
Last year, a hacker used a fake AI tool and a password to access Disney’s Slack channel. Now, he’s pleading guilty.
What happened
A California man using the alias “NullBulge” has pleaded guilty to hacking Disney’s internal Slack channels and stealing over a terabyte of confidential company data. The U.S. Department of Justice identified the hacker as 25-year-old Ryan Kramer, who developed and distributed malware disguised as an AI image generation tool in early 2024. Once installed, the program gave Kramer remote access to victims' devices, enabling him to harvest credentials and sensitive data.
Going deeper
One of the victims, Disney employee Matthew Van Andel, unknowingly ran Kramer’s malware on his device. This gave Kramer access to Van Andel’s saved credentials, including those in his 1Password vault. Using the stolen login details, Kramer infiltrated Disney’s internal Slack workspace and downloaded approximately 1.1TB of corporate communications, files, and proprietary content from nearly 10,000 channels.
Kramer later contacted Van Andel while impersonating a Russian hacktivist group named “NullBulge.” He issued threats demanding cooperation, warning that Disney’s data and Van Andel’s personal information would be released online. When Van Andel didn’t respond, Kramer followed through, posting a message on BreachForums on July 12, 2024, announcing the breach and releasing the stolen material, including sensitive details about unreleased projects, internal APIs, logins, and Van Andel’s financial and medical information.
What was said
Court documents quoted Kramer’s July 8, 2024, message to Van Andel: “We will drop our data publicly and loudly without so much as a warning.” Another email sent just before the leak warned, “Do what we want, or end up on the net… Your choice.”
The DOJ confirmed that Kramer has pleaded guilty to one count of unauthorized access to a computer and one count of threatening to damage a protected system, each charge carrying a maximum five-year sentence. He also admitted that at least two other victims had downloaded his malware, and the FBI is continuing to investigate those cases.
The big picture
The breach shows how a single compromised employee can lead to the exposure of massive volumes of corporate data, especially through platforms like Slack. It points to the growing risk of social engineering attacks disguised as legitimate tools, along with a trend of hackers using public forums and extortion to maximize impact. Kramer’s guilty plea adds to the pressure on U.S. authorities to take stronger action against cyber extortion, even when attackers pose as foreign hacktivist groups.
FAQs
How was the malware distributed to victims?
The malware was promoted on platforms like GitHub as an AI image generation tool, enticing users to download and run it under false pretenses.
Why is Slack a common target for corporate breaches?
Slack often contains unstructured but sensitive data, like internal discussions, files, credentials, and project links, making it a goldmine for attackers once accessed.
What can companies do to prevent similar breaches?
Implement stricter endpoint security, monitor credential use, restrict third-party app downloads, and educate employees about social engineering risks.
How do cybercriminals use public forums like BreachForums?
They use these forums to publicize breaches, release stolen data, and increase pressure on victims through public exposure or extortion threats.
Is impersonating foreign hacktivist groups a common tactic?
Yes, cybercriminals sometimes pose as foreign actors to mislead investigators, obscure their identity, or exploit geopolitical tensions to gain an added advantage.