Spain’s National Police have broken up a sophisticated cyber fraud operation following the arrest of a 20-year-old hacker from Tenerife who was able to reserve luxury hotel suites across the country for just one cent.
The suspect, identified as Carlos, was detained on 6 February at the Mandarin Oriental Ritz in Madrid. The case was uncovered after an online travel agency flagged a string of irregular transactions that ultimately resulted in losses exceeding €20,000. The findings prompted the Central Cybercrimes Unit to open an investigation dubbed Operation Drago.
According to police investigators, the suspect exploited a technical vulnerability during the online payment process. Authorities explained that he interfered with the checkout stage, altering HTML or API data just before payment confirmation via PayPal, replacing four-figure room prices with a nominal charge of €0.01.
This manipulation allowed the booking system to generate a ‘Paid in Full’ confirmation for hotels, despite only a negligible amount being transferred. Police added that around €7,000 of the total losses were linked to non-refundable flights, which travel agencies had already paid for to fly the suspect to destinations including Dubai and Madrid.
Despite the technical complexity of the scheme, officers say the hacker made several basic mistakes. Carlos used his real name to book his stay at the Ritz and regularly posted images on Instagram highlighting an apparently lavish lifestyle.
‘He was staying in a suite costing over €1,000 per night and had nearly emptied the minibar at the time of his arrest,’ police reported.
Officers apprehended him at the hotel reception desk on 6 February. While he was wearing casual sportswear, investigators say his online activity and digital trail made it easy to locate him.
Police confirmed the arrest was not his first encounter with law enforcement. Carlos, who lives in San Cristóbal de la Laguna, had previously been detained in the Canary Islands for using the same price-alteration method to obtain high-end computer equipment and accommodation at exclusive local resorts.
Although a judge has granted provisional release, the case remains under investigation. Authorities are now reviewing luxury hotel records nationwide to establish whether other five-star hotels were targeted as part of the scheme uncovered under Operation Drago.
Subscribe to the Weekly Newsletter from Spain in English.
🏨 Detenido por ciberatacar una pasarela de pago con la que conseguía reservas en #hoteles de lujo a un céntimo
— Policía Nacional (@policia) February 18, 2026
🚨Fue localizado mientras estaba alojado en un lujoso hotel de #Madrid al que había provocando un perjuicio de más de 20.000 euros
🚩Mediante este modus operandi… pic.twitter.com/uwdj8edWsN
Please support us with a donation.
Click here to get your business activity or services listed on our DIRECTORY.