
Disney Slack attack wasn’t Russian protesters, just a Cali dude with malware

When someone stole more than a terabyte of data from Disney last year, it was believed to be the work of Russian hacktivists protesting for artist rights. We now know it was actually a 25-year-old California resident.

Ryan Mitchell Kramer has agreed to plead guilty to one count of accessing a computer and obtaining information, and one count of threatening to damage a protected computer, the US Department of Justice said Thursday. The plea agreement could see Kramer facing up to ten years in prison when he’s eventually sentenced.

Last year, a person or group calling itself “Nullbulge” accessed Disney Slack channels, then stole and released 1.1 TB of internal Disney data online in a purported protest against artists not receiving fair compensation for their work. In an email exchange with entertainment news site Variety, Nullbulge claimed to be a hacking group from Russia, and said they had intentionally targeted Disney due to how it handled artist contracts, approached the use of AI, and treated consumers.

“We released the data because we knew making demands would do jack shit,” Nullbulge told Variety in July of last year.

A lie keeps growing until it’s as plain as the nose on your face

The exchange turned out to be nothing but bluster, according to the DoJ, who said Kramer was the responsible party. He didn’t even seem to be targeting Disney.

According to the DoJ, Kramer published a program online that purported to be an AI art generation app, but actually contained malware that gave him remote access to the victim’s computer. An employee of the House of Mouse downloaded the program, allowing Kramer to nab login credentials for various accounts in their name, including their Disney Slack account. From there, he sifted through “thousands” of Slack channels, according to the DoJ, and grabbed all kinds of confidential information, including messages, internal project information, and the personal details of employees.

Per the DoJ, Kramer reached out to the victim via email and Discord with threats and, when he didn’t get a response, proceeded to spill the Disney data online. Kramer also leaked personal information about his victim, including their banking and medical data.

In addition to the Disney victim, Kramer admitted that he accessed the computers and accounts of at least two other victims who downloaded his AI art malware.

While Kramer could spend a decade behind bars for his crimes, Disney employees may end up paying a far greater price for his bad behavior. As we reported last year, the incident prompted the entertainment juggernaut to ditch Slack for Microsoft Teams, much to the dismay of Disney employees. ®
