A large-scale cybercrime investigation in South Korea has revealed the compromise of more than 120,000 IP surveillance cameras installed in private homes, businesses, and medical facilities. The case demonstrates how unchanged default passwords on internet-connected cameras can quickly turn everyday security systems into powerful tools for covert surveillance and privacy abuse.
Scale of the IP camera breach and how the attackers operated
According to the National Police Agency of South Korea, four individuals have been detained on suspicion of systematically hacking IP cameras across the country. Investigators attribute the bulk of the intrusions to two primary suspects: one is believed to have compromised around 63,000 devices, while the other allegedly gained unauthorized access to approximately 70,000 cameras.
The remaining two suspects, described as either self-employed or unemployed, are thought to have hacked an additional 15,000 cameras and 136 cameras respectively. Although the technical methods used were relatively simple, the combined scale of the breach highlights how quickly weakly protected devices can be enumerated and taken over once attackers automate the process.
Targeting medical facilities and highly sensitive locations
Investigators stated that at least two of the suspects deliberately focused on medical institutions, including examination rooms such as gynecology clinics. Stolen video fragments were allegedly compiled into pornographic content and sold through an anonymized online platform referred to by police as “Site C”.
This aspect of the case underscores a critical risk: CCTV and IP cameras deployed in hospitals, clinics, care facilities, and other sensitive environments can expose extremely private moments if they are accessible from the public internet and not properly secured.
Monetization of hacked CCTV streams and buyer liability
Police report that the two main suspects did not merely access the cameras but turned the operation into a stable revenue stream. One reportedly earned about 35 million won (roughly USD 23,800), while the other generated around 18 million won (approximately USD 12,200) by selling either live access to camera feeds or edited video compilations.
Law enforcement has also detained three buyers who allegedly purchased the illicit recordings. This sends a clear legal signal: in many jurisdictions, those who knowingly buy, distribute, or consume illegally obtained surveillance footage can face criminal charges alongside the original intruders. Demand for such content directly fuels these operations.
Root cause: default and weak passwords on IP cameras
South Korean police emphasized that the majority of intrusions exploited default or extremely weak passwords left unchanged after installation. Many IP cameras ship with pre-set administrator credentials such as “admin/admin” or known vendor-specific defaults that are publicly documented in manuals, user forums, or online databases.
Attackers typically use automated tools to scan the internet for exposed devices and then perform credential stuffing or simple password guessing. This does not require advanced exploits or deep expertise: a basic understanding of networking combined with freely available software is often sufficient. Similar weaknesses have previously enabled large-scale botnets made of IoT devices and numerous incidents involving baby monitors, home cameras, and smart doorbells.
Law enforcement response and on-site security checks
Park Woo-hyun, head of the Cyber Investigation Division at the National Police Agency, noted that crimes involving IP cameras inflict serious psychological and reputational harm on victims. Authorities intend to intensify both enforcement and preventive efforts to curb similar attacks.
As part of the investigation, officers visited 58 locations where cameras were confirmed to have been compromised. Device owners were notified about the breaches and received guidance on strengthening security settings, including changing passwords and reviewing remote access configurations. Formal charges against the suspects are still pending as the investigation continues.
What the South Korean IP camera hack reveals about IoT security
The incident illustrates a broader systemic issue: many users treat IP cameras as simple household appliances rather than networked computers that require ongoing security management. Yet these devices often have direct visual access to homes, workplaces, medical procedures, and critical infrastructure – and many are reachable from the public internet with minimal protection.
Practical cybersecurity best practices for IP cameras and IoT devices
Security professionals consistently recommend a set of baseline controls that dramatically reduce the risk of similar attacks:
- Change default credentials immediately on every IP camera and IoT device, including both username and password.
- Use strong, unique passwords of at least 12–14 characters, combining letters, numbers, and special symbols, and avoid reusing them across systems.
- Keep firmware and software updated so that known vulnerabilities are patched promptly.
- Limit remote access by placing cameras behind firewalls, using VPNs for remote viewing, and disabling direct internet exposure unless absolutely necessary.
- Enable multi-factor authentication (MFA) wherever the camera platform or cloud service supports it.
- Segment the network so that cameras and IoT devices are isolated from critical business systems and personal computers.
The compromise of more than 120,000 IP cameras in South Korea demonstrates that low-effort attacks can still produce high-impact privacy violations when basic security hygiene is ignored. As the number of connected devices continues to grow worldwide, organizations, healthcare providers, and homeowners should treat camera security with the same seriousness as physical locks and alarm systems: reviewing configurations regularly, changing passwords, and applying updates are minimal yet essential steps to prevent unauthorized surveillance and protect digital and physical privacy.
