Ransomware hackers threaten to feed stolen art to AI companies

Alfonso Maruccia

Posts: 2,587   +973
Staff
In context: Criminal organizations running ransomware operations are experimenting with new scare tactics to pressure victims into paying. Now, one particular group has taken it a step further, targeting AI training as a potential threat when it comes to commissioned artwork.

The Artists&Clients website was recently compromised by the LunaLock ransomware group, putting users at risk of a significant privacy breach if the company does not pay the ransom. Even more concerning, the criminals warned that the stolen content could be sold directly to "AI companies" for training large language models.

Artists&Clients presents itself as a platform where human artists can connect with potential clients and manage commissions, but explicitly excludes AI involvement. The site was hacked around August 30, when a threatening message appeared on its homepage.

The message confirmed that all files had been encrypted and the site breached, a standard tactic for ransomware attacks. The criminals demanded a payment in Bitcoin or Monero, starting at $50,000. They promised that, once paid, the data would be deleted and the files decrypted.

If the ransom is not paid, the criminals vow to leak the files and personal data. This could result in privacy violations and potential GDPR breaches in the EU. Additionally, the LunaLock gang explicitly claims that all the artwork stored on Artists&Clients' servers will be submitted to AI companies' training datasets.

LunaLock has not detailed how this submission would occur. In practice, the criminals could simply place an open database online, leaving it vulnerable to AI crawlers. According to security researcher Tammy Harper, this is the first known instance of a ransomware group explicitly using AI training as a threat to extort victims.

The Artists&Clients website is currently offline, and users are understandably concerned about the potential consequences of the breach. Hackers could have access to artwork, client messages, and even payment information. So far, the platform has issued no official statement regarding the incident. Harper noted that LunaLock's scare tactic could be particularly effective on creators, many of whom are strongly opposed to their work being used for AI training without compensation.

Permalink to story:

 
"Additionally, the LunaLock gang explicitly claims that all the artwork stored on Artists&Clients' servers will be submitted to AI companies' training datasets."

Why would hackers "gift" stolen artwork to companies, for "training data"?

One of two things is happening here. Either A) these hackers are working for companies looking for AI training data and this is simply a front to distract from that fact or B) these hackers are grey hats. Up to now, there was no way to hold AI companies responsible for the stolen data used in their LLMs, because there was never a way to prove that the data was actually stolen. Simply by mass aggregating information, it's almost impossible to separate the legally-acquired assets from the ill-gotten gains, thereby allowing AI companies to feign ignorance.

If a hacker group attempts to a give an AI company a massive dataset of stolen artwork, then the company will have to legally refuse to accept it. If they take it, they will be implicitly admitting that at least some portion of their training data is stolen. That would set a precedent that "some companies ingest stolen data", which will taint the idea that no training set has ever used stolen data, which was the assumption, thus far―not because it's true, but because it couldn't be proven otherwise.

On the other hand, if it turns out that these hackers are working for AI companies (plural), then that could indict every company currently trying to build its own AI models in a RICO case. Let's be real: these companies have to ingest petabytes (1,000 TB or 1,000,000 GB) of data, for their model to work. What are the odds that even 1% of that data was paid for? Probably "next to nothing", would be my guess. You'd have to contact each and every single author (or group) of a work or works, enter into a licensing agreement acceptable to all parties, and then provide payouts for a set period of time or give a lump sum. AI companies don't even have to conspire with each other, for a case like this to be brought against them. It just has to be proven that the very basis of their business model requires theft, to even entertain profitability. They would pay far more in royalties, then they could ever hope to make, in subscription fees, if everything was "above board".

In a cruel world such as this, I kind of hope it's option B. Nobody should have to have their life's work stolen, but someone needs to sacrifice, if we are going to prevent these digital monstrosities from rendering human effort worthless.
 
Last edited:
Back