Naked TikTok challenge exploited by hackers

But wait! It's not what you think...
2 December 2022

This just in: digital consent is as important as physical consent.

A TikTok “Invisible Challenge” hack has caused thousands of users to accidentally download malware. Platforms like TikTok, where media can go viral in an afternoon, are ideal for hackers who want to exploit the instant gratification of a fast-paced social media app to spread a lot of malware with minimal effort and in a short space of time. But this hack creates its own moral maze.

Getting naked on the internet!

The #invisiblefilter on TikTok, which currently has 27.3M views, is a new trend that uses the Invisible Body effect. The filter, which replaces users’ bodies with a blurred contour image, is being used by creators to post videos of themselves naked, while protecting their real body from view.

The comment sections of these videos are frequently full of users asking how to remove the filter – a question that attackers promptly answered.

Now-deleted accounts promoted an app that would remove the Invisible Body filter, available through a Discord server called “Space Unfilter.” Once the server is joined, viewers will see videos of nude women that have supposedly been obtained using the software.

That means that when users receive a private message containing a link to a GitHub repository, they rarely question its legitimacy. In reality, the repository hosts malware containing a file that installs a malicious Python package called “WASP Stealer (Discord Token Grabber).”

The malware steals device passwords and Discord account credentials, and has the potential to take card details and cryptocurrency wallets. Because the malware authors keep relocating the server and software as fast as they are shut down, the threat remains active.

The world’s smallest violin?

The malware presents a huge threat, as proved by the number of users joining the server – but how far do we sympathize with its victims? After all, they join the server specifically with the intention of violating the consent of the Challenge participants to be seen naked.

TikTok’s algorithm prioritizes viral content, but even this is somewhat tailored to the user. Videos using the Invisible Body hashtag will be shown to an audience who’ve proven themselves to be receptive to risqué media, a group of users who will likely have read the comment-section tips on how to view the bodies behind the filter.

Videos promising “unfilter” software will be promoted to the same TikTok accounts – a fact relied upon by the cybercriminals behind the attack.

The ‘victims’ of the TikTok Invisible Challenge hack want to see behind the filter and undress creators who haven’t consented to that (although their curiosity may be encouraged by the post).

This also feels darker than a hormone-fuelled need to see a naked girl at all costs. We needn’t comment on how easy it is to access NSFW content online – girls’ and women’s nudity is commoditized everywhere. Those falling prey to the malware must be at least partially motivated by the power of outwitting the creators using the filter to tease nudity. The power of transgressing the consent of the content creators.

Further, a quick Google search demonstrates that the filter can’t even be removed from a video by the creator after it’s been posted, much less by a third party. So, those falling prey to the scam are probably less tech-savvy than they’d choose to believe. But the idea that someone super-savvy has created a filter removal tool that lets them gawp at naked women who would not in normal circumstances allow them to do so makes them join the server – and fall prey to the malware.

While highlighting how TikTok can be harnessed for dangerous cyberattacks, the TikTok Invisible Challenge hack is also an illustration of the exploitation of human frailty. We might feel better for the victims if they were downloading software that helped save abandoned puppies, for sure, but the malware and its victims are a perfect case in point: humans are always the weakest link in any cybersecurity picture.