How a Tenerife hacker stayed at the Ritz Madrid for €0.01: Operation Drago arrest details

The Spanish National Police have dismantled a high-tech fraud scheme after arresting a 20-year-old hacker from Tenerife who managed to book luxury hotel suites across Spain for just one cent.

The suspect, identified as Carlos, was apprehended at the Mandarin Oriental Ritz in Madrid on February 6. Investigators from the Central Cybercrimes Unit launched Operation Drago after an online travel agency reported a series of suspicious financial discrepancies totaling over €20,000 in losses.

The hacker utilised a sophisticated technical bypass during the checkout process. According to police sources:

•Payment Manipulation: Before finalising a booking via PayPal, the suspect would modify the HTML or API data to overwrite the four-figure room rate with a minimum value of €0.01.

•Validation Bypass: The hack tricked the booking platform into issuing a "Paid in Full" confirmation to the hotel, even though only a fraction of a cent had been processed.

•Flight Fraud: Of the €20,000 lost, approximately €7,000 involved non-refundable flight costs already paid by agencies to transport the suspect to destinations like Dubai and Madrid.

Despite his digital skills, the suspect's downfall came from basic operational security errors. Carlos used his real identity for the Ritz reservation and frequently updated his Instagram with photos showcasing his high-end lifestyle.

"He was staying in a suite costing over €1,000 per night and had nearly emptied the minibar at the time of his arrest," police reported.

Officers intercepted him at the hotel reception on February 6. Although he was dressed in a simple tracksuit, his digital footprint led authorities straight to his door.

This was not the suspect's first brush with the law. A resident of San Cristóbal de la Laguna, Carlos had a prior arrest record in the Canary Islands for using the same price-alteration trick to purchase expensive computer components and stay at exclusive local resorts.

While a judge has granted him provisional release, the investigation remains open. Authorities are currently auditing luxury hotel registries nationwide to determine if other five-star establishments fell victim to the "Operation Drago" hacker.