,058,700-1,808,700 per year.

Extrapolation factor: This investigation identified only 6 sellers through undercover engagement. The actual seller population is unknown but likely significantly larger (dozens to hundreds globally). Reddit and Facebook Marketplace posting suggest dozens of active sellers. If the 6 identified sellers represent 10% of the total active population, market revenue would be $10.5-18 million per year. If 5%, then $21-36 million per year.

Market Structure: Organised but Decentralised

The following observations indicate a mature, organised market despite geographic decentralisation:

Pricing consistency: Tier 1 prices are stable at $0.52-0.81 per 1,000 miles across independent sellers with no visible coordination.

Inventory management: Multiple sellers (Robert, Baadshah) hold standing inventory of 100+ accounts. Fresh inventory is sourced on demand within minutes (Baadshah sourced 454,000 Marriott miles within 10 minutes of request).

Infrastructure maturity: All sellers use encrypted messaging (WhatsApp), cryptocurrency payments, and operational security (VPNs, proxies). Two sellers demonstrated awareness of blockchain traceability and used layering/mixing services.

Customer repeatability: Baadshah explicitly references "each Alaska thing I sell," implying multiple sales. Ernest provided historical transaction data spanning months. The market shows repeat customers and repeat sellers.

Cross-airline operations: Four of 6 sellers operate across multiple airlines (Ernest: 14 airlines + 3 hotel chains). This suggests shared credential sourcing infrastructure and a wholesale market for breached accounts.

Quality differentiation: Sellers offer tiered products (Tier 1, Tier 2, Tier 3), each priced according to risk/effort/success rate. This is not undifferentiated product. It is market segmentation.

Comparison to Legal Precedents

The structure mirrors organised cybercrime markets documented in law enforcement and academic literature:

Key Conclusion: Not Accidental; Not Opportunistic

The following facts establish that the marketplace is organised and of material scale:

1. Pricing is stable, not speculative. All 6 sellers price Tier 1 credentials at nearly identical rates ($0.52-0.81). This is not accidental convergence; it reflects price discovery in a functioning market.
2. Supply is reliable and renewable. Sellers claim standing inventory (Robert: 1 million miles; Akis: 3,000 accounts). Fresh inventory sources within minutes (Baadshah sourced 454,000 Marriott miles within 10 minutes). This indicates a wholesale market upstream.
3. Profit margins are extraordinary. Estimated 90%+ margins on credential sales, and 85-95% booking success rates, imply a high-confidence, repeatable business model. No rational actor would invest in infrastructure for occasional, unprofitable incidents.
4. Customer relationships are managed. Sellers reference "each Alaska thing I sell" (Baadshah). Ernest disclosed historical transaction data spanning months. This indicates customer retention and repeat purchasing.
5. Geographic diversity and currency flow. Sellers in Pakistan (Asad), Hungary (Akis), Oman-passport holders (Ernest), and unknown locations trade on Facebook Marketplace, WhatsApp, and Bitcoin. The infrastructure is globally coordinated but locally operated.

This is not a security problem that can be fixed with marketing reassurance or incremental patches. It is an industrial-scale criminal market that has priced Alaska's authentication failure and chosen Alaska as a preferred target because it is the easiest large-scale programme to exploit.

Appendix I: The Houston Inbound Case

Key Facts

Screenshot 1: Victim's Initial Report

The victim posted to the Facebook group "Award Travel by Roame" on 12 July 2025, showing the fraudulent booking details and asking how to report the fraud or have the person arrested.

Houston case screenshot 1

Source: Facebook, Award Travel by Roame group. Archive: archive.ph/IVxmB

Screenshot 2: Customer Service Response and Booking Record

The victim's update shows Alaska Airlines customer service mentioning the compromise may be linked to a recent data transfer issue, suggesting awareness of a broader security problem.

Houston case screenshot 2

Screenshot 3: Booking Record

The victim shares the name of the fraudulent traveller.

Houston case screenshot 3

Screenshot 4: The Victim Shares Alaska Airlines Response

Houston case screenshot 4

Exchange:

Outcome: The fraudulent passenger entered the United States on a ticket procured through organised crime. No law enforcement coordination occurred despite hours of advance notice, a known US port of entry, and a named passenger.

What This Case Demonstrates

1. Alaska Airlines had advance notice of fraudulent international travel to the United States.
2. The victim explicitly requested law enforcement involvement.
3. Alaska possessed the fraudulent passenger's name and booking details.
4. Multiple hours remained before the passenger would clear US Customs at Houston.
5. Alaska declined to coordinate with CBP or any law enforcement agency.
6. The customer service representative indicated awareness of a broader security issue affecting multiple accounts.
7. The fraudulent passenger entered the United States without interdiction.

SourcesKey Source References

SEC Filings

Management Statements and Investor Materials

Victim Documentation

Technical Documentation

Law Enforcement and Regulatory

Cryptocurrency Compliance

Media Coverage

Primary Evidence (Appendices and Workbooks)

Disclaimer