March 30, 2023by Adi Bleih

Malicious Traffic: The Race Between Underground Car Hackers and Automotive Security

Cars are lucrative yet fast-moving targets for hackers. As they transform from combustion engines into sophisticated computers-on-wheels, threat actors have a larger attack surface to exploit. However, the automotive industry has also invested considerably in securing cars, seeking to lock attackers out, both physically and virtually.

Threat actors share information and tools related to automobile hacking and theft on several dedicated underground forums. They also sell stolen cars, equipment for auto theft, fake driver's licenses, and bank certificates for car loans.

Improved tools and more sophisticated techniques may have contributed to the significant recent rise in US vehicle theft, which increased from ~888,000 in 2020 to over 1 million in 2022.

This article examines activity on underground automotive forums, including sales of various tools, stolen cars, and fraud services.


Master Keys: A master car key can open the doors and start the ignition on multiple vehicles. While these keys are reserved exclusively for auto industry professionals and locksmiths, thieves can readily obtain them to steal cars.

Forum screenshotFigure 1: A threat actor looking for a master car key

examples of keysFigure 2: A threat actor selling BMW G-series keys

Forum screenshotFigure 3: A threat actor selling BMW G-series master keys for 150,000 rubles (~$1,974)

Forum screenshotFigure 4: An image of the keys for sale

Forum screenshotFigure 5: The actor explains how to activate the key for a specific automobile

Code grabbers: Many new and late-model cars are equipped with keyless entry/start fobs, which enable motorists to start the vehicle without removing the devices from their pockets. Thieves use devices called code grabbers to intercept signals between key fobs and the car. They can then use code grabbers to repeat the signal to the car, spoofing the key fob and activating the automobile. Code grabbers are readily available online and on underground forums.

Forum screenshotFigure 6: A request for a Mercedes code grabber on an automotive hacking forum

Forum screenshotFigure 7: A threat actor sells code grabbers for brands such as Lexus, Toyota, and BMW.


Threat actors advertise various automobile fraud services, enabling others to carry out more sophisticated thefts.

Registration fraud: Threat actors carry out fraudulent sales and re-register a car in the name of a new owner through the Department of Motor Vehicles (DMV). One actor offering this service explains (figure 8) that once a car’s registration changes, the new “owner” can sell the car, tow it, or report it as stolen to convert it into cash.

Forum screenshotFigure 8: Registration fraud services

Fake documents: Fraudsters also sell fake documents that enable actors to purchase and operate vehicles. These include fake driver's licenses, bank loan documents, and car insurance forms.

Forum screenshotFigure 9: Fake driver's licenses and vehicle registration documents offered for sale on the underground

Stolen Cars: Several actors even sell vehicles on underground hacking forums. While they do not generally mention if they have legal possession of these cars for sale, several indicators signal that they are illicit (beyond the obvious fact that anything sold on the dark web is inherently suspicious). First, in the example below (figure 10), the price is suspiciously lower than the vehicle’s recommended value on the second-hand market.

Second, sellers of stolen vehicles generally only list the price and mileage. They omit essential information, such as the number of previous owners, insurance details, and registration/test data.Finally, these transactions are cash-only, preventing a paper trail that law enforcement can follow.

Forum screenshotFigure 10: A presumably stolen vehicle offered for sale on an underground automotive hacking forum

Furthermore, prospective buyers look for cars without documents or “unnecessary questions” (figure 11).

Forum screenshotFigure 11: An actor in England looks to purchase a car illegally


Over the last decade, automobiles have transformed into complex computer platforms. While this provides considerable convenience to drivers, it has also expanded the threat landscape for threat actors to exploit.

Our analysis of underground automotive hacking forums has shown that car hackers use a combination of innovative technologies--such as signals interception and time-worn methods, such as social engineering and forgery, in order to obtain and operate vehicles illegally. Car manufacturers must ensure that new features do not open the door for attackers by implementing security and tracking chatter among hackers.

Cybersixgill automatically aggregates data leaks and alerts customers in real time.

Learn More

You may also like

Analyst looking at multiple monitors

July 11, 2024

Chinese APT40 Hackers Hijack SOHO Routers: Unleashing Cyber Espionage Attacks

Read more
Abstract digital landscape with flowing lines of glowing binary code in blue and orange, representing data streams and modern technology.

July 08, 2024

CVE-204-6387 Poses Risk to Organizations Relying on OpenSSH’s Server (sshd)

Read more
CSG-IQ vs ChatGPT-Thumbnail

June 12, 2024

Navigating AI: Comparing ChatGPT to Cybersixgill IQ

Read more