Disney Slack attack wasn't Russian protesters, just a Cali dude with malware
(2025/05/02)
- Reference: 1746201835
- News link: https://www.theregister.co.uk/2025/05/02/disney_slack_hacker_revealed_to/
- Source link:
When someone stole more than a terabyte of data from Disney last year, it was believed to be the work of Russian hacktivists protesting for artist rights. We now know it was actually a 25-year-old California resident.
Ryan Mitchell Kramer has agreed to plead guilty to [1]one count of accessing a computer and obtaining information, and one count of threatening to damage a protected computer, the US Department of Justice [2]said Thursday. The [3]plea agreement [PDF] could see Kramer facing up to ten years in prison when he's eventually sentenced.
Last year, a person or group calling itself "Nullbulge" accessed Disney Slack channels, then stole and released 1.1 TB of internal Disney data online in a purported protest against artists not receiving fair compensation for their work. In an email exchange with entertainment news site Variety, Nullbulge [4]claimed to be a cyber-crime ring from Russia, and said they had intentionally targeted Disney due to how it handled artist contracts, approached the use of AI, and treated consumers.
[5]
"We released the data because we knew making demands would do jack shit," Nullbulge told Variety in July of last year.
A lie keeps growing until it's as plain as the nose on your face
The exchange turned out to be nothing but bluster, according to the DoJ, who said Kramer was the responsible party. He didn't even seem to be targeting Disney.
According to the DoJ, Kramer published a program online that purported to be an AI art generation app, but actually contained malware that gave him remote access to the victim's computer. An employee of the House of Mouse downloaded the program, allowing Kramer to nab login credentials for various accounts in their name, including their Disney Slack account. From there, he sifted through "thousands" of Slack channels, according to the DoJ, and grabbed all kinds of confidential information, including messages, internal project information, and the personal details of employees.
[6]Ex-Disney employee gets 3 years in the clink for goofy attacks on mousey menus
[7]Microsoft dials back Bing after users manage to recreate Disney logo in fake AI-generated images
[8]Disney claims agreeing to Disney+ terms waives man's right to sue over wife's death
[9]Proofpoint phishing palaver plagues millions with 'perfectly spoofed' emails from IBM, Nike, Disney, others
Per the DoJ, Kramer reached out to the victim via email and Discord with threats, and when he didn't get a response proceeded to spill the Disney data online. Kramer also leaked personal information about his victim, including their banking and medical data.
In addition to the Disney victim, Kramer admitted that he accessed the computers and accounts of at least two other victims who downloaded his AI art malware.
[10]
While Kramer could spend a decade behind bars for his crimes, Disney employees may end up paying a far greater price for his bad behavior. As we [11]reported last year, the incident prompted the entertainment juggernaut to ditch Slack for Microsoft Teams, much to the dismay of Disney employees. ®
Get our [12]Tech Resources
[1] https://regmedia.co.uk/2025/05/02/usa-v-kramer-charges.pdf
[2] https://www.justice.gov/usao-cdca/pr/santa-clarita-man-agrees-plead-guilty-hacking-disney-employees-computer-downloading
[3] https://regmedia.co.uk/2025/05/02/usa-v-kramer-plea-agreement.pdf
[4] https://variety.com/2024/film/news/disney-hack-data-breach-1236072729/
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aBVAdp7sa6JUvdGChK1aMgAAAEg&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[6] https://www.theregister.com/2025/04/29/former_disney_employee_jailed/
[7] https://www.theregister.com/2023/11/20/ai-in-brief/
[8] https://www.theregister.com/2024/08/15/disney_plus_death_lawsuit_waive/
[9] https://www.theregister.com/2024/07/30/scammers_spoofed_emails/
[10] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aBVAdp7sa6JUvdGChK1aMgAAAEg&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[11] http://theregister.com/2024/09/20/disney_slack_microsoft_teams/
[12] https://whitepapers.theregister.com/
Ryan Mitchell Kramer has agreed to plead guilty to [1]one count of accessing a computer and obtaining information, and one count of threatening to damage a protected computer, the US Department of Justice [2]said Thursday. The [3]plea agreement [PDF] could see Kramer facing up to ten years in prison when he's eventually sentenced.
Last year, a person or group calling itself "Nullbulge" accessed Disney Slack channels, then stole and released 1.1 TB of internal Disney data online in a purported protest against artists not receiving fair compensation for their work. In an email exchange with entertainment news site Variety, Nullbulge [4]claimed to be a cyber-crime ring from Russia, and said they had intentionally targeted Disney due to how it handled artist contracts, approached the use of AI, and treated consumers.
[5]
"We released the data because we knew making demands would do jack shit," Nullbulge told Variety in July of last year.
A lie keeps growing until it's as plain as the nose on your face
The exchange turned out to be nothing but bluster, according to the DoJ, who said Kramer was the responsible party. He didn't even seem to be targeting Disney.
According to the DoJ, Kramer published a program online that purported to be an AI art generation app, but actually contained malware that gave him remote access to the victim's computer. An employee of the House of Mouse downloaded the program, allowing Kramer to nab login credentials for various accounts in their name, including their Disney Slack account. From there, he sifted through "thousands" of Slack channels, according to the DoJ, and grabbed all kinds of confidential information, including messages, internal project information, and the personal details of employees.
[6]Ex-Disney employee gets 3 years in the clink for goofy attacks on mousey menus
[7]Microsoft dials back Bing after users manage to recreate Disney logo in fake AI-generated images
[8]Disney claims agreeing to Disney+ terms waives man's right to sue over wife's death
[9]Proofpoint phishing palaver plagues millions with 'perfectly spoofed' emails from IBM, Nike, Disney, others
Per the DoJ, Kramer reached out to the victim via email and Discord with threats, and when he didn't get a response proceeded to spill the Disney data online. Kramer also leaked personal information about his victim, including their banking and medical data.
In addition to the Disney victim, Kramer admitted that he accessed the computers and accounts of at least two other victims who downloaded his AI art malware.
[10]
While Kramer could spend a decade behind bars for his crimes, Disney employees may end up paying a far greater price for his bad behavior. As we [11]reported last year, the incident prompted the entertainment juggernaut to ditch Slack for Microsoft Teams, much to the dismay of Disney employees. ®
Get our [12]Tech Resources
[1] https://regmedia.co.uk/2025/05/02/usa-v-kramer-charges.pdf
[2] https://www.justice.gov/usao-cdca/pr/santa-clarita-man-agrees-plead-guilty-hacking-disney-employees-computer-downloading
[3] https://regmedia.co.uk/2025/05/02/usa-v-kramer-plea-agreement.pdf
[4] https://variety.com/2024/film/news/disney-hack-data-breach-1236072729/
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aBVAdp7sa6JUvdGChK1aMgAAAEg&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[6] https://www.theregister.com/2025/04/29/former_disney_employee_jailed/
[7] https://www.theregister.com/2023/11/20/ai-in-brief/
[8] https://www.theregister.com/2024/08/15/disney_plus_death_lawsuit_waive/
[9] https://www.theregister.com/2024/07/30/scammers_spoofed_emails/
[10] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aBVAdp7sa6JUvdGChK1aMgAAAEg&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[11] http://theregister.com/2024/09/20/disney_slack_microsoft_teams/
[12] https://whitepapers.theregister.com/
Yet Another Anonymous coward
A protected computer is one that was hacked, an unprotected computer isn't hacked cos it has nothing on it worth hacking
Note to a Hack
cyberdemon
> Nullbulge claimed to be an hacking group from Russia
It's only "an" for a word beginning with H if you don't pronounce the 'H'
E.g. "An 'orrendous cyberattack"
But since Hack and Hacking are never pronounced 'ack or 'acker, you do not need the "an" article.
Re: Note to a Hack
Excused Boots
There's never a sub-editor around when you need one; is there?
Re: Note to a Hack
David 132
You're clearly not a Cockney.
"A" for 'orses, "B" for Mutton, etc etc...
Re: Note to a Hack
Anonymous Coward
Salute !
Grammatik Macht Frei !
Good think his name is not Slavic
martinusher
We allow all sorts in California so its quite likely that our 'acker could have had a Russian or Chinese name. (That would have made them a 'spy'.)
(Can't imagine why anyone would have bothered unless they were working indirectly for MSFT on a project to replace Slack with Teams.)
Anonymous Coward
Attribution is difficult. This is why serious outfits don't do it very much, and usually with other supporting evidence. Companies which are easy to provide attribution should lose any credibility that they have.
"Ryan Mitchell Kramer has agreed to plead guilty to one count of accessing a computer and obtaining information, and one count of threatening to damage a protected computer, the US Department of Justice said Thursday."
Just out of idle curiosity, what is a 'protected computer'?
It does strike me that if said computer is 'protected' then any threats are meaningless and can simply be ignored, or the threats are credible, in which case the computer isn't really protected at all?
Enquiring minds and all that......