The head of “Avilon Electro,” Sergey Melyukh, told the media that fraudsters are hacking the accounts of Li Auto (Lixiang brand) car owners in Russia and then demanding ransom.
According to Melyukh, a growing number of affected car owners are contacting the dealer after their master accounts were hacked.
“In the past month, we have re-registered 47 accounts, some of which were compromised due to hacks or ‘hijacking’. After gaining control over the vehicle, the perpetrators demanded a ransom from the owners, averaging 250,000 rubles. In comparison, restoring access through an official dealer currently costs 17,000-18,000 rubles,” explains the director of “Avilon Electro.”
The master account is the key to full vehicle management through the app and allows for operations such as locking and unlocking, system and climate control settings, software and multimedia updates, and more. The master account also enables remote control of the vehicle, such as moving it out of a parking spot.
The login for such an account is a Chinese phone number (starting with +86…), and the password is an SMS message sent to that number.
Melyukh explains that hacking issues are observed with cars imported into the Russian Federation over the past three years by “grey” dealers and private suppliers. In such cases, master accounts may be improperly registered or linked to foreign numbers, making them vulnerable to attacks.
According to him, there are several ways to obtain a master account. Each method has its own drawbacks that should be taken into consideration.
- A physical SIM card with a Chinese number (usually registered under the name of a Chinese citizen at the time of buying the car in China). An unscrupulous car supplier and the SIM card owner may duplicate it to gain access to the vehicle.
- A virtual SIM card registered with Esender via WeChat and linked to the car owner’s foreign passport, to which the master account is assigned when purchased. This method is considered the safest for creating a master account. The maintenance cost of such a SIM card is around 2,000 rubles a year. Problems typically arise when car owners forget to renew the SIM card, as the number might be transferred to someone else along with access to the master account.
- A Chinese number registered by the seller in China and passed to the new owner as a login during the car purchase in Russia, with the promise that the password will be disclosed upon request at any time. In such cases, access to the car is often lost along with the first real owner of the number.
- A family account with limited functionality, masquerading as a master account, can be transferred, and access may be revoked at any time.
The director of “Avilon Electro” notes that when a master account is hacked or stolen, scammers typically block the owner’s application, remotely control the car (open windows and doors, start the engine, and so on), and extort between 200,000 and 250,000 rubles for the return of access.
“At the very least, you could end up with open windows in the rain, and at worst, you could lose your car. If you own a Li Auto vehicle, pay attention to how your app functions and any changes that occur to the car after parking,” says Melyukh. “We recommend that when purchasing, you personally register your number in Esender and immediately obtain all rights for it. Also, refrain from using intermediaries from classified ads for registering Chinese numbers. When using the app, you should adhere to basic digital ‘hygiene’ by using strong passwords and enabling two-factor authentication.”