Bkwifi.net — Http-
When a luxury hotel chain’s backup WiFi portal (http://bkwifi.net) is hijacked, a junior network engineer discovers a decade-old backdoor that turns a convenience page into a silent data vacuum.

Part 1: The Blue-and-White Portal

The screen was painfully simple. A white box on a blue background. No HTTPS padlock. Just a form asking for a room number and a last name.
The problem? Starlight Networks went bankrupt in 2019, and no one renewed the domain’s enterprise DNSSEC. The hotel’s internal DNS still pointed to a local IP (192.168.88.2) – but the public registration of bkwifi.net had lapsed. In 2022, a grey-hat hacker known only as "Cipher" noticed the expired domain. He bought it for $11.99 on GoDaddy.
She SSH’d into the Pi. Its local log showed a single line repeated every 90 seconds: http- bkwifi.net
Priya’s stomach dropped. Internal device phoning external unknown host.
He didn’t change the IP immediately. Instead, he set up a honeypot. He copied the old blue-and-white portal perfectly, but added one line of JavaScript. It wasn't malicious yet—it was a logger. Every time someone in the world accidentally typed http://bkwifi.net (perhaps misremembering a hotel’s private address), Cipher saw their IP, their browser, their OS.
For three years, guests at the "Aurora Grand" had accepted this as normal. "It's just the backup WiFi," the front desk would say. "If the main fiber goes down, connect to BK-5G and log in here."
By 4 AM, Cipher had forwarding rules set up in Elena’s inbox. Every email containing the word "invoice" or "wire" was silently copied to a burner Gmail.

A month later, the hotel’s new IT director, a sharp woman named Priya, ran a routine vulnerability scan. She noticed that bkwifi.net was resolving to an Amazon EC2 IP in Virginia, not the basement Raspberry Pi.
And just like that, the hotel’s backup network had a new master. Cipher didn’t want to steal credit cards. Too noisy. He wanted persistence.
[system] Outbound heartbeat to bkwifi.net: SUCCESS (external IP 54.234.12.87)
That night, Cipher’s script went to work. Elena checked her Ethereum wallet at 3:15 AM. The fake banking clone didn't touch her crypto—too traceable. Instead, it harvested her session cookie for her corporate email (an Exchange server with no MFA on legacy protocols).