The holiday season is upon us and many are busy making travel plans to visit loved ones. In the process, some might be taking advantage of deals with illicit underpinnings.

As Joseph Cox from Motherboard reports, “An established and booming underground trade allows people to stay in four and five star hotels at a steep discount, with sellers obtaining the rooms through stolen loyalty point accounts, abused employee discounts, or corrupted hospitality industry insiders.”

In his quest to investigate this underground travel industry, Cox booked a hotel room in Times Square in Manhattan, a booking that he notes was bought with loyalty points rather than a stolen credit card. In the process, he discovered the inner workings of fraudulent tourism.

According to a listing on Dream Market, which Cox describes as “the biggest dark web marketplace at the time of writing,” the underground travel agents book the deals using points to make them appear as legit as regular bookings.

Typically, the services require Bitcoin as payment. And since many of the customers of these services are fraudsters themselves, the whole process becomes that much more convenient. When Motherboard sent the travel agent the Bitcoin payment (worth $100), it noticed that the funds were then transferred to another Bitcoin address that contained about $60,000.

Relying on loyalty points and frequent flyer miles as the preferred currency for bookings makes it easier to skirt the law. That’s because it can be challenging for airlines and hotels to ascertain if the points or miles were obtained fraudulently. Not only that, reservations made with points raise less suspicion and “cut out fraud-spotting banks altogether.”

The industry has grown as more of it has gone electronic, including the use of e-tickets. But it’s not a complete success story. According to Motherboard, in one sting operation, 193 people were arrested last year for participating in an airline fraud scam. Several months ago, a cybercriminal who used victims’ air miles to travel to Las Vegas for gambling excursions was also arrested.

To avoid triggering fraud alerts and ensure that the trip goes as planned, scammers try different tactics, such as limiting the advance window before travel to just one to five days.

While airlines and other travel-related organizations might put the onus on customers to make sure they’re being careful with their passwords, businesses have a responsibility, too. Data is data.

Notes Motherboard, “All of the hotels and airlines that responded to requests for comment said they take fraud seriously and have measures in place to stop it; Motherboard’s test indicates that there still are gaps in these protections.”

Get the full story at Motherboard.