For years, it was unknown if the online presence "Nullbulge" was a Russia-based group of hackers, an individual "hacktivist," or just a name used to provide cover while committing cybercrimes. After entering into a plea deal with the Justice Department after hacking into computers that allowed him access to, among other things, Disney's Slack account, it appears to be the work of a single person with unclear motives.
On May 1, 2025, Ryan Mitchell Kramer agreed to plead guilty to a pair of federal felony charges for using malware that allowed him to take control of other people's computers. After gaining access to a Disney employee's company Slack account, Kramer released 1.1 terabytes of confidential information he'd stolen online.
Was Kramer a lone hacktivist targeting Disney for their policies towards artists and artificial intelligence (AI), or was he part of a team seeking vengeance for, among other things, the company's termination of Club Penguin in 2017? The only thing certain at this point is that Kramer faces a maximum of five years each for the charges for which he's pleading guilty.
Hack the Planet
Whether Nullbulge is a collective of hackers or just Kramer's online alter ego, it claims to be fighting for the rights of artists against the unlawful encroachment of generative AI (GAI). Insisting that its hacks are "not those of malice," Nullbulge's stated goal is to punish those who are stealing, with special crosshairs aimed at those using GAI to do so.
Nullbulge's primary means of attack seems to be attaching malicious software, or malware, to existing programs. Acting as unwitting Trojan horses, the programs take the malware with them when downloaded, allowing it access to the victim's computer.
According to the Justice Department, in early 2024, Kramer, presenting himself as Nullbulge, posted copies of what appeared to be ComfyUI, a popular interface used with the AI image generator Stable Diffusion, on GitHub, a cloud-based platform popular with developers. This version, however, contained Nullbulge's malware. He also posted tainted versions of a mod for BeamNG, a game about vehicle physics and impacts.
In either April or May of 2024, a Disney manager of software development downloaded a program infected with Kramer's malware to his personal computer. Once granted access, Kramer began gathering confidential data, including years' worth of messaging from Disney's Slack network. This included plans for future releases.
After the employee didn't respond to Kramer's threat to leak the data, Kramer published it online. Framing the hack as a way to protest AI-generated material, expose thefts Disney commits from artists, and extract revenge for the shuttering of a games site called Club Penguin in 2017, Kramer also posted the personal information about the person he'd hacked, known as doxxing. As Nullbulge, Kramer sent a message to the Wall Street Journal stating that Disney had been targeted due to how it handles artists, AI, and its consumers.
Activism, Avarice, or Ego?
Investigators discovered that the Nullbulge malware also compromised crypto wallets and stole personal data. Whether as a collective or just Kramer, Nullbulge had possibly engaged in ransomware in the past, which involves rendering someone's computer or system inoperable until they pay for its release. Some believe the underlying basis of the entire operation was to allow Kramer to raise his status in the hacking community, rather than any sort of intellectual property crusade.
An extensive investigation by the Federal Bureau of Investigation's (FBI) National Cyber Investigative Joint Task Force (NCIJTF) unmasked Kramer as the person behind the breach and subsequent sharing of Disney's confidential data. He has agreed to plead guilty to one count of accessing a computer and obtaining information and one count of threatening to damage a protected computer. Each carries a maximum of five years in federal prison. Kramer is expected to appear in the United States District Court in downtown Los Angeles in either May or June of 2025.
Related Resources
- Identity Theft (FindLaw's Learn About the Law)
- Cyber Crimes (FindLaw's Criminal Charges)
- Hacking Laws and Punishments (FindLaw's Criminal Law)
