Europe has an electric bike problem. Direct-to-consumer e-bikes from inexpensive Chinese brands like Engwe and countless others can be easily purchased online despite openly flouting EU restrictions. They feature throttles and powerful motors that can be easily unlocked to far exceed the 25km/h (16mph) legal speed limit — no pedaling required.
Engwe Mapfour N1 Pro e-bike review: the new ‘premium’
Here in Amsterdam, cheap Super73-knockoffs ridden at almost twice the legal speed have made the city’s renowned bicycle lanes increasingly chaotic and dangerous. Across the Netherlands, over 10,000 of these electric “fat bikes” were seized in 2024.
Engwe’s new Mapfour lineup is the company’s attempt at going legit by expanding from souped-up electric fat bikes and foldables into “premium commuter” e-bikes. And because they’re the first e-bikes that Engwe has designed exclusively for European roads, the company swears they can’t be unlocked for more speed.
I’ve been riding the new Mapfour N1 Pro model for the last few weeks. It lists for €1,899 (almost $2,000), or €1,799 during the initial launch — a price that brings heightened expectations.
The N1 Pro is slathered in premium capabilities like GPS/GSM tracking for which some bike makers charge subscriptions. The monocoque frame and fork are made from carbon fiber supplied by Toray — “the same high-quality carbon fiber as Trek and Specialized,” claims Engwe. There’s even turn-by-turn navigation built into the full-featured app, a large colorful display integrated into the handlebars, and a built-in mechanical lock in the rear wheel hub that automatically engages when the bike is turned off and stationary.
My review bike was missing a fender bolt, occasionally flashed a strange error code, and the solar-powered rear light won’t turn on. Still, it’s likely the highest quality electric bike Engwe has ever made.

The Good
- Looks and rides sporty
- Long list of features for price
- Removable battery
- Can’t be speed hacked
The Bad
- Strange error messages
- Servicing parts likely an issue
- Doesn’t support height range claimed
- Can’t be speed hacked
I have lots of experience with assembling direct-to-consumer e-bikes and the N1 Pro was ready to ride in about an hour, which is typical. Even with a carbon-fiber frame it weighs 20.1kg (44lbs) fully assembled according to my scale, which is heavy for an e-bike — just not Veloretti-heavy.

In the box you’ll find a basic toolset that includes everything needed for assembly and instructions written in stellar English unlike some previous Engwe tutorials I’ve read. I had to assemble the pedals, front wheel, kickstand, handlebar, and fenders, and fish out a replacement fender bolt from some spare bicycle parts I had lying around. I then went to adjust the saddle to my height only to discover that I was too tall for the N1 Pro.
The saddle stem has a marked safety line that stops well before the height needed for my 6 foot (183cm) frame, despite being sold in the Netherlands where I’m considered a short king. Nevertheless, exceeding the line by about 2.5cm (one inch) hasn’t made the saddle feel insecure, even when riding over rough cobblestones. Engwe claims the N1 Pro supports riders from 165–190cm, and is considering offering the option for a longer saddle stem at checkout based upon my feedback.
The N1 Pro’s geometry puts the rider into what’s essentially a mountain bike stance: a moderate forward lean with hands spread wide out in front of the body. That wrist and body angle combined with a rather stiff saddle are not ideal for riding long distances, especially in combination with a backpack that’ll put even more weight on the hands and derrière. I do like that fun, sporty posture over short distances, but if you’re looking for a more relaxed ride then Engwe has the upright €1,399 MapFour N1 Air available in both step-over and step-through frames.




The 250W mid-drive Ananda motor on the N1 Pro is nearly silent under the din of road noise, and the integrated torque sensor provides an intuitive pedal-assist at all speeds. It produces up to 80Nm of torque that lets me easily start from a dead stop in fourth gear (of seven) on flat roads, but testing on a hill with a gradient of about 15 percent required a start from first gear. Typically, I only needed to shift to a high gear when I wanted to use my leg power to propel the bike at speeds above the 25km/h motor cutoff.
Despite claiming a range of up to 100km from its modest 360Wh battery, my first test performed over a few weeks yielded just 23km off a full charge in near-freezing conditions. I usually rode in power setting three of five on mostly flat roads. The second test performed on a single warmer day improved the range to 27km with 28 percent charge remaining — or an estimated 36km if I had time to run the battery dry for a below average 10Wh consumed per kilometer travelled. The bike battery seems to suffer from idle battery drain of about 1-2 percent per day when parked inside my house.
Worrisome for a “premium” e-bike: on two occasions I saw an “09” error message flash on the display which Engwe is still diagnosing. Once, while starting the bike after it had been sitting outside in the rain for a few hours. Another time after riding home on a rain-soaked street while switching between the N1 Pro’s regular and high-beam lights. In the first case, a simple reboot cleared it and I was able to ride away fine, but the other time required riding home under my own power before it inexplicably cleared the next morning.
- The bike’s integrated display is readable in all lighting, and shows the remaining battery level, speed, power level, and even distance and direction of next turn if using the navigation built into the useful but overwrought Engwe app.
- I didn’t find Engwe’s turn-by-turn navigation very useful as the guidance presented on the display wasn’t informative or urgent enough for me to make confident decisions when traversing the dense network of crossroads in Amsterdam.
- It has a very loud alarm that can ward off thieves and help locate the e-bike in large parking garages.
- The daytime running lights are fun and help with visibility, but also dorky if you choose the animated options.
- The solar-powered rear light never worked on my review unit.
- Engwe provides a chain guard on shipping units.
- The hydraulic disc brakes from an unspecified vendor provide good controlled stops.
- Includes a 1-year warranty on electrical components, chassis, and battery.
There was a time when premium e-bikes had list prices around €2,000 / $2,000. Those days are as gone as the free venture capital propping up e-bike startups, pushing premium prices up to a starting price closer to €3,000 / $3,000. The Engwe N1 Pro is therefore priced about right. It’s not a bad e-bike, but it’s also not great despite checking off lots of features on a marketing sheet.
Just remember, servicing a direct-to-consumer e-bike can be a problem as it requires the ready availability of spare parts and the knowledge to replace them. As with any electric bike exposed to the elements and regular road use, the N1 Pro’s motor and any proprietary electronics like the controller, display, battery, lights, buttons, and integrated lock will eventually need servicing. So you’d better be on very good terms with your local bike shop or be handy with a wrench and oscilloscope to prevent your mail-order e-bike from quickly turning into e-waste.
Photography by Thomas Ricker / The Verge
Jikipedia turns Epstein’s emails into an encyclopedia of his powerful friends
The folks behind Jmail are at it again with a clone of Wikipedia that turns the treasure trove of data in Epstein’s emails into detailed dossiers on his associates. Entries include known visits to Epstein’s properties, possible knowledge of Epstein’s crimes, and laws that they might have broken. The reports are dense, listing how many emails they exchanged with Epstein, basic biographical information, and details about how they’re connected.
Beyond that, there are entries for the properties Epstein owns, detailing how they were acquired and the alleged activities that took place there. There are also entries for his business dealings, including his relationship with JPMorgan Chase.
It is worth noting that the entries are AI-generated. While a casual glance seems to suggest Jikipedia is citing its sources, it’s still possible (if not likely) that there are some inaccuracies contained within them. The Jmail X account said that they’ll be implementing the ability for users to report inaccuracies and request changes soon.
Android malware hidden in fake antivirus app
If you use an Android phone, this deserves your attention.
Cybersecurity researchers warn that hackers are using Hugging Face, a popular platform for sharing artificial intelligence (AI) tools, to spread dangerous Android malware.
At first, the threat appears harmless because it is disguised as a fake antivirus app. Then, once you install it, criminals gain direct access to your device. Because of this, the threat stands out as especially troubling. It combines two things people already trust — security apps and AI platforms.
Researchers say hackers hid Android malware inside a fake antivirus app that looked legitimate at first glance. (Kurt “CyberGuy” Knutsson)
What Hugging Face is and why it matters
For anyone unfamiliar, Hugging Face is an open platform where developers share AI, NLP and machine learning models. It is widely used by researchers and startups and has become a central hub for AI experimentation. That openness is also what attackers exploited. Because Hugging Face allows public repositories and supports many file types, criminals were able to host malicious code in plain sight.
The fake antivirus app behind the attack
The malware first appeared in an Android app called TrustBastion. On the surface, it looks like a helpful security tool. It promises virus protection, phishing defense and malware blocking. In reality, it does the opposite.
Once installed, TrustBastion immediately claims your phone is infected. It then pressures you to install an update. That update delivers the malicious code. This tactic is known as scareware. It relies on panic and urgency to push users into tapping before thinking.
The fake TrustBastion app mimics a legitimate Google Play update screen to trick users into installing malware. (Bitdefender)
How the malware spreads and adapts
According to Bitdefender, a global cybersecurity company, the campaign centers on a fake Android security app called TrustBastion. Victims were likely shown ads or warnings claiming their device was infected and were instructed to manually install the app.
The attackers hosted TrustBastion’s APK files directly on Hugging Face, placing them inside public datasets that appeared legitimate at first glance. Once installed, the app immediately prompted users to install a required “update,” which delivered the actual malware.
After researchers reported the malicious repository, it was taken down. However, Bitdefender observed that nearly identical repositories quickly reappeared, with small cosmetic changes but the same malicious behavior. That rapid re-creation made the campaign harder to fully shut down.
What this Android malware can actually do
This Trojan is not minor or annoying. It is invasive. Bitdefender says the malware can:
- Take screenshots of your device
- Show fake login screens for financial services
- Capture your lock screen PIN
Once collected, that data is sent to a third-party server. From there, attackers can move quickly to drain accounts or lock you out of your own phone.
What Google says about the threat
Google says users who stick to official app stores are protected. A Google spokesperson told CyberGuy, “Based on our current detection, no apps containing this malware are found on Google Play.
“Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services.
“Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.”
Once installed, the malware could capture screenshots, fake login details and even your lock screen PIN. (Kurt “CyberGuy” Knutsson)
How to stay safe from Hugging Face Android malware
This threat is a reminder that small choices matter. Here is what you should do right now:
1) Stick to trusted app stores
Only download apps from reputable sources like Google Play Store or the Samsung Galaxy Store. These platforms have moderation and scanning in place.
2) Read reviews before installing
Look closely at ratings, download counts and recent comments. Fake security apps often have vague reviews or sudden rating spikes.
3) Use a data removal service
Even careful users can have personal data exposed. A data removal service helps remove your phone number, email and other details from data broker sites that criminals rely on. That reduces follow-up scams, fake security alerts and account takeover attempts.
While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice. They aren’t cheap, and neither is your privacy.
These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you.
Check out my top picks for data removal services and get a free scan to find out if your personal information is already out on the web by visiting Cyberguy.com
4) Run Play Protect and use strong antivirus software
Scan your device regularly with Play Protect and back it up with strong antivirus software for added protection. Google Play Protect, which is built-in malware protection for Android devices, automatically removes known malware. However, it is important to note that Google Play Protect may not be enough. Historically, it hasn’t been 100% effective at removing all known malware from Android devices.
The best way to protect yourself against malicious links that install malware and potentially access your private information is to have strong antivirus software installed on all your devices. This protection can also help you detect phishing emails and ransomware, keeping your personal information and digital assets safe.
Get my picks for the best 2026 antivirus protection winners for your Windows, Mac, Android and iOS devices at Cyberguy.com
5) Avoid sideloading APK files
Avoid installing apps from websites outside the app store. These apps bypass security checks, so always verify the publisher name and URL.
6) Lock down your Google account
Your phone security depends on it. Enable two-step verification (2FA) first, then use a strong, unique password stored in a password manager to prevent account takeovers.
Next, see if your email has been exposed in past breaches. Our No. 1 password manager pick (see Cyberguy.com) includes a built-in breach scanner that checks whether your email address or passwords have appeared in known leaks. If you discover a match, immediately change any reused passwords and secure those accounts with new, unique credentials.
Check out the best expert-reviewed password managers of 2026 at Cyberguy.com
7) Be cautious with permissions
Be cautious with accessibility permissions. Malware often abuses them to take control of your device.
8) Watch app updates closely
Malware can hide inside fake updates. Be cautious of urgent fixes that push you outside the app store.
Kurt’s key takeaways
This attack shows how quickly trust can be weaponized. A platform designed to advance AI research was repurposed as a delivery system for malware. A fake antivirus app became the threat it claimed to stop. Staying safe no longer means avoiding sketchy-looking apps. It means questioning even those apps that appear helpful and professional.
Have you seen something on your phone that made you question its security? Let us know your thoughts by writing to us at Cyberguy.com
Copyright 2026 CyberGuy.com. All rights reserved.
The DJI Romo robovac had security so poor, this man remotely accessed thousands of them
Sammy Azdoufal claims he wasn’t trying to hack every robot vacuum in the world. He just wanted to remote control his brand-new DJI Romo vacuum with a PS5 gamepad, he tells The Verge, because it sounded fun.
But when his homegrown remote control app started talking to DJI’s servers, it wasn’t just one vacuum cleaner that replied. Roughly 7,000 of them, all around the world, began treating Azdoufal like their boss.
He could remotely control them, and look and listen through their live camera feeds, he tells me, saying he tested that out with a friend. He could watch them map out each room of a house, generating a complete 2D floor plan. He could use any robot’s IP address to find its rough location.
“I found my device was just one in an ocean of devices,” he says.
On Tuesday, when he showed me his level of access in a live demo, I couldn’t believe my eyes. Ten, hundreds, thousands of robots reporting for duty, each phoning home MQTT data packets every three seconds to say: their serial number, which rooms they’re cleaning, what they’ve seen, how far they’ve traveled, when they’re returning to the charger, and the obstacles they encountered along the way.
I watched each of these robots slowly pop into existence on a map of the world. Nine minutes after we began, Azdoufal’s laptop had already cataloged 6,700 DJI devices across 24 different countries and collected over 100,000 of their messages. If you add the company’s DJI Power portable power stations, which also phone home to these same servers, Azdoufal had access to over 10,000 devices.

When I say I couldn’t believe my eyes at first, I mean that literally. Azdoufal leads AI strategy at a vacation rental home company; when he told me he reverse engineered DJI’s protocols using Claude Code, I had to wonder whether AI was hallucinating these robots. So I asked my colleague Thomas Ricker, who just finished reviewing the DJI Romo, to pass us its serial number.
With nothing more than that 14-digit number, Azdoufal could not only pull up our robot, he could correctly see it was cleaning the living room and had 80 percent battery life remaining. Within minutes, I watched the robot generate and transmit an accurate floor plan of my colleague’s house, with the correct shape and size of each room, just by typing some digits into a laptop located in a different country.


Separately, Azdoufal pulled up his own DJI Romo’s live video feed, completely bypassing its security PIN, then walked into his living room and waved to the camera while I watched. He also says he shared a limited read-only version of his app with Gonzague Dambricourt, CTO at an IT consulting firm in France; Dambricourt tells me the app let him remotely watch his own DJI Romo’s camera feed before he even paired it.
Azdoufal was able to enable all of this without hacking into DJI’s servers, he claims. “I didn’t infringe any rules, I didn’t bypass, I didn’t crack, brute force, whatever.” He says he simply extracted his own DJI Romo’s private token — the key that tells DJI’s servers that you should have access to your own data — and those servers gave him the data of thousands of other people as well. He shows me that he can access DJI’s pre-production server, as well as the live servers for the US, China, and the EU.

Here’s the good news: On Tuesday, Azdoufal was not able to take our DJI Romo on a joyride through my colleague’s house, see through its camera, or listen through its microphone. DJI had already restricted that form of access after both Azdoufal and I told the company about the vulnerabilities.
And by Wednesday morning, Azdoufal’s scanner no longer had access to any robots, not even his own. It appears that DJI has plugged the gaping hole.
But this incident raises serious questions about DJI’s security and data practices. It will no doubt be used to help retroactively justify fears that led to the Chinese dronemaker getting largely forced out of the US. If Azdoufal could find these robots without even looking for them, will it protect them against people with intent to do harm? If Claude Code can spit out an app that lets you see into someone’s house, what keeps a DJI employee from doing so? And should a robot vacuum cleaner have a microphone? “It’s so weird to have a microphone on a freaking vacuum,” says Azdoufal.
It doesn’t help that when Azdoufal and The Verge contacted DJI about the issue, the company claimed it had fixed the vulnerability when it was actually only partially resolved.
“DJI can confirm the issue was resolved last week and remediation was already underway prior to public disclosure,” reads part of the original statement provided by DJI spokesperson Daisy Kong. We received that statement on Tuesday morning at 12:28PM ET — about half an hour before Azdoufal showed me thousands of robots, including our review unit, reporting for duty.

To be clear, it’s not surprising that a robot vacuum cleaner with a smartphone app would phone home to the cloud. For better or for worse, users currently expect those apps to work outside of their own homes. Unless you’ve built a tunnel into your own home network, that means relaying the data through cloud servers first.
But people who put a camera into their home expect that data to be protected, both in transit and once it reaches the server. Security professionals should know that — but as soon as Azdoufal connected to DJI’s MQTT servers, everything was visible in cleartext. If DJI has merely cut off one particular way into those servers, that may not be enough to protect them if hackers find another way in.
Unfortunately, DJI is far from the only smart home company that’s let people down on security. Hackers took over Ecovacs robot vacuums to chase pets and yell racist slurs in 2024. In 2025, South Korean government agencies reported that Dreame’s X50 Ultra had a flaw that could let hackers view its camera feed in real time, and that another Ecovacs and a Narwal robovac could let hackers view and steal photos from the devices. (Korea’s own Samsung and LG vacuums received high marks, and a Roborock did fine.)
It’s not just vacuums, of course. I still won’t buy a Wyze camera, despite its new security ideas, because that company tried to sweep a remote access vulnerability under the rug instead of warning its customers. I would find it hard to trust Anker’s Eufy after it lied to us about its security, too. But Anker came clean, and sunlight is a good disinfectant.
DJI is not being exceptionally transparent about what happened here, but it did answer almost all our questions. In a new statement to The Verge via spokesperson Daisy Kong, the company now admits “a backend permission validation issue” that could have theoretically let hackers see live video from its vacuums, and it admits that it didn’t fully patch that issue until after we confirmed that issues were still present.
Here’s that whole statement:
DJI identified a vulnerability affecting DJI Home through internal review in late January and initiated remediation immediately. The issue was addressed through two updates, with an initial patch deployed on February 8 and a follow-up update completed on February 10. The fix was deployed automatically, and no user action is required.
The vulnerability involved a backend permission validation issue affecting MQTT-based communication between the device and the server. While this issue created a theoretical potential for unauthorized access to live video of ROMO device, our investigation confirms that actual occurrences were extremely rare. Nearly all identified activity was linked to independent security researchers testing their own devices for reporting purposes, with only a handful of potential exceptions.
The first patch addressed this vulnerability but had not been applied universally across all service nodes. The second patch re-enabled and restarted the remaining service nodes. This has now been fully resolved, and there is no evidence of broader impact. This was not a transmission encryption issue. ROMO device-to-server communication was not transmitted in cleartext and has always been encrypted using TLS. Data associated with ROMO devices, such as those in Europe, is stored on U.S.-based AWS cloud infrastructure.
DJI maintains strong standards for data privacy and security and has established processes for identifying and addressing potential vulnerabilities. The company has invested in industry-standard encryption and operates a longstanding bug bounty program. We have reviewed the findings and recommendations shared by the independent security researchers who contacted us through that program as part of our standard post-remediation process. DJI will continue to implement additional security enhancements as part of its ongoing efforts.
Azdoufal says that even now, DJI hasn’t fixed all the vulnerabilities he’s found. One of them is the ability to view your own DJI Romo video stream without needing its security PIN. Another one is so bad I won’t describe it until DJI has more time to fix it. DJI did not immediately promise to do so.
And both Azdoufal and security researcher Kevin Finisterre tell me it’s not enough for the Romo to send encrypted data to a US server, if anyone inside that server can easily read it afterward. “A server being based in the US in no way, shape, or form prevents .cn DJI employees from access,” Finisterre tells me. That seems evident, as Azdoufal lives in Barcelona and was able to see devices in entirely different regions.
“Once you’re an authenticated client on the MQTT broker, if there are no proper topic-level access controls (ACLs), you can subscribe to wildcard topics (e.g., #) and see all messages from all devices in plaintext at the application layer,” says Azdoufal. “TLS does nothing to prevent this — it only protects the pipe, not what’s inside the pipe from other authorized participants.”
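The missing control Azdoufal describes, topic-level ACLs checked by the broker at subscribe time, can be sketched as follows. This is an added example, not code from DJI, The Verge or Azdoufal; the `devices/<serial>/...` topic layout, the ACL template and the serial numbers are hypothetical and constructed for illustration.

```python
"""Broker-side MQTT subscribe authorization (added example, hypothetical topic layout)."""

# Hypothetical ACL: an authenticated device identity may only use topics
# under its own serial number. "{serial}" is filled in per client.
ACL_TEMPLATES = ["devices/{serial}/#"]

# Constructed sample traffic from three different devices.
SAMPLE_MESSAGES = [
    ("devices/00000000000001/status", "room=living battery=80"),
    ("devices/00000000000002/status", "room=kitchen battery=55"),
    ("devices/00000000000003/map", "floorplan-blob"),
]


def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT filter matching: '+' is one level, '#' is all remaining levels."""
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    for i, f in enumerate(f_levels):
        if f == "#":
            return True  # "a/#" also matches the parent topic "a"
        if i >= len(t_levels):
            return False
        if f != "+" and f != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


def filter_within(requested: str, allowed: str) -> bool:
    """True if every topic matched by `requested` is also matched by `allowed`."""
    req = requested.split("/")
    alw = allowed.split("/")
    for i, a in enumerate(alw):
        if a == "#":
            return True  # allowed covers everything from this level down
        if i >= len(req):
            return False
        r = req[i]
        if r == "#":
            return False  # requested is broader than this allowed level
        if a == "+":
            continue  # any single requested level fits under '+'
        if r != a:  # also rejects a requested '+' against a literal level
            return False
    return len(req) == len(alw)


def authorize_subscribe(serial: str, requested_filter: str) -> bool:
    """Allow a SUBSCRIBE only if the filter stays inside the client's own ACL."""
    if not serial.isalnum():
        return False  # a serial containing '/', '+' or '#' would widen the ACL
    allowed = [t.format(serial=serial) for t in ACL_TEMPLATES]
    return any(filter_within(requested_filter, a) for a in allowed)


def visible_messages(serial, subscription, messages, enforce_acl):
    """Messages one authenticated client receives for one subscription."""
    if enforce_acl and not authorize_subscribe(serial, subscription):
        return []  # broker answers SUBACK with failure code 0x80, delivers nothing
    return [(t, p) for t, p in messages if topic_matches(subscription, t)]


if __name__ == "__main__":
    me = "00000000000001"
    for acl in (False, True):
        for sub in ("#", "devices/+/status", f"devices/{me}/#"):
            seen = visible_messages(me, sub, SAMPLE_MESSAGES, enforce_acl=acl)
            print(f"acl={acl!s:5} sub={sub:28} -> {len(seen)} message(s)")
```

The check compares the requested filter against the allowed pattern rather than testing individual topics, which is what stops a wildcard subscription from being accepted in the first place.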
When I tell Azdoufal that some may judge him for not giving DJI much time to resolve the issues before going public, he notes that he didn’t hack anything, didn’t expose sensitive data, and isn’t a security professional. He says he was simply livetweeting everything that happened while trying to control his robot with a PS5 gamepad.
“Yes, I don’t follow the rules, but people stick to the bug bounty program for money. I fucking don’t care, I just want this fixed,” he says. “Following the rules to the end would probably make this breach happen for a way longer time, I think.”
He doesn’t believe that DJI truly discovered these issues by itself back in January, and he’s annoyed the company only ever responded to him robotically in DMs on X, instead of answering his emails.
But he is happy about one thing: He can indeed control his Romo with a PlayStation or Xbox gamepad.