Andreas Kolb Starts New Instagram Account After Hackers Demand €300 Ransom

Jul 9, 2021 at 10:31
by James Smurthwaite  

World Cup racer Andreas Kolb is appealing for new followers after his Instagram account was hacked and held to ransom for €300. Kolb had gained a following of 9,800 fans on the account but will now have to build his online presence back up from zero.

While it may seem like a minor problem for most of us, losing a large portion of a social media presence is a big problem for professional mountain bikers. Riders rely on a social audience to help promote their sponsors and nearly two thirds of riders in our State of the Sport Survey agreed with the statement, "I have to make content to maintain my income." Andreas said, "These days it’s really important I think. If you do good on social media it’s way easier to get sponsors and sometimes even a ride in a good team."

Andreas had asked to become a verified Instagram user about three weeks ago so when he received an email confirming his verification status, he thought nothing was wrong. Unfortunately, the email was not from Instagram but a hacker. He clicked a link in the email and within 60 seconds the email address for the account was changed and the account was blocked. Andreas attempted to contact Instagram to get his account back "5-10 times" but received no help from them.

The hackers asked for a ransom of €300 to return the account and Andreas was apparently close to paying them but in the end decided against it as he could not trust they would give it back. Instead, Andreas has started a new account and is asking his former followers to keep up to date with his posts there. Andreas has already picked up more than 2,000 followers on his new account and you can help by checking out his page andreas.kolb66.

Hopefully Andreas can boost his following back up and continue to promote himself through the app. However, if you find yourself receiving a strange email about social media, "Check everything twice," he advises. "The email I got looked really good only the email address was a bit weird. Sadly I saw that too late."
The email Andreas received from the hacker.


  • 182 2
 Guess Gee is getting bored in that hospital bed .
  • 75 0
 €300 or a 12 speed chain and cassette... either will be acceptable payment!
  • 11 0
 @theboypanda - chain and cassette it is. Just to make sure you get it safely I will deliver it in person
  • 5 0
 If I stole someone's account, I would set the ransom at 2 tacos.
$300 dollars, what is this, 1800 when you can buy Mississippi for that much?
  • 58 7
 What sort of hacker demands only a 300 ransom?
  • 380 3
 Probably one that read the PB article on MTB athletes salary.
  • 15 1
 is an instagram account worth that much more?
  • 42 0
 A realistic hacker.
  • 13 0
 The one who does this too numerous accounts and doesn't get greedy by going for a very large sum, thus lowering their chances of getting caught.

Ever seen Point Break? Same concept, don't get too greedy.
  • 16 1
 @hi-dr-nick: "I caught my first tube today." That had nothing to do with your post, but I'll take any excuse I can to use that quote.
  • 1 0
Maybe this was largely automated. Have a bot look for people mentioning that they want to get verified. Then you need a list of emails to match the insta handle (maybe bought). Send the mail and set the ransom proportional to the followers.
  • 2 0
 @MHcell: All automations are still controlled or surveyed by a human.
  • 1 0
 @jaytdubs: "Make it it two Utah!"
  • 2 1
 @Muckal: Gold
  • 3 1
 @Muckal: Best PB comment of the month!
  • 4 0
 well, apparently it ain't worth 300 bucks to Andreas.
  • 1 0
 Indeed ! I would have gone full Dr Evil and asked for 1 million $
  • 1 0
 someone who know's his clientele.
  • 31 3
 "The email I got looked really good"

The English was grammar / punctuation was so bad that no person in their right mind would've clicked that.
  • 6 0
 Always check the actual email address too!
  • 18 0
 English isn't his first language I imagine as he is Austrian, so perhaps make it easier to fall for it.
  • 17 0
 Criticises someones grammar/punctuation by posting bad grammar/punctuation in response unironically.
  • 10 0
 @melonhead1145: Those errors and most of all those punctuation errors exist in German in a very similar manner. I'd reckon he was quite a bit to excited and did not double check whether that mail was legit or not.
  • 1 0
 @Mocope: speaking of which why have no hackers hacked my instagram with a phoney blue badge tick?! Feel I'm really missing out on nothing here.
  • 19 4
 What a bunch of sh*t stains the hackers are. Piss on them. Andrew, I will gladly follow your new account.

And as others have already noted.... €300 and that is it? Hacker must be a punk in their mom's basement
  • 8 1
 From what I've learned after having a million fools try and scam me out of video game items, most of them live in countries with very low cost of living. If they manage to convert on just 0.5% of the scam attempts they send out (most of them automated), they are actually making quite a lot of money compared to working the dead-end jobs they have available in the area.

This is why phone scammers will never be eradicated unless service providers come together to stop them completely. All they need is to get a single gullible old person in the US to give them their username and password and they can make significantly more per month than they would ever be able to make doing legitimate work. It really highlights the gulf of wealth inequality in the world today.
  • 2 2
 @getsendywithit: fair enough. That said, lots to be said about shitty governments/dictators/banana republics in those areas as well IF that is the case. Either way, a scammer is a scammer and they get very little sympathy from me. I am sure that's an unpopular view, but is what it is.
  • 16 0
 I can guarantee he did more than click a link. He'd have had to provide his credentials on a fake landing page afterwards.
  • 17 1
 It's what happens when you use same login credentials on Instagram as your pornhub account.
  • 5 2
 @onemind123: So crazy how common this is. RGNs in a PW vault. Its not that hard people.
  • 3 0
 @freestyIAM: ha, so true. Although my girlfriend immediately withdraws sex when I talk password security
  • 13 0
 Please setup all of your online account using Multi Factor Authentication if the support it. Instagram does:
I recommend using Google Authenticator or Microsoft Authenticator vs using SMS.
  • 2 0
 This should be the #1 voted post.
  • 2 1
 And why cant these tech heads figure out how to automatically transfer your followers to a new account?
  • 13 0
 Sounds like the perfect opportunity to not have a social media account altogether.
  • 10 0
 Is anyone with me when I call conspiracy? The hackers were sitting in that one car in Les Gets just casually looking for their victims. And there they found a cursing Austrian bloke on an expensive robot bike and thought "Hell yeah, he's our guy°"
  • 3 0
 Highly underappreciated + underrated comment .
  • 10 2
 To the few that are saying "Why Andreas?" or "How do people fall for stuff like this?": This is a common tactic in the computer science world known as phishing, and more generally social engineering.

The hacker sends out a scripted email to a very large number of users on Instagram claiming something in hopes that they click a link. The link can direct a target to a fake link, where they put in their login credentials, and when they click login it redirects them to the real page. The problem is that the fake page can look identical to the real page and when the target logins into the fake page (where it then redirects them to the real one), often the target will just think "The page may have refreshed by accident...I'll just log in again."

The ransom value is low-ish because the value is low enough that people will fall for it, and high enough that the hacker makes a large profit from targets that do fall victim.

High-value targets can be victims of spear-phishing or whaling, which is an interesting topic as well. Just wanted to give those interested some insight into what was happening here. If your suspicious of an email like this, call the official number of the company to check with them!
  • 7 1
 I got hacked and after going over all my stuff the hackers offered me 300 euro and an apology. According to them I should change my password to something other then password. Any suggestions? I was thinking about using my phone number but not sure I can remember all the digits as i never call myself...
  • 10 0
 Use your credit card number as your password then you always have the password available in your wallet.
  • 4 0
 I answer a lot of my spam phone calls to just mess with them. When they ask for my name, I give them movie star's names or well know people's names and obviously fake information. They hate it.
  • 2 0
 I played their game once, wasted like 5 minutes of their time. Didn't go longer because I didn't write down the command they wanted me to enter into the console... Next time I'll be prepared for that haha
  • 2 1
 Knowing how to swear in Hindi can get some satisfying results
  • 2 0
 My day was telling me about how hackers will demand ransoms from individuals or companies. Otherwise, they will publicize client's personal information, brick financial funds, or personal accounts! Don't trust your personal information to anyone no matter the security.
  • 2 0
 Better to just stay off the internet, other than PinkBike that is!
  • 5 1
 They picked the wrong pro sport athletes to extort. Any other pro sport…
  • 5 0
 That grey snowboard in the background is really narrow.
  • 1 0
 I call Bullshit - these hackers are crap worthless. I bet he'll get his account back regardless. Never give anyone a dime for this sort of stuff. Why not go after Tom Brady or someone with coin? Stupid hackers.
  • 3 0
 You're talking like they sat down and said, "Hey you know who we should hack? Andreas! I bet he is rolling it!", when in reality they just cast a wide net with their phishing email and pull what ever phish come in. I'm sure they'd love to hold someone like Brady for ransom but the net they cast didn't pull him in.
  • 2 0
 @freestyIAM: You're probably right - I'm only good with tech on a trail.
  • 2 0
 @freestyIAM: and I bet Instagram would be far more helpful to someone like Tom Brady about getting their account back.
  • 5 1
 'Online presence'
kiss my a$$
  • 2 0
 XTR cassettes aren't cheap, grifters gotta grift. Personally I would have asked for bike parts,
  • 3 0
 300$, man it is enough to buy at least 3 maxxis tyres !
  • 1 1
 or you could get 2 Michelin DH22 with Tannus Armour and actually enjoy your bike.
  • 6 2
 This is news?
  • 1 0
 Best comment here
  • 1 0
 "news" on Pinkbike has gotten really soft lately. Opinion and social media get more clicks than actual important info.
  • 1 0
 Whistler lets you take eBikes up on the lift now
  • 4 5
 This is not really an example of "hacking". The perpetrators didn't use some security loophole, keylogger or brute force method to get into his account. This is an example of social engineering, and unfortunately it's the responsibility of the account user to protect themselves against these kind of attacks. I don't feel bad for Andreas here in the same way that I don't feel bad for people who get their bikes stolen when they don't lock them up in public. After clicking the link I am guessing he was prompted for personal details (like ID) AND his account information, including his password. You have to take at least minimal measures to protect things that are valuable to you, as we have learned these media followings are, otherwise you are just being negligent. Yes "hackers" are a*sholes and criminals, and same goes for bike thieves, but you have to at least make it difficult and risky for them to do the things they are going to do.

While a post like this could be an opportunity to bring awareness to these kind of attacks, this one is written like we should be sympathetic to Andreas, and most of it is just helping to promote his new Instagram account. I don't even know why this is PB news-worthy or something to be included on the main page, unless it is a paid advertisement by the rider for his new account.

As many other commenters and commonplace sources of information recommend these days, you should use a password manager (usually built into your phone), use biometric security where possible, and be incredibly skeptical any time a website or app asks you for personal information. Cybersecurity is not something exclusively for nerds or IT folks these days, everyone needs to consider it and at least take minimal precautions.
  • 2 1
 Hackers can still get people's accounts and passwords.
  • 3 1
 @tacklingdummy: Yes, that's true. And bike thieves can cut through locks with the right tools, but that doesn't mean people shouldn't be responsible and do what they can to protect their stuff.
  • 2 1
 @thepwnstar39: Not saying don't protect yourself, but you have no defense if they are able to get you account info and password in the coding remotely undetected.
  • 1 1
 @tacklingdummy: "able to get you account info and password in the coding remotely undetected"

There was no "coding remotely undetected". This is an example of "phishing": posing as a trusted person or site, getting someone to click a link that looks like a real login, and snatching up whatever passwords are entered. Nobody broke into Instagram or Andreas's phone in order to steal the password. They simply asked for it, while disguised as Instagram, and he gave it to them. And there are defenses: double checking links/emails especially anytime something is asking for login info, and multi-factor authentication.

@thepwnstar39: Yeah, it's not hacking in original sense of finding holes in, and exploiting the limits of, systems in order to learn stuff; but colloquially phishing fits into the general public's definition of hacking, which seems to be anytime someone gets something they're not supposed to have and a computer system was involved at some point.
  • 1 0
 @justinfoil: Yeah, this was a phishing example. However, it is absolutely true that hackers can get people's account information and passwords remotely through the code. Watched the Phreaked Out Series on Motherboard YouTube Channel. There are three episodes. They show how they can hack into anything. Watch this episode or specifically @12:30. The guy gets FB login info and password remotely through a cellular network.

Here are the other episodes.
  • 1 1
 @tacklingdummy: "remotely through the code", That phrase is meaningless. As is "through a cellular network", because the network doesn't matter at the level of FB or Insta: apps are sending the same data packets regardless of the physical network.

I'll watch those, but "hack into anything" is also as meaningless as "hack-proof". They are just exploiting known holes in poorly designed systems, or potentially finding new holes by probing and attempting to exploit common mistakes and misconfigurations; but no one can just pick a random well-designed and secure system and instantly & reliably gain access. They may also have used rainbow tables and GPU-powered hashing to recognize common passwords or reused passwords extracted from other breaches; but those techniques aren't breaking into anything, they're just discovering passwords and using them to login in the normal manner.
  • 1 0
 @justinfoil: Watch the videos. You know what I meant. Accessing the code remotely (from another location)via cell networks or wifi to obtain the user's information and password.
  • 2 0
 It ain't much. And it's not even honest work.

I wonder if the hacker did this just to have his 5 minutes of fame on pb Big Grin
  • 2 0
 This is your mother here, pay back the 300, or get a real job and I release the account
  • 3 1
 Pinkbike....doing God's work ;P
  • 2 0
 Hide your kids, hide your wife. They hacking everyone up in here!
  • 2 0
 These hackers have gotten far too out of control.
  • 3 1
 Two-factor authentication should be mandatory.
  • 1 0
 Isn't it all linked to his Facebook anyway?
  • 2 0
 @SHREDWORX: It usually is, but two-factor still helps since it requires something more than just the password to gain access. Even if a password gets phished like this example, the phishers still can't get access since they won't have the second factor (unless the second factor is via SMS and they also compromised the victim's phone number, but that's a shit ton of work for only a $300 ransom).

So, yes, two-factor/multi-factor auth should be mandatory, and with something way more secure than SMS: at least sending codes via email (Insta doesn't even offer, not great), even better is software tokens (Insta does offer, so use it!)
  • 2 0
 Good decision and well done Andreas for not paying.
  • 2 0
 Never pay off a terrorist.
  • 1 0
 Someone start a Kickstarter to get him 300 pounds.
  • 2 0
 We got him!
  • 1 0
 It's Euro, that's like 100 pounds, no?
  • 2 0
 @SHREDWORX: Probably lots more, Brexit ****ed the pound
  • 1 0
 He’ll probably get more followers now anyway
  • 1 0
 i would help, but whats an instagram??
  • 5 5
 A good excuse to change his new username to 69 or 666 instead of 66.
  • 1 0
 300 lol
  • 1 0
 What's Instagram?
  • 1 2
 I know who the “mastermind” was: @wesleyfleatus lol

Post a Comment

You must login to Pinkbike.
Don't have an account? Sign up

Join Pinkbike  Login
Copyright © 2000 - 2021. All rights reserved.
dv56 0.014979
Mobile Version of Website