'admin123' opened 50,000 cameras: How brute force bots breached CCTVs, obscene clips sold for Rs 700–4,000; steps to prevent it

Newspoint
RAJKOT: A single factory-set password — “admin123” — and a chain of automated tools turned poorly secured CCTV systems into a lucrative criminal marketplace. Hackers breached the CCTV network at Payal Maternity Hospital in Rajkot and, over nine months, stole at least 50,000 clips from about 80 compromised CCTV dashboards nationwide, then sold the footage on Telegram and other channels for anything between Rs 700 and Rs 4,000 per clip.

Here's a plain‑spoken, step‑by‑step account of how they managed it

The method: An automated, multi-tool assault

Investigators say the operation combined weak credentials, mass scanning, credential extraction tools and automation:

Weak/default credentials opened the door

Many CCTV systems were left on factory-set usernames and passwords such as “admin123”, never changed during installation. That basic lapse allowed attackers to start probing systems at scale.

Mass discovery of targets

The lead hacker, Parit Dhameliya, first used a website called suIP.biz to obtain the public IP addresses of cameras in Gujarat. Those IPs were fed into Masscan, a high‑speed scanner that detects open ports — the network “doors” that allow remote access.

Credential extraction with SWC software

Once open ports or vulnerable devices were found, attackers ran SWC software, a specialized tool that can expose a camera’s ID, password and IP if the system is vulnerable.

Login and remote viewing via legitimate apps

Stolen credentials were then used in DMSS, a legitimate remote‑viewing mobile app, by accused Rohit Sisodiya and others to log into cameras just like authorised users would.

Automation to harvest footage at scale

Hackers did not watch the footage manually. They deployed scripts or bots to log in, download, or stream footage, and then log out — often in a matter of seconds. The primary method used was a brute-force attack, in which hackers use a program or bot to try every possible combination of letters and numbers to unlock access. Investigators recorded over 11,000 successful external sessions between January 2024 and early December 2024, indicating that the assault was highly automated.

Distribution and monetisation

The footage was marketed via teaser uploads to YouTube channels such as “Megha Mbbs” and “cp monda”, and paying customers were directed to private Telegram groups (examples investigators named include “Megha Demos Group” and “labour room”).

Pricing ranged from Rs 700 for access to up to Rs 4,000 for the most sought‑after clips. Alleged organisers named by investigators include Prajwal Teli (identified as an alleged mastermind), Vaibhav Mane, Praj Patil (financial facilitator), Chandraprakash Phoolchand, and others; arrests of core members followed within 39 hours of the FIR.

Location hiding and scale

To mask origins, attackers routed access through VPNs that made sessions appear to originate from cities such as Bucharest and New York. The campaign hit a wide swathe of targets — hospitals, schools, corporate offices, factories, cinema halls and private homes — across 20 states.

The human cost and scale

  • At least 50,000 indecent clips stolen over nine months.
  • About 80 CCTV dashboards compromised nationwide, including Pune, Mumbai, Nashik, Surat, Ahmedabad and Delhi.
  • Illegally obtained clips remained available in Telegram groups until at least June, despite arrests earlier in 2025.
  • Investigators charged perpetrators under sections of the BNS Act and the IT Act, including cyber‑terrorism provisions.

How to stop it: concrete, non‑technical and technical fixes

The breaches exposed predictable weaknesses — and that makes prevention straightforward if implemented.

Immediate (must‑do) steps

  • Change default passwords immediately. Replace factory credentials (e.g., admin/admin, admin123) with strong, unique passwords at setup.
  • Use multi‑factor authentication (MFA) for any remote access where possible — require a password plus a code from a phone for remote logins.
  • Eliminate direct internet access to DVR/NVR/CCTV devices.
  • Don’t expose camera management interfaces to the public internet. If remote access is needed, restrict it to a dedicated corporate VPN or secure management network.
  • Close open ports and block unused services.
  • Use firewalls to prevent unauthorised scanning and access.

Essential cybersecurity steps to protect your CCTV systems

  • Keep firmware and software updated. Regularly install vendor patches — outdated firmware is a common attack vector.
  • Segment networks. Place CCTV systems on a separate network or VLAN, isolated from corporate and guest Wi‑Fi.
  • Use strong, unique admin accounts for each device. Avoid shared default accounts.
  • Monitor logs and look for anomalous sessions. Automated scanning and thousands of short sessions should trigger alerts.
  • Limit third‑party app access. Only use trusted management apps and restrict accounts that can download footage.
  • Educate staff and installers. Installers must change credentials during setup and follow a secure‑by‑default checklist.
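
The log-monitoring step above, as an added example (not from the article or the investigation): a Python check that flags a burst of short sessions from outside the site's own networks on a recorder. The CSV log layout, the internal network ranges and the thresholds are assumptions to adapt to your own DVR/NVR export.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed site policy (hypothetical values): networks allowed to reach the recorders.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.50.0/24")]
MAX_SHORT = timedelta(seconds=30)  # a "log in, pull footage, log out" session
WINDOW = timedelta(minutes=10)     # span in which short sessions are counted
MIN_BURST = 5                      # short sessions inside WINDOW that raise an alert

# Constructed sample export: device,account,source_ip,login,logout
SAMPLE_LOG = """\
nvr-01,admin,192.168.50.20,2024-03-01T09:00:00,2024-03-01T09:42:10
nvr-01,admin,203.0.113.7,2024-03-01T02:00:00,2024-03-01T02:00:08
nvr-01,admin,203.0.113.7,2024-03-01T02:01:30,2024-03-01T02:01:41
nvr-01,admin,203.0.113.7,2024-03-01T02:03:05,2024-03-01T02:03:12
nvr-01,admin,203.0.113.7,2024-03-01T02:04:40,2024-03-01T02:04:49
nvr-01,admin,203.0.113.7,2024-03-01T02:06:15,2024-03-01T02:06:21
nvr-02,viewer,198.51.100.4,2024-03-01T11:00:00,2024-03-01T11:20:00
nvr-02,viewer,198.51.100.9,2024-03-01T03:00:00,2024-03-01T03:00:05
nvr-02,viewer,198.51.100.9,2024-03-01T03:30:00,2024-03-01T03:30:06
"""

def is_external(ip):
    """True when the source address is outside every allowed internal network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def find_bursts(log_text):
    """Return one alert per (device, source IP) with a burst of short external sessions."""
    short = defaultdict(list)
    for line in log_text.strip().splitlines():
        device, account, ip, t_in, t_out = line.split(",")
        start, end = datetime.fromisoformat(t_in), datetime.fromisoformat(t_out)
        if is_external(ip) and end - start <= MAX_SHORT:
            short[(device, ip)].append(start)
    alerts = []
    for (device, ip), starts in sorted(short.items()):
        starts.sort()
        lo = best = 0
        for hi, t in enumerate(starts):  # sliding window over login times
            while t - starts[lo] > WINDOW:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= MIN_BURST:
            alerts.append({"device": device, "source_ip": ip, "sessions_in_window": best})
    return alerts

if __name__ == "__main__":
    for alert in find_bursts(SAMPLE_LOG):
        print(alert)
```

A single long remote-viewing session or an occasional short login stays below the threshold; only the repeated seconds-long pattern is reported.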

Why these steps work

This campaign succeeded because the attackers automated every stage: discovery (suIP.biz + Masscan), compromise (SWC), access (DMSS with stolen credentials), and exfiltration (bots/scripts). Remove the “low‑hanging fruit” — default passwords, open ports, unpatched firmware — and the automated pipeline collapses. Add network segmentation and MFA, and any remaining attack requires far more effort and bespoke capability, which deters mass‑scale theft.

The Rajkot case is not a one‑off — investigators found the same pattern across dozens of institutions. The technical recipe is alarmingly simple: default password → mass scan → credential harvest → automated download → monetise. The counter‑recipe is equally straightforward, but it requires institutions to adopt basic cybersecurity practices at installation and upkeep. Until that becomes standard, cameras intended to protect people will remain tempting targets for those who will exploit them for profit.