The head of “Avilon Electro,” Sergey Melyukh, told the media that fraudsters are hacking the accounts of Li Auto (Lixiang brand) car owners in Russia and then demanding ransom.
According to Melyukh, more and more affected car owners are reaching out to the dealer, having encountered hacks of master accounts.
“In the past month, we have re-registered 47 accounts, some of which were compromised due to hacks or ‘hijacking’. Once gaining control over the vehicle, the perpetrators demanded a ransom from the owners, averaging 250,000 rubles. In comparison, restoring access through an official dealer currently costs 17,000-18,000 rubles,” explains the director of “Avilon Electro.”
The master account is the key to full vehicle management through the app and allows for operations such as locking and unlocking, system and climate control settings, software and multimedia updates, and more. The master account also enables remote control of the vehicle, such as moving it out of a parking spot.
The login for such an account is a Chinese phone number (starting with +86…), and the password is an SMS message sent to that number.
Melyukh explains that hacking issues are observed with cars imported into the Russian Federation over the past three years by “grey” dealers and private suppliers. In such cases, master accounts may be improperly registered or linked to foreign numbers, making them vulnerable to attacks.
According to him, there are several ways to obtain a master account. Each method has its own drawbacks that should be taken into consideration.
- A physical SIM card with a Chinese number (usually registered under the name of a Chinese citizen at the time of buying the car in China). An unscrupulous car supplier and the SIM card owner may duplicate it to gain access to the vehicle.
- A virtual SIM card registered with Esender via WeChat and linked to the car owner’s foreign passport, to which the master account is assigned when purchased. This method is considered the safest for creating a master account. The maintenance cost of such a SIM card is around 2000 rubles a year. Problems typically arise when car owners forget to renew the SIM card, as the number might be transferred to someone else along with access to the master account.
- A Chinese number registered by the seller in China, transmitted to the new owner as a login during the car purchase in Russia, with the promise that the password will be disclosed upon request at any time. In such cases, access to the car is often lost along with the first real owner of the number.
- A family account masquerading as a master account with limited functionality can be transferred, and access may be revoked at any time.
The director of “Avilon Electro” notes that when a master account is hacked or stolen, scammers typically block the owner’s application, remotely control the car (open windows and doors, start the engine, and so on), and extort between 200,000 to 250,000 rubles for the return of access.
“At the very least, you could end up with open windows in the rain, and at worst, you could lose your car. If you own a Li Auto vehicle, pay attention to how your app functions and any changes that occur to the car after parking,” says Melyukh. “We recommend that when purchasing, you personally register your number in Esender and immediately obtain all rights for it. Also, refrain from using intermediaries from classified ads for registering Chinese numbers. When using the app, you should adhere to basic digital ‘hygiene’ by using strong passwords and enabling two-factor authentication.”
2025.02.08 — Hackers exploit RCE vulnerability in Microsoft Outlook
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned Federal Civilian Executive Branch (FCEB) Agencies that they have to secure their systems from ongoing…
Full article →
2025.03.18 — Black Basta ransomware group developed its own automated brute-forcing framework
According to EclecticIQ, Black Basta Ransomware-as-a-Service (RaaS) group has developed its own automated brute-forcing framework dubbed BRUTED. It's used to hack edge network devices…
Full article →
2025.01.28 — J-magic backdoor attacked Juniper Networks devices using 'magic packets'
A massive backdoor attack targeting Juniper routers often used as VPN gateways has been uncovered. The devices were attacked by the J-magic malware that…
Full article →
2025.02.12 — 2.8 million IP addresses used to brute-force network devices
The Shadowserver Foundation warns of a massive web login brute-forcing attacks targeting nearly 2.8 million IP addresses per day. Unknown attackers are seeking…
Full article →
2025.02.03 — PyPI introduces a project archival system to combat malicious updates
The Python Package Index (PyPI) introduces a new project archival system: a project can now be archived to notify users that it's not expected to be updated…
Full article →
2025.01.25 — 18,000 script kiddies have been infected with backdoor via XWorm RAT builder
According to CloudSEK analysts, malefactors attack novice hackers using a fake malware builder. Script kiddies' systems become infected with a backdoor that steals data and subsequently…
Full article →
2025.04.16 — Android devices will restart every three days to protect user data
Google introduces a new security feature for Android devices: locked and unused devices will be automatically restarted after three days of inactivity to return their memory to an…
Full article →
2025.01.26 — Cisco patched a critical vulnerability in Meeting Management
Cisco released updates to fix a critical (CVSS score: 9.9) vulnerability in Meeting Management. The bug enables an unprivileged remote authenticated attacker to gain administrative privileges. The vulnerability…
Full article →
2025.04.15 — Hackers exploit authentication bypass bug in OttoKit WordPress plugin
Hackers exploit an authentication bypass vulnerability in the OttoKit (formerly SureTriggers) WordPress plugin used by more than 100,000 websites. First attacks were recorded just…
Full article →
2025.02.21 — Microsoft fixes vulnerability in Power Pages exploited by cybercriminals
Microsoft patched a severe privilege escalation vulnerability in Power Pages used by hackers as a 0-day. The vulnerability tracked as CVE-2025-24989 (CVSS score 8.2) pertains…
Full article →