Empty pots, stolen bank cards: Vinted users are robbed by a major scam

This is a site used by every third Frenchman. Second hand clothing platform Vinted has 23 million users. Transactions every second and turnover is kept secret, but since 2019 it has exceeded a billion euros. This financial surprise whetted the appetite of cybercriminals. Online hackers robbed the accounts of hundreds (at least) of users in a matter of days, and testimonies of victims are mounting.

On the second hand clothing platform forum alone, hundreds of posts have mentioned the scam in the past hours. And call the site for help. “I just noticed that my Vinted wallet was empty when I had 160 euros,” the user is sad. “They hacked me for almost 800 euros, what can I do? Maeva asks. “The 52 euros that were in my account were transferred to the scammer’s account… This is a tiny amount compared to some of the victims when I see the comments… But for me it’s a lot,” Camilla is also touched.

The damage can really be huge. Marianne Leleu, an eight-year-old Vinted employee who was specifically in charge of fighting piracy, saw her Instagram account explode with evidence that she runs Les nuggets of Vinted and has 88,500 people following her. “I already received a dozen warnings on Tuesday. The next morning I had 200 messages in one night… This method existed, but was not as massive. Over the past two days, a network has been organized with victims in Spain and Italy,” worries the one who alerted his community.

Money transferred to Germany, Ireland or Luxembourg

What is this process? Users receive an SMS or phone call with the four-digit code required to change their contact details on Vinted. “SMS that I deleted because we are getting false. Then they called me, I answered, it was voice mail telling me the same thing. I hung up, like all the promotional calls we have,” explains Vanessa, a medical secretary from Aix-en-Provence, who is being drained of 203 euros from her wallet.

Some of the victims then receive an email notifying them that their coordinates have changed. Then it will be too late because the cybercriminals have already taken control of their account and harvested the fruits of their sales.

However, changing the password or name is not systematic. “We have testimonies from victims who could not see anything, for whom the criminals simply changed their bank details and patiently waited for the transfer made by the users,” says Marianna Leleu. According to our findings, a verification code is not required to transfer funds to an external account.

Worse still, in an attempt to prevent victims from reacting by changing the compromised password and removing the perpetrators’ RIBs whenever possible, some thieves go so far as to post pornographic content on the account so that the latter is automatically blocked after the money has been transferred. got robbed…

“Recently, we blocked access to the accounts of several of our members due to an incident in which fraudulent access to these accounts was noted,” the Vinted platform admitted this Thursday evening with a Parisian.

Data received outside the platform?

The site, which says it has “already contacted interested members to help them regain access to their accounts,” guarantees that “the connection information used (usernames, passwords, etc.) was obtained from data which have been addressed elsewhere. outside the platform and not affiliated with Vinted.” Apparently, the thieves recovered this data in a previous internet hack and used the then-stolen email address and password combination to connect to accounts to be deleted on the used platform.

It seems that these hacked accounts were not chosen by chance. “We notice that they identify and act according to the amounts in the portfolios. They seem to have access to a nickname and access to available money, but fraud takes their time, so they do not focus on small accounts,” continues Marianne Leleu, who is wary of “code aces”.

“I just sold a branded bag for 530 euros”

Evidence, if any, of the hackers’ knowledge of internal procedures for forcibly closing an account. “Mine has been blocked since Thursday. I don’t feel safe on Vinted anymore. I just sold a designer bag for 530 euros that I left in my e-wallet. I also gave up my bank card,” says Leyla, 35, a project manager in finance.

Judging by the screenshots that the victims were able to provide us, on which the first letters and numbers of the account are visible, the money was transferred to Germany, Luxembourg or Ireland. Previously, they probably sent it from account to account in order to become elusive for investigators. It is still necessary for victims to report themselves. This seems to be difficult for Internet users who have been contacted, who regret the lack of evidence. “It is difficult to write a statement, I have nothing to report to the police,” Vanessa regrets.

These voracious and experienced cybercriminals are not content with freeing the Vinted kit from its victims. Some go so far as to successfully use bank cards registered in a customer account to make purchases when their security is compromised. “I warned all my friends that they took their bank cards and emptied their kittens,” Aurélie, 42, a self-employed person in Seine-et-Marne, who also saw her kitten liquidated, assures us.

The wind of panic, which will lead to the mass removal of kittens by users, also threatens the Lithuanian company. In addition to blocking all accounts with suspicious messages, it now displays a special message when its clients try to withdraw their funds: “Transfers to a bank account may take longer than usual. We apologize for this inconvenience.” With Le Parisien, Vinted is already talking about compensating victims “in case they lose money in their wallet.”