Lixiang Car Owners Face Master Account Hacks

📟 News

Date: 01/08/2025

The head of “Avilon Electro,” Sergey Melyukh, told the media that fraudsters are hacking the accounts of Li Auto (Lixiang brand) car owners in Russia and then demanding ransom.

According to Melyukh, more and more affected car owners are reaching out to the dealer, having encountered hacks of master accounts.

“In the past month, we have re-registered 47 accounts, some of which were compromised due to hacks or ‘hijacking’. Once gaining control over the vehicle, the perpetrators demanded a ransom from the owners, averaging 250,000 rubles. In comparison, restoring access through an official dealer currently costs 17,000-18,000 rubles,” explains the director of “Avilon Electro.”

The master account is the key to full vehicle management through the app and allows for operations such as locking and unlocking, system and climate control settings, software and multimedia updates, and more. The master account also enables remote control of the vehicle, such as moving it out of a parking spot.

The login for such an account is a Chinese phone number (starting with +86…), and the password is an SMS message sent to that number.

Melyukh explains that hacking issues are observed with cars imported into the Russian Federation over the past three years by “grey” dealers and private suppliers. In such cases, master accounts may be improperly registered or linked to foreign numbers, making them vulnerable to attacks.

According to him, there are several ways to obtain a master account. Each method has its own drawbacks that should be taken into consideration.

  • A physical SIM card with a Chinese number (usually registered under the name of a Chinese citizen at the time of buying the car in China). An unscrupulous car supplier and the SIM card owner may duplicate it to gain access to the vehicle.
  • A virtual SIM card registered with Esender via WeChat and linked to the car owner’s foreign passport, to which the master account is assigned when purchased. This method is considered the safest for creating a master account. The maintenance cost of such a SIM card is around 2000 rubles a year. Problems typically arise when car owners forget to renew the SIM card, as the number might be transferred to someone else along with access to the master account.
  • A Chinese number registered by the seller in China, transmitted to the new owner as a login during the car purchase in Russia, with the promise that the password will be disclosed upon request at any time. In such cases, access to the car is often lost along with the first real owner of the number.
  • A family account masquerading as a master account with limited functionality can be transferred, and access may be revoked at any time.

The director of “Avilon Electro” notes that when a master account is hacked or stolen, scammers typically block the owner’s application, remotely control the car (open windows and doors, start the engine, and so on), and extort between 200,000 to 250,000 rubles for the return of access.

“At the very least, you could end up with open windows in the rain, and at worst, you could lose your car. If you own a Li Auto vehicle, pay attention to how your app functions and any changes that occur to the car after parking,” says Melyukh. “We recommend that when purchasing, you personally register your number in Esender and immediately obtain all rights for it. Also, refrain from using intermediaries from classified ads for registering Chinese numbers. When using the app, you should adhere to basic digital ‘hygiene’ by using strong passwords and enabling two-factor authentication.”

Related posts:
2025.01.29 — Google to disable Sync in older Chrome versions

Google announced that in early 2025, Chrome Sync will be disabled in Chrome versions older than four years. Chrome Sync enables users to save and sync their…

Full article →
2025.03.12 — Mass exploitation of PHP-CGI vulnerability in attacks targeting Japanese companies

GreyNoise and Cisco Talos experts warn that hackers are actively exploiting CVE-2024-4577, a critical PHP-CGI vulnerability that was discovered and fixed in early June 2024. CVE-2024-457…

Full article →
2025.01.27 — Zyxel firewalls reboot due to flawed update

Zyxel warned its customers that a recent signature update may cause critical errors in USG FLEX and ATP series firewalls. As a result, devices go into…

Full article →
2025.01.27 — YouTube plays hour-long ads to users with ad blockers

Users complain that YouTube plays very long unskippable ads. Sometimes such ads are longer than the video the person is watching. The issue was raised…

Full article →
2025.04.16 — Android devices will restart every three days to protect user data

Google introduces a new security feature for Android devices: locked and unused devices will be automatically restarted after three days of inactivity to return their memory to an…

Full article →
2025.01.25 — 18,000 script kiddies have been infected with backdoor via XWorm RAT builder

According to CloudSEK analysts, malefactors attack novice hackers using a fake malware builder. Script kiddies' systems become infected with a backdoor that steals data and subsequently…

Full article →
2025.04.12 — Hackers compromised a bureau within the U.S. Department of the Treasury and spent months in hacked systems

The Office of the Comptroller of the Currency (OCC), an independent bureau within the United States Department of the Treasury, reported a major cybersecurity incident. Unknown attackers had…

Full article →
2025.03.16 — Researchers force DeepSeek to write malware

According to Tenable, the AI chatbot DeepSeek R1 from China can be used to write malware (e.g. keyloggers and ransomware). DeepSeek was released in January 2025 and caused a stir…

Full article →
2025.02.08 — Hackers exploit RCE vulnerability in Microsoft Outlook

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned Federal Civilian Executive Branch (FCEB) Agencies that they have to secure their systems from ongoing…

Full article →
2025.03.24 — Alexa to stop processing data locally. All voice requests will be sent to Amazon Cloud

Amazon announced that the privacy option allowing users of Echo speakers to avoid sending their voice recordings to the company's cloud will no longer be supported. Effective March…

Full article →