What happens there is supposed to stay there, but the absent-minded are more likely to contract ransomware in Las Vegas than any other American city.

That’s according to a survey by ransomware protection software company Malwarebytes. It looked at just under half a million incidents between July and October in which a computer was exposed to ransomware, an increasingly common strain of malicious code, often delivered via a criminal’s email attachment, that causes computers and networks to freeze, and a computer’s files to be encrypted. It’s accompanied by a ransom note to pay up in bitcoin if the user wants to access those files again.

That Vegas, the 28th most populous city in the U.S., would be such a hub seems a strange finding at first. “I was surprised,” Adam Kujawa, the Malwarebyte’s Director of Malware Intelligence, said. But he had a guess, based on the fact that Las Vegas is consistently at or near the top of most metrics for business conventions.

“Vegas is a place where people go from all over the world,” he said. “They visit a central location, they connect to all kinds of wifi connections, whether it be hotels, casinos, things like that. And a lot of people tend to be less cautious when they’re in Vegas, so that’s our first theory — that people just click on anything.”

Focusing strictly on cities — this study’s metric only looks at areas with a population of 250,000 or more — would bump up Las Vegas in the rankings. In May, the FBI released a survey of its ransomware complaints from 2015. There, the results largely correlated with population. California was hit hardest, but states like Texas, Florida, and New York were also near the top.

According to the 2010 census, Nevada is the third-most urbanized state in the U.S., with more than one in five of its residents residing within Vegas city limits. Coupled with a rapid turnover of a distracted business class, that might explain why Sin City is so likely to fall for basic online attacks.

Ransomware is often spread through basic phishing attacks, in which a criminal’s email is designed to appear to be a friendly one in order to convince a user to download it. It’s possible that cities with larger tech industries, like San Francisco, Los Angeles, Austin, or New York, might be better trained to not fall for such tricks, according to Data Science Analyst Nima Samadi.

“I think maybe these more cosmopolitan major cities have more an awareness or knowledge of these security issues, and maybe that’s why some of these midwestern cities or smaller cities are more often victims of opportunity, in the sense that they’re more likely to fall for potentially the phishing scam or whatever it might be,” Samadi said.

Whatever the reason, the results for rust belt cities don’t look good. While none of the aforementioned larger tech cities made the top 10, several Rust Belt cities — Detroit; Cleveland and Columbus, Ohio; Buffalo, New York; and Fort Wayne, Indiana — all did.