15 October 2024

Telekopye scam network expands to target tourists via hotel booking scam



An online scam network has expanded its operations to target users of popular accommodation booking platforms like Booking.com and Airbnb. According to recent findings from ESET researchers, the cybercriminals are utilizing a sophisticated Telegram-based toolkit known as Telekopye to defraud unsuspecting users.

Telekopye, which has been operational since 2016, is used by organized scam groups to facilitate large-scale fraud. The toolkit, accessible via a Telegram bot, helps scammers create phishing pages and other malicious content. While the tool was originally designed to target buyers and sellers on platforms like OLX, Vinted, and eBay, the scope of attacks has broadened throughout 2024 to include users booking hotel and apartment reservations online.

The new scam scheme involves fraudsters contacting users who have recently made reservations and tricking them into believing there is an issue with their payment. Victims receive a message through in-platform communication channels, complete with a link to a malicious webpage that mimics the booking platform.

The web pages appear authentic as they contain prefilled information from the victim's actual bookings, including check-in/check-out dates, pricing, and the accommodation’s location. This information is likely obtained through compromised accounts of legitimate hotels and accommodation providers, which scammers access using stolen credentials purchased on cybercriminal forums.

Telekopye operates as a well-organized business, according to ESET. Scam groups using the tool often consist of thousands of members, structured hierarchically with clear roles and responsibilities. The scammers (referred to as “Neanderthals” by ESET researchers) need little technical expertise, as Telekopye’s bot automates the entire process of generating phishing content and harvesting sensitive data from victims, who are referred to as “Mammoths.”

According to ESET, Telekopye scam groups keep records of all transactions, and the stolen sensitive information, including payment card details, is handed over to higher-ranking members of the organization, who are responsible for managing the funds.

ESET’s telemetry shows that the surge in the scams began in mid-2024, with a sharp increase in July. The researchers said that clues point to Russia as the country of origin of the bot’s author(s) and also the scammers using it.

Last year, Czech and Ukrainian law enforcement authorities arrested tens of cybercriminals using Telekopye, including the key players. The police operations targeted an unspecified number of Telekopye groups, which had accumulated at least €5 million (approximately $5.5 million) since 2021.

