California Man Admits Guilt in Disney Data Breach Using Malicious AI

A man from California has pleaded guilty to charges related to hacking a Disney employee by utilizing a deceptive version of a popular open-source AI image generation tool. Ryan Mitchell Kramer, aged 25, faced accusations of accessing a computer illegally and threatening to damage a protected computer, as announced by the U.S. Attorney for the Central District of California.

In a plea agreement, Kramer acknowledged that he published an application on GitHub that was designed for creating AI-generated artwork. However, unbeknownst to users, the application contained harmful code that allowed unauthorized access to the computers of those who downloaded it. Operating under the alias NullBulge, Kramer misled potential users into believing they were using a legitimate tool.

Research conducted by VPNMentor identified the malicious program as ComfyUI_LLMVISION, which falsely claimed to be an extension for the authentic ComfyUI image generator. This fraudulent extension was equipped with functions that could capture passwords, payment card information, and other sensitive data from users' machines. The stolen data was then transmitted to a Discord server controlled by Kramer. To further conceal the malicious nature of the code, it was disguised within files labeled with the names of reputable companies like OpenAI and Anthropic.

In April 2024, a Disney employee downloaded the deceptive ComfyUI_LLMVISION application. Following the installation, Kramer illegally accessed the employee's computer and online accounts, which included private channels on Disney's Slack platform. By May, he had managed to download approximately 1.1 terabytes of confidential data from numerous channels.

Subsequently, in early July, Kramer contacted the employee while posing as a member of a hacktivist group. After receiving no response, he publicly released the stolen data later that month. This data breach not only included proprietary Disney information but also compromised the employee's banking, medical, and personal details.

As part of the plea agreement, Kramer revealed that two additional victims had also downloaded the malicious ComfyUI_LLMVISION, allowing him to gain unauthorized access to their computers and accounts as well. The Federal Bureau of Investigation (FBI) is currently investigating the case, and Kramer is scheduled to appear in court in the coming weeks.