Cybercrime - The invisible traps in cyberspace:Part 1: Where does personal data leak from?
Without needing sophisticated cyberattacks, many people's personal data has been collected and leaked through familiar actions such as registering for services or shopping online. Worryingly, many people only realize the truth when strange calls or messages can "read" their personal information in detail.
Content: Dang Cuong - Tien Dong - Thanh Luong
Present:Hong Toai• April 27, 2026
*****
Without needing sophisticated cyberattacks, many people's personal data has been collected and leaked through familiar actions such as registering for services or shopping online. Worryingly, many people only realize the truth when strange calls or messages can "read" their personal information in detail.
“I was working at my auto parts store when I received a call from someone claiming to be a police officer. They said my personal information was being used to borrow money from a bank in Hanoi and requested my urgent cooperation. What made me believe them was that they correctly stated my name and ID number, even mentioning some previous transactions. They kept urging me and putting pressure on me, leaving me no time to think. I said I couldn't go to Hanoi right away, so they instructed me to handle the matter over the phone. Step by step, they asked for my OTP code and password, claiming it was to 'verify and protect the account.' After a short time, when I checked my account again, I was shocked – 160 million VND had been transferred out.”
The story that Mr. Tran Minh Anh (residing in Tay Hieu ward) told the reporter is not unique. Many people only realize their personal information had been leaked beforehand when they find themselves in similar situations.
In the context of the ever-evolving digital space, personal data is generated from almost every daily activity. From registering for a phone SIM card, online shopping, installing applications, to filling out forms… each action can become a “leak point” if not tightly controlled.
In reality, many people easily click "agree" when installing apps without carefully reading the terms and conditions. Behind those seemingly simple clicks lies permission to access contacts, messages, photos, location, and more. Once collected, this data can be transferred through multiple intermediaries without the user having any control over it.
Information leaks are not limited to the online environment; they can also originate from everyday transactions such as leaving phone numbers when making purchases, registering for services, or using SIM cards that are not registered in one's name. From these fragmented pieces, malicious actors can gradually build large "data repositories" to serve their criminal purposes.
Recently, authorities have dismantled large-scale data collection and trading rings. In Nghe An province, at the end of 2024, the provincial police investigated, discovered, and dismantled a large-scale ring involved in the illegal trading of bank account information. According to the police, this was an organized crime group with specific roles assigned to members and operating in a hierarchical manner. The group was led by Vu Trung Kien (born in 1994), residing in Hung Yen province; Pham Hoang Hiep (born in 1992), residing in Nghe An province; Vu Hoang Nha (born in 1984) and Hoang Xuan Truong (born in 1988), both residing in Yen Khanh district, Ninh Binh province.
The investigation revealed that this group colluded with individuals abroad, particularly in Cambodia. They collected and purchased bank accounts from citizens and then supplied them to online fraud rings. They formed a network of "agents" and intermediaries, targeting low-income individuals and students to rent or buy accounts for prices ranging from a few hundred thousand to several million dong per account. In a short period, the group amassed over 500 accounts at various banks, including both personal and business accounts. These were the "raw materials" that enabled the fraud rings to operate smoothly online.
Money from the scams was transferred into these accounts, then further transferred through multiple intermediary accounts under the direction of the ringleaders, and used to buy cryptocurrency to erase traces and avoid detection by authorities. Initially, the police determined that the total amount involved was over 50 billion VND, including victims in Nghe An who lost hundreds of millions of VND.
Following the establishment of a special investigation, the Nghe An Provincial Police, in coordination with various relevant units, arrested 41 individuals for the illegal collection, storage, exchange, and sale of bank account information; fraud and misappropriation of assets; and money laundering.
Furthermore, the collection and trading of personal data has expanded to include citizen identification information, phone numbers, social media accounts, and more. These activities are not limited to individual scams; perpetrators are forming closed "data ecosystems" where citizens' information is collected from multiple sources, then categorized and analyzed to serve various scam scenarios.
Typically, in February 2025, the Cyber Security and High-Tech Crime Prevention Department of the Ministry of Public Security, in coordination with other professional units, cracked a case involving the illegal buying and selling of personal information led by LCĐ (born in 1997), residing in Hanoi, who bought and sold nearly 56 million pieces of personal information, earning billions of dong in illicit profits. The perpetrators used "burner" SIM cards, accounts not registered under their names, and fake accounts on social media to conceal their activities...
On private groups, forums, or chat platforms, personal information is openly sold. The data isn't limited to just names and phone numbers; it's categorized in detail by age, occupation, location, and even loan or investment needs.
It is evident that personal data is gradually being transformed into a kind of "commodity" in cyberspace, being bought, sold, and exchanged on an increasingly large scale and becoming more difficult to control.
According to statistics from the Ministry of Public Security, between 2020 and 2025, more than 24,000 cases of online fraud and property appropriation occurred nationwide, with total losses of nearly 40,000 billion VND. From 2022 to October 2025, approximately 17,200 cases were recorded, involving hundreds of thousands of victims.
In Nghe An province alone, in 2025, authorities initiated legal proceedings in 62 cases related to high-tech crimes.
Engineer Phan Thanh Thang, Project Manager at Viettel High-Tech Corporation, stated: In the context of digital transformation, an increasing amount of personal data is being digitized and stored online, becoming a target for cybercriminals. Through exploiting security vulnerabilities, these criminals collect and trade data, combining it with artificial intelligence (AI) to analyze the behavior and psychology of victims.
In reality, current forms of fraud are increasingly diverse but all share a common point: they rely on leaked personal data. Perpetrators often impersonate authorities such as police or prosecutors to exert psychological pressure; or they impersonate banks or financial institutions to request account verification, steal OTP codes, and login information.
In another form, these individuals entice participants with high-interest investment channels, luring them through fake apps or websites. Using data collected from social media or contact lists, they can also impersonate relatives or friends to message them requesting loans or urgent transfers.
The common thread in these scenarios is that they push victims into one of two states: either confusion and fear, or absolute trust. When either of these states reaches a high level, the ability to verify the information is significantly reduced.
The case of Mr. Tran Minh Anh (residing in Tay Hieu ward), who was defrauded of 160 million VND, is a prime example. Just a few "key" pieces of information, such as full name, citizen ID number, and account details, can build initial trust. Even a few matching details can easily undermine vigilance. The core issue isn't the novelty of the scheme, but the thorough exploitation of personal data. When data leaks, anyone can become a target and lose money in minutes.
Why is it that some people recognize the same trick, while others fall for it? What makes many victims unsuspecting despite having heard warnings? This will be clarified in the next installment.
------o0o------
(To be continued)