South Korean law enforcement has arrested four suspects linked to the breach of approximately 120 000 IP cameras installed in private homes and commercial spaces — including karaoke lounges, pilates studios, and a gynecology clinic. Two of the hackers sold sexually explicit footage from the cameras through a foreign adult website. In this post, we explain what IP cameras are, and where their vulnerabilities lie. We also dive into the details of the South Korea incident and share practical advice on how to avoid becoming a target for attackers hunting for intimate video content.

How do IP cameras work?

An IP camera is a video camera connected to the internet via the Internet Protocol (IP), which lets you view its feed remotely on a smartphone or computer. Unlike traditional CCTV surveillance systems, these cameras don’t require a local surveillance hub — like you see in the movies — or even a dedicated computer to be plugged into. An IP camera streams video directly in real time to any device that connects to it over the internet. Most of today’s IP camera manufacturers also offer optional cloud storage plans, letting you access recorded footage from anywhere in the world.

In recent years, IP cameras have surged in popularity to become ubiquitous, serving a wide range of purposes — from monitoring kids and pets at home to securing warehouses, offices, short-term rental apartments (often illegally), and small businesses. Basic models can be picked up online for as little as US$25–40.

You can find a Full HD IP camera on an online marketplace for under US$25 — affordable prices have made them incredibly popular for both home and small business use

One of the defining features of IP cameras is that they’re originally designed for remote access. The camera connects to the internet and silently accepts incoming connections — ready to stream video to anyone who knows its address and has the password. And this leads to two common problems with these devices.

1. Default passwords. IP camera owners often keep the simple default usernames and passwords that come preconfigured on the device.
2. Vulnerabilities in outdated software. Software updates for cameras often require manual intervention: you need to log in to the administration interface, check for an update, and install it yourself. Many users simply skip this altogether. Worse, updates might not even exist — many camera vendors ignore security and drop support right after the sale.

What happened in South Korea?

Let’s rewind to what unfolded this fall in South Korea. Law-enforcement authorities reported a breach of roughly 120 000 IP cameras, and the arrest of four suspects in connection with the attacks. Here’s what we know about each of them.

• Suspect 1, unemployed, hacked approximately 63 000 IP cameras, producing and later selling 545 sexually explicit videos for a total of 35 million South Korean won, or just under US$24 000.
• Suspect 2, an office worker, compromised around 70 000 IP cameras and sold 648 illicit sexual videos for 18 million won (about US$12 000).
• Suspect 3, self-employed, hacked 15 000 IP cameras and created illegal content, including footage involving minors. So far, there’s no information suggesting this individual sold any material.
• Suspect 4, an office worker, appears to have breached only 136 IP cameras, and isn’t accused of producing or selling illegal content.

The astute reader may have noticed the numbers don’t quite add up — the figures above totaling well over 120 000. South Korean law enforcement hasn’t provided a clear explanation for this discrepancy. Journalists speculate that some of the devices may have been compromised by multiple attackers.

The investigation has revealed that only two of the accused actually sold the sexual content they’d stolen. However, the scale of their operation is staggering. Last year, the website hosting voyeurism and sexual exploitation content — which both perpetrators used to sell their videos — received 62% of its uploads from just these two individuals. In essence, this video enthusiast duo supplied the majority of the platform’s illegal content. It’s also been reported that three buyers of these videos were detained.

South Korean investigators were able to identify 58 specific locations of the hacked cameras. They’ve notified the victims and provided guidance on changing the passwords to secure their IP cameras. This suggests — although the investigators haven’t disclosed any details about the method of compromise — that the attackers used brute-forcing to crack the cameras’ simple passwords.

Another possibility is that the camera owners, as is often the case, simply never changed the default usernames and passwords. These default credentials are frequently widely known, so it’s entirely plausible that to gain access the attackers only needed to know the camera’s IP address and try a handful of common username and password combinations.

How to avoid becoming a victim of voyeur hackers

The takeaways from this whole South Korean dorama drama are straight from our playbook:

• Always replace the factory-set credentials with your own logins and passwords.
• Never use weak or common passwords — even for seemingly harmless accounts or gadgets. You don’t have to work at the Louvre to be a target. You never know which credentials attackers will try to crack, or where that initial breach might lead them.
• Always set unique passwords. If you reuse passwords, a single data leak from one service can put all your other accounts at risk.

These rules are universal: they apply just as much to your social media and banking accounts as they do to your robot vacuums, IP cameras, and every other smart device in your home.

To keep all those unique passwords organized without losing your mind, we strongly recommend a reliable password manager. Kaspersky Password Manager can both store all your credentials securely and generate truly random, complex, and uncrackable passwords for you. With it, you can be confident that no one will guess the passwords to your accounts or devices. Plus, it helps you generate one-time codes for two-factor authentication, save and autofill passkeys, and sync your sensitive data — not just logins and passwords, but also bank card details, documents, and even private photos — in encrypted form across all your devices.

Wondering if a hidden camera is filming you? Read more in our posts:

• Webcam stalking: fact or fiction?
• Airbnb security: tips for safe travel
• Four ways to find spy cameras
• Lumos: IoT device detection system
• IP camera security: the bad, the ugly, and the evil

News outlets recently reported that a threat actor was spreading an infostealer through free 3D model files for the Blender software. This is troubling enough on its own, but it highlights an even more serious problem: the business threat posed by free open source programs, uncontrolled by corporate infosec teams. And the danger comes not from vulnerabilities in the software, but from its very own standard features.

Why Blender and 3D model marketplaces pose a risk

Blender is a 3D graphics and animation suite used by visualization professionals across various industries. The software is free and open-source, and offers extensive functionality. Among Blender’s capabilities is support for executing Python scripts, which are used to automate tasks and add new features.

The package allows users to import external files from specialized marketplaces like CGTrader or Sketchfab. These platforms host both paid and free 3D models by artists and studios. Any of these model files potentially contain Python scripts.

This creates a concerning scenario: marketplaces where files can be uploaded by any user and may not be scanned for malicious content, combined with software that has an Auto Run Python Scripts feature. It allows files to automatically execute embedded Python scripts immediately upon opening — essentially running arbitrary code on the user’s computer in unattended mode.

How the StealC V2 infostealer spread via Blender files

The attackers posted free 3D models with the .blend file name extension on the popular CGTrader platform. These files contained a malicious Python script. If the user had the Auto Run Python Scripts feature enabled, downloading and opening the file in Blender triggered the script. It then established a connection to a remote server and downloaded a malware loader from the Cloudflare Workers domain.

The loader executed a PowerShell script, which in turn downloaded additional malicious payloads from the attackers’ servers. Ultimately, the victim’s computer was infected with the StealC infostealer, enabling the attackers to:

• Extract data from over 23 browsers.
• Harvest information from more than 100 browser extensions and 15 crypto wallet applications.
• Steal data from Telegram, Discord, Tox, Pidgin, ProtonVPN, OpenVPN, and email clients like Thunderbird.
• Use a User Account Control (UAC) bypass.

The danger of unmonitored work tools

The problem isn’t Blender itself — threat actors will inevitably try to exploit automation features in any popular software. Most end-users don’t consider the risks of enabling common automation features, nor do they typically dive deep into how these features work or how they could be exploited.

The core issue is that security teams aren’t always familiar with the capabilities of specialized tools used by various departments. They simply don’t account for this vector in their threat models.

How to avoid becoming a victim

If your company uses Blender, the first step is to disable the automatic execution of Python scripts (Auto Run Python Scripts feature). Here’s how to do it according to official documentation.

How to disable the automatic execution of Python scripts in Blender. Source

Furthermore, to prevent the sudden spread of threats via work tools, we recommend that corporate security teams:

• Prohibit the use of tools and extensions that haven’t been approved by the security team.
• Thoroughly vet permitted software, and assess risks before implementing any new services or platforms.
• Regularly train employees to recognize the risks associated with installing unknown software and using dangerous features. You can automate security awareness training with the Kaspersky Automated Security Awareness Platform.
• Enforce the use of secure configurations for all work tools.
• Protect all company-issued devices with modern security solutions.