A non-password-protected database that contained just under 100k records belonging to GenNomis by AI-NOMIS —was discovered by cybersecurity researcher Jeremiah Fowler, who reported his findings to vpnMentor.
GenNomis by AI-NOMIS is an AI company based in South Korea that provides face swapping and “Nudify” adult content as well as a marketplace where images can be bought or sold
The database was neither password-protected nor encrypted and contained 93,485 images and JSON files—in total 47.8 GB of data. A sample of the exposed records included a slew of pornographic images, some of which appeared to depict AI-generated pictures of ‘very young people’ raising serious ethical and legal concerns.
The database also logged command prompts and links to generated images, offering a rare glimpse into the back-end operations of an AI image generator. Although personally identifiable information (PII) was not found in the records, the exposure of such explicit content underscores the potential for abuse of AI-powered image generation.
“I immediately sent a responsible disclosure notice to GenNomis and AI-NOMIS, and the database was restricted from public access and no longer accessible. I did not receive any reply or acknowledgement to my notice. Although the records belonged to GenNomis by AI-NOMIS, it is not known if the database was owned and managed directly by them or by a third-party contractor. It is also not known how long the database was exposed before I discovered it or if anyone else may have gained access to it. Only an internal forensic audit could identify additional access or potentially suspicious activity,” Fowler explains.
Face Swapping Without Consent
GenNomis lets users generate images from text prompts, create AI personas, swap faces, and produce AI-driven videos. The platform supports over 45 artistic styles, including Realistic, Anime, Cartoon, Vintage, and Cyberpunk and features a marketplace where users can buy and sell AI-generated images. The majority of the exposed images were explicit adult content.
AI image generators that facilitate the creation of pornographic images pose serious risks, especially when they enable face-swapping without consent, and this technology has been linked to cases of extortion, reputation damage, and revenge porn. The rise of “deepfake pornography”—in which AI manipulates images to create realistic yet fabricated explicit content—has also led to growing concerns about privacy violations and criminal exploitation.
An estimated 96% of deepfake content online is pornographic, with 99% of cases involving women who did not consent to their likeness being used. Non-consensual deepfake content is a pressing issue, and global law enforcement agencies have begun cracking down on its creation and distribution.
“It should be noted that the Face Swap folder disappeared before I sent the responsible disclosure notice and was no longer listed in the database. Several days later the websites of both GenNomis and AI-NOMIS went offline and the database was deleted,” said Fowler.
“I am not saying these individuals did not give their consent when using the GenNomis platform, nor am I saying these individuals are at risk of extortion or harassment. I am only providing a real-world risk scenario of the broader landscape of AI-generated explicit images and the potential risks they could pose,” he added.
Law Enforcement Takes Action
Fortunately, he said authorities worldwide are recognizing the dangers posed by AI-generated explicit content. In March 2025, Operation Cumberland—a multi-national law enforcement effort led by Danish authorities and Europol—resulted in 23 arrests for the creation and distribution of AI-generated child sexual abuse material (CSAM). The same month, a US teacher was arrested for using AI to fabricate pornographic images of his students. South Korea has also taken action, sentencing a perpetrator of a deepfake sex crime to ten years in prison in October 2024.
GenNomis claims to prohibit the generation of explicit images of minors and other illegal activities, with policies stating that violations result in account termination and potential legal consequences, but questionable content in the exposed database belies this.
Fowler said he saw AI-generated explicit images of minors and manipulated images of celebrities depicted as children, including Ariana Grande, the Kardashians, Beyoncé, Michelle Obama, and Kristen Stewart. As an ethical researcher, he refrained from downloading or capturing illicit images, adding that this is only the second time in his decade-long career that he has encountered such disturbing content in a publicly exposed database.
Curbing Deepfake Abuse
Cases of sextortion and deepfake manipulation have led to severe consequences for victims, including psychological distress and, in tragic instances, suicide. Fowler encourages individuals who suspect their likeness has been used without consent to report the incident to law enforcement and seek assistance removing the content.
“I imply no wrongdoing by GenNomis, AI-NOMIS, or any contractors, affiliates, or related entities,” Fowler adds. “I do not claim that internal, customer, or user data was ever at imminent risk. The hypothetical data-risk scenarios I have presented in this report are strictly and exclusively for educational purposes and do not reflect, suggest, or imply any actual compromise of data integrity or illegal activities.”
This report, he says, should not be construed as an assessment of, or a commentary on any organization’s specific practices, systems, or security measures, but rather aims to raise awareness of AI-generated content’s ethical and security challenges and encourage responsible AI development.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.