Lorraine Williamson
The one-cent hotel scam sounds like a bad internet joke, but Spanish police say it was real enough to land a 20-year-old in custody after a string of luxury hotel bookings were allegedly confirmed for €0.01.
According to reports citing the Policía Nacional, the suspect is accused of manipulating the online payment validation process used by a travel and luxury accommodation booking website, making the system authorise reservations at a token price instead of the real cost.
Arrested while staying in a luxury Madrid hotel
The arrest took place in Madrid after a travel agency reported “multiple irregular reservations” made through its platform, according to Europa Press. The suspect was detained just days after police received the complaint, while he was staying in a high-end hotel in the capital.
Cadena SER identifies the venue as the Hotel Ritz and says the suspect had been staying in a suite for several days, allegedly paying a cent per night while consuming additional paid services.
Police sources quoted by Spanish media describe a targeted cyber-attack designed to interfere with how a recognised international payment platform validated transactions, so the booking appeared correctly authorised on the merchant side even though only €0.01 was entered.
In plain terms, investigators believe the weakness wasn’t a “discount code” or a simple glitch. It was allegedly a deliberate attempt to bend the payment confirmation step — the part of an online purchase that tells a hotel, “this has been paid”.
The scale: at least €20,000 — and potentially more
Police estimate the losses at more than €20,000, with some reports suggesting the activity may have involved more than one hotel. The investigation remains open.
Why this matters for travellers too
Most people will never try to game a booking platform, but cases like this highlight a wider issue: travellers and hotels now rely on invisible digital “handshakes” between booking sites and payment services. When those links are attacked, the damage can land on small businesses, staff and legitimate guests as well as the platforms themselves.
For consumers, the practical takeaway is simple. If a deal looks impossible, it usually is — and a booking that “goes through” can still be cancelled or investigated if payment validation is later shown to be fraudulent.