Global Hotel Guests Targeted in New Cybercrime Campaign “I Paid Twice”

A new cybercrime campaign is spreading rapidly across the global hospitality industry, targeting both hotels and their guests. Cybersecurity firm Sekoia has uncovered details about the operation, which began in April 2025 and is still active.

The campaign, called “I Paid Twice,” gets its name from a victim’s email describing their experience—paying once to the hotel and again to the scammers. Researchers say the attackers are highly organised and operate on a professional scale.

The attack starts with a phishing email sent to hotel employees. These emails are carefully crafted to look like legitimate messages from popular booking platforms such as Booking.com or Expedia, making them difficult to spot. When a staff member clicks the malicious link in the email, it uses a technique called ClickFix to install malware known as PureRAT (also called PureHVNC or ResolverRAT).

PureRAT gives hackers full remote access to the infected system. It can steal login credentials for booking and reservation platforms, allowing criminals to take control of hotel accounts.

According to Sekoia, attackers often buy or collect hotel contact information from dark web forums like LolzTeam, where administrator email databases are sold for just a few dollars. Once hackers compromise a hotel’s account, they either sell the access to others or use it to target hotel guests directly.

Using stolen booking credentials, the scammers pose as hotel representatives and contact guests via email or WhatsApp, claiming there is a payment issue with their reservation. Victims are then asked to verify their booking on a fake website designed to look identical to the real one. Once guests enter their bank or credit card details, the information is stolen.

Researchers have discovered hundreds of fake booking domains that have been active for several months, used to deceive unsuspecting travellers.

This campaign combines social engineering, malware-as-a-service, and stolen credentials to exploit both businesses and customers.

Experts warn travellers never to make payments through links sent via messaging apps or emails. Instead, all transactions should be completed only through official booking platforms or hotel websites to stay safe from such scams.