“I Paid Twice” Scam Targets Hotels and Guests in Sophisticated Global Cybercrime Operation

Deepanker Verma November 8, 2025 Security


A new cybercrime campaign is sweeping through the global hospitality sector. The campaign first targets hotels and then turns on their guests. Cybersecurity firm Sekoia has revealed alarming details about this ongoing operation, which has been active since April 2025 and continues to expand.

The campaign is called “I Paid Twice”, named after the subject line of a victim’s email describing their experience: paying once to the hotel and once to the scammers. According to Sekoia’s research, the attackers are well-organised and are operating at a professional scale.

The attack begins with a phishing email sent to hotel staff. These emails often mimic legitimate communications from platforms like Booking.com, which makes them difficult to detect. The email contains a malicious link that uses a technique known as ClickFix to install malware called PureRAT, also known as PureHVNC or ResolverRAT.

PureRAT is sold as a service and allows attackers to gain full remote access to infected systems. Once installed, it can steal login credentials for booking platforms. This gives criminals direct access to hotel reservation systems.

Researchers found that the scammers often buy or scrape unlisted hotel contact details from dark web forums such as LolzTeam, where email databases of administrators sell for just a few dollars. Once they compromise a hotel account, they can either sell the access or use it to target hotel guests directly.

With stolen Booking.com or Expedia credentials, the attackers impersonate hotel staff and reach out to actual guests. Victims are contacted through WhatsApp or email, informed of a supposed “payment security issue,” and asked to verify their booking on a fake website.

The phishing page closely resembles official booking sites and tricks guests into entering their bank or credit card details. The report also says that hundreds of these fake domains have been operating for several months.

This campaign uses social engineering, malware-as-a-service, and stolen credentials to exploit both businesses and consumers in one chain of attacks. It is a reminder that cybercriminals continue to evolve their methods, so we all have to take extra precautions. Travellers are advised to never make payments through links sent via messaging apps or emails. Instead, they should confirm all transactions directly through official booking platforms or hotel websites.
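The advice to confirm payments only on official booking platforms can be expressed as a link check for messages that claim a “payment security issue”. The Python below is an added example, not code from Sekoia's report or from this article; the domain list, function names and sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Platforms named in the article; the exact domain list is an assumption.
OFFICIAL_DOMAINS = ("booking.com", "expedia.com")
BRANDS = tuple(d.split(".")[0] for d in OFFICIAL_DOMAINS)
# Common digit-for-letter swaps, folded back before the brand search.
FOLD = str.maketrans("0135", "oles")


def classify_link(url: str) -> str:
    """Return 'official', 'suspicious' or 'unrelated' for one message link."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".").lower()
    # Official: the host is an official domain or a real subdomain of one,
    # reached over HTTPS. urlsplit keeps text before '@' out of .hostname,
    # so https://booking.com@other.example/ is judged on other.example.
    if parts.scheme == "https" and any(
        host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS
    ):
        return "official"
    # Not official, yet a brand name appears somewhere in the URL (host label,
    # userinfo, path), possibly with digit swaps or hyphens: flag it.
    folded = url.lower().translate(FOLD).replace("-", "")
    if any(brand in folded for brand in BRANDS):
        return "suspicious"
    # 'unrelated' only means no brand impersonation was seen, not that it is safe.
    return "unrelated"


def triage(urls):
    """Map each URL to its verdict, preserving input order."""
    return {u: classify_link(u) for u in urls}


# Constructed sample links (reserved .example names, not real indicators).
SAMPLES = [
    "https://secure.booking.com/myreservations",
    "https://booking.com.guest-verify.example/pay",
    "https://booking.com@pay-portal.example/confirm",
    "https://b00king-confirm.example/id/4821",
    "http://www.expedia.com/trips",  # plain HTTP is not accepted as official
    "https://hotel-riverside.example/contact",
]

if __name__ == "__main__":
    for url, verdict in triage(SAMPLES).items():
        print(f"{verdict:10} {url}")
```

A front desk or support team could run this over links quoted in guest complaints to separate genuine platform URLs from pages that merely carry the brand name.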


About the Author: Deepanker Verma

Deepanker Verma is a well-known technology blogger and gadget reviewer based in India. He has been writing about Tech for over a decade.
