Warning on World Backup Day, March 31st

NordVPN (Headquarters: Amsterdam, Netherlands; Japan Representative: Takuro Obara), a provider of personal security services, has announced the results of a survey conducted in 2025 by its threat exposure management platform, "NordStellar," regarding the reality of damages caused by the information-stealing malware known as "Infostealer."

This survey analyzed 913 data points collected from dark web forums and Telegram groups between 2021 and 2025. It revealed the reality of "dark web travel agencies" that use credit card information stolen by Infostealers to make fraudulent purchases of airline tickets and hotel reservations, which are then resold on the dark web. 92.5% of these listings are sold at a 40-60% discount off the list price. In addition to hotel reservations (18.2%) and airline tickets (13%), the scope of these operations has expanded in recent years to include delivery coupons such as Uber Eats (21.7%).

March 31st is "World Backup Day" every year. Taking this opportunity to rethink the protection of digital data, NordVPN is once again calling for consumer caution ahead of the Golden Week and spring travel season. The damage from credit card fraud is becoming increasingly serious in Japan; according to statistics from the Japan Credit Association, the total damage in 2024 reached a record high of 55.5 billion yen. 92.5% of this was due to the theft of card numbers, and a link to the spread of Infostealers has been pointed out (Source: Japan Credit Association).

*Infostealer is malware that secretly collects credit card numbers, passwords, cookies, browser-saved information, etc., from an infected device and sends them to an external party. It infects devices through email attachments or malicious software downloads, stealing information without the user's knowledge. The dataset for this survey also included manuals in which dark web sellers explained the procedures for their crimes in detail, revealing that these methods are being systematically shared and passed down.

What is a "Dark Web Travel Agency"? Dark web travel agencies provide services in a format similar to legitimate travel booking sites, but their actual operations take place in hidden dark web marketplaces and forums. Criminals use stolen credit card information to purchase legitimate travel products on the dark web and resell them to third parties at significantly discounted prices. Analysis of data collected by NordStellar between 2021 and 2025 (913 valid entries) revealed the following:

- 92.5% of listings are sold at a 40-60% discount. A clever resale tactic disguised as "budget travel." - The most common category is hotel reservations (18.2%), followed by airline tickets (13%), Airbnb reservations (5.6%), and car rentals (5.2%). Many package deals combining flights and accommodations were also confirmed. - In recent years, it has expanded to delivery coupons. Transactions occur in the order of Uber Eats (21.7%), DoorDash (16.2%), and Amazon (10.1%). - Cryptocurrencies and cash apps are frequently used for payment. Mechanisms for building trust through "escrow" (third-party deposit) are also in place.

With travel-related service bookings becoming active ahead of Golden Week, it is necessary to be cautious about the risk of your own card information being misused on the dark web without your knowledge.

Why are travel-related scams difficult to detect? What makes this tactic particularly serious is that victims can be affected even if they have not clicked on suspicious links or shopped on shady sites. Criminals exploit card information leaked in past data breaches, leading to fraudulent use of cards in situations where the victim has no recollection of the transaction. Furthermore, this survey confirmed manuals where dark web sellers explain the criminal procedures in detail, revealing that the methods are being systematically shared and inherited.

Serious damage also extends to those who are deceived into purchasing discounted products. In addition to reservations being suddenly canceled, cases have been confirmed where buyers become targets of police investigations for complicity in fraud, or where communication with the seller is suddenly cut off, leaving the buyer to suffer the loss after paying. The original cardholders are almost always unaware of the damage until the fraudulent charges appear on their statements.

5 measures you can take right now before booking travel for Golden Week - Enable real-time notifications for credit cards and bank accounts. - Do not overlook even small, unfamiliar charges; report them to your financial institution immediately. - Set strong, unique passwords for each service and implement multi-factor authentication (MFA). - Minimize the number of places where your online payment information is saved. - Do not purchase "unnaturally cheap travel products" (there is a risk of fraud for the buyer as well).

Comment from Vikintas Maciukas, CEO of Saily: "Travel services on the dark web are a well-developed market with their own customer service and repeat customers. This business model, which profits from using stolen payment information, means that if your card information was included in a data breach, there is now a non-negligible possibility that it is being used to pay for someone else's trip."

Comment from Marijus Briedis, CTO of NordVPN: "Travel-related purchases are generally high-value and often look like legitimate expenses, so it can be difficult to immediately identify them as fraudulent on a credit card statement. Scammers can buy time before the card is canceled, and cases have been confirmed where they test the card with small charges before moving on to high-value travel bookings."

About NordVPN NordVPN is an advanced VPN service provider with millions of users worldwide. It offers over 8,200 servers in 165 cities across 127 countries, providing a variety of features such as Dedicated IP, Double VPN, and Onion Over VPN servers to enhance online privacy without tracking. One of its main features, "Threat Protection Pro," can block malicious websites, trackers, and ads, as well as scan for malware. Furthermore, it has launched its latest product, the global eSIM service "Saily." "Saily" is designed for international travelers, allowing them to easily use data communication without the need to purchase a local SIM card.