Sekoia, a cyber threat detection and response specialist, has released details on a widespread and ongoing cybercrime operation that first targets hotels and then directly goes after their guests.
Researchers began investigating after a partner reported a phishing campaign hitting hospitality customers. They named the report “I Paid Twice” after an email subject line from a victim tricked into paying for their reservation twice, once to the hotel and again to the criminal.
The company believes the scammers are highly organised. To begin, they acquire unlisted contact details of hotel managers, usually by searching websites or buying email lists on forums like the Russian language one called LolzTeam. These administrator databases can cost as little as “tens of dollars” for bulk sale…
Sekoia, a cyber threat detection and response specialist, has released details on a widespread and ongoing cybercrime operation that first targets hotels and then directly goes after their guests.
Researchers began investigating after a partner reported a phishing campaign hitting hospitality customers. They named the report “I Paid Twice” after an email subject line from a victim tricked into paying for their reservation twice, once to the hotel and again to the criminal.
The company believes the scammers are highly organised. To begin, they acquire unlisted contact details of hotel managers, usually by searching websites or buying email lists on forums like the Russian language one called LolzTeam. These administrator databases can cost as little as “tens of dollars” for bulk sales, researchers noted.
How the Attack Begins at the Hotel
Active since April 2025 and still running in early October 2025, the scheme starts with an attack on hotel systems. Staff receive tricky emails appearing to be customer requests, sometimes using the Booking.com logo. These emails are sent to a hotel’s reservation or administration email.
The email contains a link that uses a tactic called ClickFix to install malware, specifically PureRAT (aka PureHVNC and ResolverRAT), which is sold as a service by its developer, PureCoder. This malware can steal professional login details for booking platforms like Booking.com.
PureRAT gives criminals full remote control, allowing them to steal professional login details. Sometimes the malware is also delivered automatically via drive-by downloads using malicious online ads or search engine tricks to get hotel staff onto infected websites accidentally. Once compromised, this stolen hotel account access is often sold online.
Targeting the Travellers
With access to a genuine Booking.com account, the fraudsters use guests’ personal and reservation details to make their next step incredibly convincing. Customers are contacted via WhatsApp or email and told there’s a security problem with their payment. It is important to note here that the attackers claim this is a procedure put in place by Booking.com to stop cancellations, lending it false credibility.
The guest is then sent to a fake website to steal their bank details. Sekoia researchers assessed that this scheme must be very profitable, as they tracked “hundreds of malicious domains active for several months as of October 2025.”
WhatsApp Phishing Message and the Use of the ClickFix technique (Source: Sekoia)
In addition to Booking.com, the research firm found that the scammers are also impersonating other booking sites, such as Expedia. This shows how widely they are targeting people in the travel and hospitality industry.
Cybercrime, as we know it, has become a highly organised business, and this particular fraud model, which targets both businesses and their customers, continues to be successful for the people running it.