Disney Slack Hack Suspect Pleads Guilty In Deal With Feds; Could Get 10 Years Behind Bars For 2024 Attack

The Walt Disney Company has breathed a sigh of relief as the hacker behind last year's devastating attack on its internal systems has made a deal with the Department of Justice. Ryan Mitchell Kramer, also known by his alias NullBulge, has agreed to enter a guilty plea over his mid-2024 attack on Disney's systems.

Kramer is facing one count of accessing a computer and obtaining information and one count of threatening to damage a protected computer. As part of the deal, he could be looking at up to 10 years in federal prison, with a maximum of five years on each count. The plea agreement was released by the U.S. Attorney's office for the Central District of California today.

“We are pleased that this individual has been charged and has agreed to plead guilty to federal charges,” Disney said in a statement. “We remain committed to working closely with law enforcement, as we did in this case, to ensure that cybercriminals are brought to justice.”

The Attack: A Look Back at How Kramer Snagged Disney's Confidential Info

In July 2024, Kramer used malicious files created to look like AI-generated art to gain control of an unsuspecting Disney staffer's personal computer. From there, he was able to access the company's internal Slack system and grab approximately 1.1 terabytes of confidential data from thousands of Disney Slack channels.

Kramer also reached out to M.V., a Disney employee, via email and Discord, pretending to be a member of a fake Russia-based hacktivist group called ‘NullBulge.’ He threatened to leak M.V.'s personal information and Disney's Slack data unless they cooperated. Despite the threats, Kramer ultimately released the stolen data on multiple online platforms.

The Consequences: What Can Be Expected for NullBulge

In the plea agreement, prosecutors have listed the severe digital restrictions that Kramer will face if he is sentenced to prison time. These restrictions include limits on his internet and phone use, as well as a ban on accessing certain websites or online platforms.

Assistant U.S. Attorneys Lauren Restrepo and Maxwell Coll led the prosecution, making it clear to Kramer that despite their recommendations, the court cannot guarantee an exact sentence. However, they assured him that any sentence would be at or below the statutory maximum of 10 years in prison.

A Look Back at the Sony Hack of 2014

The case against NullBulge bears some resemblance to the Sony hack of 2014, which had a significant impact on the entertainment industry. In that incident, hackers gained access to sensitive information and threatened to release it unless their demands were met.

What's Next for NullBulge?

Kramer is expected to make an appearance in U.S. District Court in downtown Los Angeles in the coming months. As part of his plea agreement, he will also face additional charges related to the hacking of two other individuals.

In a statement, Disney expressed its commitment to working closely with law enforcement to ensure that cybercriminals like NullBulge are brought to justice. The company has taken steps to improve its cybersecurity measures and protect its employees' sensitive information.