Hacker 'NullBulge' Pledges Guilty to Stealing Disney's Slack Data

A California man who used the alias "NullBulge" has taken a plea deal, pleading guilty to illegally accessing Disney's internal Slack channels and stealing over 1.1 terabytes of internal company data.

Ryan Kramer, a 25-year-old man, created a malicious program in early 2024 that was promoted as an AI image generation tool on GitHub and other platforms. However, the U.S. Department of Justice says this program was actually malware that allowed Kramer to access the computer of those who installed it to steal data and passwords from the device.

According to the Wall Street Journal, one of the people who downloaded the program was a Disney employee, Matthew Van Andel, who executed it on his computer. This gave Kramer access to his device, including the passwords stored in his 1Password password manager.

Using Van Andel's stolen credentials, Kramer gained access to Disney's Slack channels, where he downloaded 1.1TB of corporate data. "By accessing M.V.'s Disney Slack account, defendant gained access to non-public Disney Slack channels, and in or around May 2024, defendant downloaded approximately 1.1 terabytes of confidential data from thousands of Disney Slack channels," reads a plea agreement seen by BleepingComputer.

The Department of Justice says that Kramer then contacted Van Andel, posing as a Russian hacktivist group called "NullBulge," warning that his personal information and Disney's stolen Slack data would be published if he didn't cooperate. After receiving no response, NullBulge posted a message on the BreachForums hacking forum on July 12, 2024, titled "DISNEY INTERNAL SLACK," where he claimed to have breached Disney and leaked the 1.1TB of stolen data, including Van Andel's personal info.

"1.1TiB of data. almost 10,000 channels, every message and file possible, dumped. Unreleased projects, raw images and code, some logins, links to internal api/ web pages, and more! Have fun sifting through it, there is a lot there," reads the forum post.

Kramer has pleaded guilty to one count of accessing a computer and obtaining information and one count of threatening to damage a protected computer. Each charge carries a statutory maximum sentence of five years in federal prison. He has also confirmed that two additional people downloaded his malware, allowing him to gain access to their computers. The FBI is currently investigating these additional people.

His initial court appearance in Los Angeles federal court is expected to be in the coming weeks.

What Happened?

In May 2024, Ryan Kramer created a malicious program that was promoted as an AI image generation tool. However, this program was actually malware that allowed Kramer to access the computer of those who installed it, to steal data and passwords from the device.

One of the people who downloaded the program was Matthew Van Andel, a Disney employee. When Van Andel executed the program on his computer, Kramer gained access to his device, including the passwords stored in his 1Password password manager.

Kramer then used Van Andel's stolen credentials to gain access to Disney's Slack channels and downloaded 1.1TB of corporate data.

What Did Kramer Do Next?

After downloading the stolen data, Kramer contacted Van Andel, posing as a Russian hacktivist group called "NullBulge." He warned that Van Andel's personal information and Disney's stolen Slack data would be published if he didn't cooperate.

However, Van Andel did not respond to Kramer's message. Therefore, NullBulge posted a message on the BreachForums hacking forum on July 12, 2024, titled "DISNEY INTERNAL SLACK," where he claimed to have breached Disney and leaked the 1.1TB of stolen data, including Van Andel's personal info.

What Are the Charges?

Kramer has pleaded guilty to one count of accessing a computer and obtaining information and one count of threatening to damage a protected computer. Each charge carries a statutory maximum sentence of five years in federal prison.

He has also confirmed that two additional people downloaded his malware, allowing him to gain access to their computers. The FBI is currently investigating these additional people.