A 25-year old hacker has agreed to plead guilty to hacking the Disney Corporation by compromising a tool for AI-generating art. According to a Department of Justice press release, the hacker, Ryan Mitchell Kramer—aka “NullBulge”— will admit to two felony charges related to the offense.
As we reported last year, NullBulge specifically targeted AI users by compromising ComfyUI, a very popular graphical user interface for the open-weights AI image generator Stable Diffusion that’s distributed on Github. The extension contained a trojan horse that allowed Kramer to access the computer of whoever used it, including one Disney employee.
By leveraging access to that employee’s computer, Kramer was able to access the company’s Slack and download 1.1 terabytes of data. Kramer pinged the employee in July of 2024 and, using the alias NullBulge, threatened to leak all the personal information in the data he obtained from Disney. The employee didn’t respond and Kramer followed through with the threat and published the information.