The cost of trusting AI. This guy learned it the hard way.


Life. Ah, yes. Modern life, to be precise. It is that chaotic, heart-pounding rollercoaster that we all find ourselves strapped onto, with no escape. One moment, you are cruising along and thinking that you’ve got it all figured out, and the next, everything unravels in a flash, leaving you gasping for air and wondering how the hell you got here. It is thrilling, yes, absolutely, but also sometimes a numbing experience because of the brutal reality you are confronted with. And the worst part is that you never see it coming. Just when you think that you are safe, freaking life hits you with a curveball, and you're left trying to piece together the wreckage.

And then there’s this poor guy…

A man, a real man, and not a fictional one. He once lived in blissful ignorance, and is now shredded to pieces by the unfeeling machinery of AI. I am talking about Matthew Van Andel. Former Disney employee, father, and a very decent human being (well, he was before all this).

He downloaded what he thought was a simple AI tool. On GitHub no less. A platform where you would think the stuff on there is safe.

He downloaded the source of a little AI-based image generator. He wanted a dash of creativity in his otherwise mundane life. But little did he know that the tool he was downloading was not some friendly, algorithmic helper, but a ticking time bomb that was ready to destroy his existence. But hey, who doesn’t love a little thrill served up by a random download? We all had our share of playing with P2P networks when we were young, and playing with those networks is like having sex without a prophylactic.

And so, in February, this unsuspecting man made the fateful decision. He clicked. He downloaded. And just like that, his life was torn apart. You know, this wasn’t just any AI that he got. No, no, no. This was an AI image generator that was impregnated with malware. And not the “friendly” kind of malware that gives you a little scare and then fades away after a quick antivirus scan.

Nah. . .

This was the kind of malware that burrows deep, finds your darkest secrets on your PC, and then broadcasts them to the world. And the guy behind it is laughing all the way.

Van Andel, the poor man, would soon learn that this wasn’t some kind of fluke.

It wasn’t a simple glitch.

No, this was an attack.

A planned attack, launched by a hacker going by the chillingly charming name of "Nullbulge", who decided to have some fun at Van Andel's expense. And trust me, "Nullbulge" wasn't about to leave this poor bastard in peace. The hacker had a message for him that he posted on Discord: “I see everything, and I’m about to ruin your life”.

Just a casual Tuesday for some, don’t you agree?

The hacker, who really should have a fan club by now for sheer audacity, reached out to Van Andel via Discord, and not with some random spam.

Oh no, no, no, this was personal.

The hacker mentioned a conversation that Van Andel had with his colleagues on Slack.

Slack?




He got access to his Slack account. That sacred ground of office small talk. But not for Nullbulge. This hacker read all of his conversations. These messages contained chats about projects, company matters, and internal comms. The hacker specifically referenced a conversation that Van Andel had with his colleagues, which alerted him that this wasn’t just a random attack.

And then the threats came.

"Pay up, or you’re going to regret it".

Only this wasn’t a simple scam. Nullbulge wasn’t interested in just stealing a few bucks from Van Andel’s bank account. No, he wanted to destroy him. The hacker threatened to expose Van Andel. And not only his private life. No, he went for the jugular. He threatened to expose Disney’s secrets. He said that every secret Van Andel knew about Disney was about to be spilled onto the internet, all because some guy thought it would be fun to download an AI tool.

The hacker made good on his promise.

Van Andel’s worst nightmare came to life as the hacker poured 1.1 terabytes of data onto the internet.

That’s not a typo.

Terabytes.

Terabytes of personal information, company secrets, and a glimpse into the tragic comedy of corporate life were leaked to the world. Everything from private customer data to Disney’s internal revenue numbers. Oh, and don’t forget Van Andel’s personal info. His credit card details. His social security number. His children’s Roblox logins.

Everything.

Everything.

A hacker's dream come true.

And let’s talk about the blog that Nullbulge posted about his heist. Honestly, it’s an exercise in cyberpunk nihilism. The hacker wasn’t in it just to steal data. No, he was toying with Van Andel. "I tried to hold off until I got deeper in", is what the hacker wrote in his post. "But our inside man got cold feet and kicked us out". Oh, how sweet. How charming. The hacker, who probably spends his days in a darkened basement, hacking, decides to mock the poor guy that he has just ruined. A true sadistic jerk.

Van Andel made some futile attempts to salvage whatever shred of dignity he had left. He immediately reached out to Disney’s cybersecurity team. You know, the team that's supposed to prevent this kind of thing. They told him everything was fine. They couldn’t find anything on his work computer. But of course, the hacker had already struck. The damage was done. No amount of firewalls or antivirus software could undo what had already been unleashed. And it wasn’t the company data alone that had been compromised. Van Andel’s personal life was now an open book. Its pages were scattered across the internet for anyone with a Wi-Fi connection to read.

And here is where it gets even juicier.

It turns out that Van Andel’s password manager, 1Password, was the weak link in the chain.

The hacker didn’t need to be some hacking mastermind to crack the code. No, all he needed was access to Van Andel’s home computer, a keylogging Trojan, and a piece of AI software that acted like a Trojan horse. And once inside, the hacker had unrestricted access. No barriers. No walls. Just complete and utter freedom to pillage the poor guy’s entire existence. I mean, who needs two-factor authentication when you’ve got a hacker with a vendetta?

Eleven days after the attack, Disney did what Disney does best. They cut the cord. Van Andel was fired. Just like that. No compassion. No second chances. He was out, and had to deal with the fallout of a hacked life. And to make matters worse, Disney added a little insult to injury. They claimed that he had accessed pornographic material on his work computer.

Suuuuure. Obviously, that’s the real issue here.

Not the massive data leak. Not the fact that someone just crushed his entire life like a bug under a boot. Let’s make sure we focus on the fact that he might’ve watched some adult content at some point. A real priority for a company that just had its secrets exposed to the world.

Bravo, Disney.

Truly.

You’ve earned the “TTS Irony” award.

That actually is a good idea. . .

Note to self. . . .do something with an award.

And the man whose life had been completely obliterated by a single, stupid decision tried to defend himself. He told the Disney rep on the phone, “I’m the one who got hacked”. But of course, that didn’t matter. He was out. The damage was done. His career was over. His family’s health insurance was gone. He missed out on $200k worth of bonuses. And all-o-that because he clicked on an AI tool that was supposed to help him.

He had no idea what was coming. This wasn’t a grand conspiracy. This wasn’t an epic battle between good and evil. This was just a random act of cyber-terrorism that happened to a guy who trusted technology a little too much.

It could’ve been you and me.

Maybe the guy is already logging your keystrokes, and prying into your personal and business information.

Van Andel’s life was destroyed by something that was supposed to make life easier. Some AI tool. Some image generator. And now? Now he has become a cautionary tale to warn y'all who dare to trust the machines.


What can you do about this?

If you want to defend yourself against this kind of violence, then one of the first things you need to do is make sure that your cybersecurity practices are airtight from the start. It sounds lame, and stale, but things like strong, unique passwords, regular updates to your software, and a good anti-virus program are the main things that reduce the risk of malware making its way into your system. But relying solely on these measures is like leaving your door unlocked and hoping for the best.

So what you need is a multi-layered security approach. One of the most important steps is enabling two-factor authentication on all sensitive accounts. And yes, that includes password managers, email accounts, and work platforms like Slack. So, even if your password is compromised, there’s an additional barrier that can stop a hacker in their tracks. I use my phone for the second authentication. Something that is outside of the computer itself.

It is vital to stay alert for any unusual behavior, such as unexpected system slowdowns or strange pop-ups. Especially the pop-ups. For extra protection, especially against unknown or sophisticated malware, a sandboxing approach works extremely well. A sandbox is an isolated environment where software can run without affecting the rest of your system. This allows you to test and interact with potentially risky files or applications, such as downloaded software.

A sandbox creates a virtual environment that mimics your real operating system, so even if malware is hidden within an application, it can’t access your personal files, passwords, or other sensitive data. Running suspicious files in a sandbox limits their scope and prevents a situation like Van Andel's, where malware gained full access to his system.

There are two free sandbox tools you can use. The first is Cuckoo Sandbox, an open-source malware analysis system that allows for in-depth file behavior monitoring in a controlled environment. It is cool, though it requires technical knowledge to set up. The other option is Sandboxie-Plus, a more user-friendly open-source tool that isolates programs from the rest of your system. It makes it easy to test software safely without much configuration. Both tools help to protect your system because they contain suspicious applications before they can cause damage.

Anyway - you can’t secure your schtuff for the full 100 percent, but try to get as close as possible.

Your life as you know it may depend on it.

Signing off from my 2FA account while clenching my peachy butt cheeks.

Marco




Great reminder for everyone not to get carried away with fancy AI tools and forget basic security principles. MUST read for everybody that loves to play with new tools!

Jürgen Wagner

Expert Director "Intelligence, Analytics & Big Data" at Devoteam | Innovative Tech

1 day ago

This has nothing to do with AI. It is about downloading and using software from untrustworthy sources. The label "AI" may have been the final bait to actually do it, but there are also plenty of smartphone apps and little Windows utilities you should not place on your devices because they contain malware, trojans, backdoors, and what not. In the easiest case, it's just a Bitcoin miner making your mobile glow red. They mask as harmless, silly games and stay installed, get forgotten, but actually run in the background to do their devious work. NEVER trust arbitrary download sources. NEVER operate unknown software on sensitive systems. NEVER run software without virus and malware protection. This is the kind of guy who finds a USB stick and plugs it into his computer to see what's on it. We need widespread Cybersecurity Literacy! Also, please read Articles 20ff of the EU NIS2 Directive. This regulation demands Cybersecurity trainings - at least in the EU.
