
Man Who Hacked Disney With Malicious AI Tool Pleads Guilty


A 25-year-old hacker has agreed to plead guilty to hacking the Disney Corporation by compromising a tool for generating AI art. According to a Department of Justice press release, the hacker, Ryan Mitchell Kramer, aka “NullBulge,” will admit to two felony charges related to the offense.

As we reported last year, NullBulge specifically targeted AI users by compromising ComfyUI, a very popular graphical user interface for the open-weights AI image generator Stable Diffusion that’s distributed on GitHub. The extension contained a trojan horse that allowed Kramer to access the computer of whoever used it, including one Disney employee.

By leveraging access to that employee’s computer, Kramer was able to access the company’s Slack and download 1.1 terabytes of data. Kramer pinged the employee in July of 2024 and, using the alias NullBulge, threatened to leak all the personal information in the data he obtained from Disney. The employee didn’t respond and Kramer followed through with the threat and published the information.

At the time, NullBulge said he targeted ComfyUI as an ideological protest against AI-generated art. “AI-generated artwork is detrimental to the creative industry and should be discouraged,” the hacker said on the GitHub for the ComfyUI extension. “Maybe check us out, and maybe think twice about releasing ai tools on such a weakly secured account.”

According to security researchers at vpnMentor, NullBulge’s version of the ComfyUI extension compromised crypto wallets, flooded users’ systems with malware, and stole their personal data. Researchers at SentinelOne dug a little more into the persona and uncovered a long history of NullBulge making money from hacking.

Kramer’s current plea deal is related only to the Disney hack. He’s been charged with two felony counts, according to the Department of Justice: “one count of accessing a computer and obtaining information and one count of threatening to damage a protected computer.” Each charge carries a maximum sentence of five years in federal prison.

Kramer’s legal troubles might not be over. “Kramer admitted in his plea agreement that, in addition to the victim, at least two other victims downloaded Kramer’s malicious file, and that Kramer was able to gain unauthorized access to their computers and accounts,” the Department of Justice said in its press release. “The FBI is investigating this matter.”

Published by
storshop.dk@gmail.com
