A Hacker Sent a Phishing Link to the Wrong Guy — And Lost Everything
January 19th, 2026
When an Israeli cybersecurity team got targeted by a Booking.com scam, they didn't just avoid it. They dismantled the entire operation.
It started like any other phishing attempt.
Lidor Levi, head of an offensive cybersecurity team at CyberWall Global in Israel, had booked a hotel in the United States through Booking.com a few months earlier. A few days ago, he received a WhatsApp message that appeared to be from Booking and the hotel itself.
The message looked legitimate. It included his full name, exact booking dates, confirmation number, and the price he'd paid. It asked him to "re-verify" his credit card details within 24 hours — or his reservation would be canceled.
"Someone outside the industry could have easily fallen for it. Everything looked exactly like Booking."
But Levi isn't outside the industry. He investigates cyberattacks for a living. And instead of panicking, he started digging.
The Investigation Begins
Levi clicked the link — carefully. The fake website was nearly flawless: Booking's logo, an identical interface, and his personal details already populated in the form.
His first move was basic but critical: check the domain registration. The site had been registered in 2025 with no connection to Booking.com. He also contacted the real hotel and Booking directly. Both confirmed they hadn't sent the message and don't operate that way with customers.
"I realized this was something bigger," Levi said.
He brought in two colleagues from his team — Niv Kochen and Adam Kahlon — and they began analyzing the phishing site using the same offensive tools they use professionally to test organizations' security defenses.
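The domain check Levi started with (a recently registered site with no connection to Booking.com) can be scripted for triage. The sketch below is an added example, not code from the article or from CyberWall; the lookalike hostname, the WHOIS excerpt, and the function names are constructed for illustration, and the official-domain list is an assumption the defender maintains.

```python
from datetime import date, datetime
from urllib.parse import urlsplit

# Assumption: registrable domains the brand really uses, kept by the defender.
OFFICIAL = {"booking.com"}
BRAND_TOKENS = ("booking",)

# Constructed WHOIS excerpt for a made-up lookalike domain (not from the article).
SAMPLE_WHOIS = """\
Domain Name: BOOKING-REVERIFY.EXAMPLE
Creation Date: 2025-11-02T09:14:00Z
Registrar: Example Registrar LLC
"""

def creation_date(whois_text):
    """Return the registration date found in a WHOIS record, or None."""
    for line in whois_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() in ("creation date", "created", "registered on"):
            return datetime.strptime(value.strip()[:10], "%Y-%m-%d").date()
    return None

def is_official(host):
    """True only if host is an official domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL)

def triage(url, whois_text, today, min_age_days=365):
    """Return the reasons a link should not be trusted (empty list = no flags)."""
    host = (urlsplit(url).hostname or "").lower()
    reasons = []
    if is_official(host):
        return reasons
    reasons.append("host is not under an official domain")
    # Catches the brand used as a label, e.g. booking.com.<other-domain>
    if any(token in host for token in BRAND_TOKENS):
        reasons.append("brand name appears in an unrelated domain")
    created = creation_date(whois_text)
    if created is None:
        reasons.append("no registration date in WHOIS")
    elif (today - created).days < min_age_days:
        reasons.append("domain registered less than %d days ago" % min_age_days)
    return reasons

if __name__ == "__main__":
    link = "https://booking.com.booking-reverify.example/confirm?ref=SAMPLE"
    for reason in triage(link, SAMPLE_WHOIS, date(2026, 1, 19)):
        print("FLAG:", reason)
```

A link that raises any of these flags should be verified with the hotel or the platform through a channel the recipient looks up independently, as Levi did.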
Inside the Attacker's Server
The team found a chat feature on the fake site that looked like customer support. In reality, it was a simple chatbot that forwarded every piece of information directly to the attacker.
They also discovered a Cross-Site Scripting (XSS) vulnerability — a well-known security flaw that allows attackers to inject malicious code and steal user data.
But the real breakthrough came when they found an unsecured file upload mechanism. The attacker had used it but hadn't locked it down properly.
Using this weakness, the team uploaded a PHP webshell — a tool that lets you run commands on a server remotely. From there, they established a reverse shell connection, giving them deep access to the attacker's infrastructure.
"At that point, we weren't on the defensive anymore. We were inside his system."
Three Years of Stolen Data
What they found was disturbing.
The server contained organized folders for different brands: Booking, banks from around the world, hotel chains, and hundreds of other companies. Inside were open databases filled with names, email addresses, credit card numbers, and booking details.
They also found messages from victims — people who had realized they'd been scammed and were desperately pleading for their money back.
"That was the hardest part. We weren't affected, but so many others were."
Based on their analysis, the attacker had been running this operation for more than three years, likely collecting tens of thousands of dollars — possibly more. Evidence suggested the scammer was operating from India.
Taking It All Down
The team made a decision that went beyond self-defense.
"We told ourselves: if we already have access, and people are getting hurt, we can't just walk away."
They deleted all three databases containing stolen information. They disabled the file upload mechanism, shut down the phishing infrastructure, and took the entire operation offline.
"We destroyed three years of his work," Levi said. "We gave him a taste of his own medicine."
The work took an entire night. By the time they finished, the system was completely neutralized.
Booking's Response
The team documented everything and contacted Booking.com. According to Levi, the company was shocked by the findings. They confirmed that the hotel's database had indeed been breached — which explained how the attacker had access to real booking details.
The investigation revealed hundreds of phishing URLs with unique tracking codes for each victim, allowing the scammer to monitor everyone who fell for the trap.
The Lesson
Don't click links you don't recognize. And if anyone asks for your credit card details, always verify directly with the official source — by phone, not through links they send you.
This story is a reminder that in the world of cybersecurity, one phishing attempt sent to the wrong person can bring down years of criminal activity overnight.
This story was originally reported by Yochai Shwieger for Israel Hayom on January 16, 2026.
Original article (in Hebrew): israelhayom.co.il