Madrid, Spain — Spanish law enforcement has detained a 20-year-old man suspected of carrying out a sophisticated cyberattack on an online hotel booking system, allowing him to reserve rooms at luxury hotels across Madrid for as little as €0.01 per night.
The Policía Nacional announced on Wednesday that the arrest followed a technical investigation into a series of irregular reservations detected on February 2 by a travel booking agency. Investigators quickly realized that while reservations appeared to be fully paid on the surface, the actual payments processed through the system were for just one cent, far below the true cost of the luxury stays.
Authorities say the suspect exploited a flaw in the payment gateway of a well-known travel website. By launching a tailored cyberattack during the approval process, he was able to manipulate the system’s validation of transactions so that it would log the booking as paid in full, despite only transferring a tiny fraction of the actual amount.
“The cybercriminal manipulated the payment system so that it authorized operations after entering only €0.01,” police explained, noting that this is the first time such a modus operandi has been detected by Spanish authorities.
Hundreds in Losses and Hotel Stays Without Paying
In total, the fraud is believed to have caused losses of more than €20,000 to the affected travel company and hotels. Investigators identified the suspect within four days and tracked him to a luxury hotel in central Madrid, where he was found staying with a four-night reservation valued at roughly €4,000 — again recorded as just €0.01 on the booking system.
During his stays, the man also consumed items from minibars and other services without settling those bills, according to authorities.
Charges and Ongoing Investigation
The 20-year-old has been handed over to the judicial authorities on suspicion of computer fraud and estafa informática (digital fraud). The case remains open, and police have not ruled out additional charges as the investigation continues.
Security experts say this incident highlights emerging threats in online payment systems and the need for improved safeguards in digital reservation platforms — particularly those serving high-value tourism sectors.
