Mar 11, 2026
3 min read
DJI will pay Sammy Azdoufal $30,000 after he used Claude Code to accidentally access a network of 7,000 robot vacuum cleaners.
On Valentine's Day, I'm bringing you a story that's making headlines around the world: how a man trying to control a DJI robot vacuum cleaner with a PlayStation gamepad found an entire network of 7,000 remote-controlled DJI robots to look into other people's homes.
DJI to pay $30,000 to man who accidentally hacked 7,000 space slaves
$30,000 to whoever hacked DJI's robot network.
$30,000 for anyone who hacked DJI's robotic network.
To be clear, the man, Sammy Azdoufal, started finding some relative vulnerabilities before DJI showed how penetrating he could be.But it's unclear whether DJI will pay him for his discovery, especially after how it treated security researcher Kevin Finisterre in 2017 — or how quickly DJI can patch additional vulnerabilities discovered by Azdoufal.
Today, we have some answers.
DJI will pay Azdoufal $30,000 for a single discovery, according to an email shared with The Verge, without specifying which discovery he is being paid for.While DJI did not name Azdoufal, it confirmed to Verge that it had “paid” an unnamed security researcher for his work.
DJI also did not disclose which discoveries it is paying for, but said Azdoufal has already addressed an additional vulnerability that may have allowed someone to watch video streams on a DJI Romo without a secure pin."I can confirm that the PIN security monitoring was addressed in late February," DJI spokeswoman Daisy Kong said.
You might ask: What about the vulnerability that looked so bad we refused to cover it in our original story?DJI tells me it's working on that, too: "We've also started updating the entire system. This includes a number of updates, which we expect to be fully implemented within a month."
DJI also published a public blog post today about the DJI Romo's security tightening, crediting "two independent security researchers" for discovering the same issue, while continuing to claim that it discovered the original issue itself.
There, DJI seems to suggest that everything is already with Romo: "We have made updates to address the issue fully."But again, there's no downside, and DJI told The Verge that it could take up to another month.
In the blog post, DJI also said that Romo already has ETSI, EU, and UL certifications for security—which could raise questions about how useful those certifications really are if someone with the Claude Code can access an entire network full of robovacs!—and that it will continue to test, fix, and subject Romo and its app to independent third-party security audits.
DJI writes that it is "committed to deepening our engagement with the security research community, and we will soon introduce new ways for researchers to collaborate and collaborate with us."
