SEOUL, South Korea — South Korean authorities have arrested four people for hacking more than 120,000 internet-connected security cameras in private homes and businesses, using the footage to produce sexually exploitative videos for sale on a foreign website. The National Police Agency announced the arrests on Sunday, revealing that the suspects exploited basic security weaknesses, such as simple default passwords, to access cameras in locations including residences, a pilates studio, a gynecologist's clinic, and karaoke rooms. Police have personally notified victims at 58 identified locations and are working to shut down the overseas website hosting the illegal content.

Scale and Method of the Attack

The cybercrimes unit detailed that the four suspects operated independently and did not conspire. However, the scale of their individual breaches was vast. One unemployed suspect is accused of hacking approximately 63,000 cameras, creating 545 exploitative videos, and selling them for 35 million won (about $24,000) in cryptocurrency. A second suspect, an office worker, allegedly hacked 70,000 cameras, produced 648 videos, and earned about 18 million won.

Police stated that the material from these two suspects alone accounted for roughly 62% of all videos posted in the past year on a specific overseas website dedicated to distributing hacked camera footage. Two other suspects are accused of hacking 15,000 and 136 cameras, respectively, and possessing the footage without distributing it. Authorities have also arrested three individuals within South Korea suspected of purchasing or viewing the illegal material.

A Familiar Vulnerability: Weak Passwords

The investigation found that the primary point of failure was alarmingly simple: weak user passwords. The hacked Internet Protocol (IP) cameras were often protected by basic passcodes, such as repeated characters (e.g., "1111") or simple alphanumeric sequences. IP cameras, a cheaper alternative to traditional CCTV, connect directly to home internet networks and are popular for monitoring children, pets, and home security. Their convenience, however, comes with risk if security is neglected.

"The barriers to performing sophisticated cyberattacks have dropped substantially," noted a recent report from AI company Anthropic, which detailed the growing use of artificial intelligence to automate and scale cyber intrusions. While this specific hack relied on simple password exploitation, it occurs in a global environment where hacking tools are becoming more accessible and automated.

Police Response and Victim Support

In response to the breaches, the National Police Agency is pursuing a multi-pronged strategy. Domestically, they have requested the Korea Communications Standards Commission to block access to the foreign website involved. Internationally, they are cooperating with law enforcement agencies to investigate the site's operator and seek its shutdown.

"For victims, the damage is immense, and it is a serious crime," said Park Woo-hyun, a cyber investigation chief at the National Police Agency. "Viewing and possessing illegally filmed videos are also serious crimes, so we will actively investigate them".

Police are providing direct support to identified victims, offering guidance on securing devices, helping to delete and block illicit content online, and connecting them with state-affiliated support centers for victims of digital sex crimes. They continue to work to identify more individuals whose cameras may have been compromised.

A National Context of Cyber Vulnerabilities

This mass camera hack is not an isolated incident but part of a distressing trend of major data breaches in South Korea. Just days before this announcement, e-commerce giant Coupang—often called the "Amazon of South Korea"—disclosed a data breach potentially affecting 33.7 million customer accounts, a figure representing nearly two-thirds of the country's population.

The widespread hacking of over 120,000 private security cameras occurs within a broader national context of severe cyber vulnerabilities in South Korea. Just days before the camera hack was announced, the country's leading e-commerce platform, Coupang—often referred to as the "Amazon of South Korea"—disclosed a potentially catastrophic data breach.

That incident, which may affect approximately 33.7 million customer accounts, represents one of the largest leaks in the nation's history, impacting nearly two-thirds of the population. This pattern is deeply concerning: earlier in the year, telecommunications giant SK Telecom was fined nearly $100 million for a breach affecting more than 20 million subscribers, and financial service provider Lotte Card suffered a leak of data on roughly 3 million customers following a cyberattack.

This series of high-profile failures has ignited intense criticism from media and government officials, who argue that corporate investment in cybersecurity remains woefully inadequate. An editorial in a major national newspaper labeled the Coupang breach as "preposterous," while the Governor of the Financial Supervisory Service explicitly criticized the overall level of security spending in the country.

The camera hack, while uniquely invasive in its targeting of private homes, is therefore part of a distressing trend of major data security failures shaking public trust.

Prevention in an Insecure Era

The police agency's primary advice for preventing such crimes is straightforward but essential. They urge all users of IP cameras and connected devices to immediately change default passwords to strong, unique alternatives combining letters, numbers, and symbols. They further recommend changing these passwords regularly—at least once every six months—and ensuring the camera's firmware is kept up to date.

For a broader perspective, security experts warn that both individual vigilance and systemic corporate responsibility are required. "South Korea has seen a consistent rise in cyber incidents each year, with 2025 projected to record the highest number of attacks to date," said Vitaly Kamluk, founder of cybersecurity firm TitanHex.

As authorities continue their investigation and victim support efforts, this case serves as a stark, invasive reminder of the tangible privacy dangers in an increasingly connected world. It underscores the critical need for robust digital hygiene at the user level and much stronger data protection frameworks at the corporate and national levels.