A 25-year-old hacker, identified as Ryan Mitchell Kramer, alias ‘NullBulge,’ has agreed to plead guilty to two felony charges related to hacking the Disney Corporation. The breach occurred through a compromised tool for AI-generated art, specifically targeting users of ComfyUI, a popular graphical interface for the Stable Diffusion AI image generator.
Kramer compromised ComfyUI by embedding a trojan horse in an extension distributed on GitHub. This malicious code allowed him to access the computers of users who installed the compromised extension, including a Disney employee. By gaining access to the employee’s computer, Kramer was able to infiltrate Disney’s Slack channel and download 1.1 terabytes of sensitive data.
In July 2024, Kramer contacted the Disney employee using his NullBulge alias, threatening to leak the personal information he had obtained unless his demands were met. When the employee failed to respond, Kramer followed through on his threat and published the stolen data.
The Department of Justice announced Kramer’s decision to plead guilty to the charges related to the hack. This case highlights the growing threat of cyberattacks targeting AI tools and the potential for significant data breaches through compromised software extensions.