Do Son 
At the beginning of 2024, a California-based programmer developed a malicious application disguised as an artificial intelligence tool for image generation. Though it was publicly distributed via GitHub and other platforms, the program was, in fact, a vehicle for malware that granted unauthorized access to victims’ devices.
The creator of the malicious software was identified as 25-year-old Ryan Cramer. Once installed on a victim’s computer, his application intercepted stored data, including passwords. One of the victims was a Disney employee, whose device had unknowingly executed the malware. Through it, Cramer gained access to login credentials, including sensitive information stored in the 1Password password manager.
Armed with the stolen credentials, the attacker infiltrated Disney’s internal Slack channels and exfiltrated approximately 1.1 terabytes of confidential data. Thousands of channels were compromised, exposing details of unreleased projects, source code, media files, and internal documentation links.
Subsequently, Cramer attempted to blackmail the Disney employee, posing as a member of a fictitious hacking group known as “NullBulge.” Using Discord and email, he demanded “cooperation,” threatening to release personal and corporate data. After the threats were ignored, a post appeared on the hacking forum BreachForums on July 12, 2024, under the name “NullBulge,” announcing the Disney breach and publishing portions of the stolen data, including personal details of the affected employee.
The message claimed that over one terabyte of files had been leaked from nearly 10,000 Slack channels, encompassing messages, images, code snippets, and internal links. Also exposed were the employee’s banking and medical records, accessed via the compromised credentials.
The U.S. Department of Justice has not disclosed the circumstances of Cramer’s arrest, how his identity was confirmed, or the methods used to link him to the “NullBulge” alias. Nonetheless, Cramer has pleaded guilty to two federal charges: unauthorized access to a protected computer and making threats intended to damage such a system.
Each charge carries a potential sentence of up to five years in prison. Cramer also admitted that at least two other individuals had installed his malware, thereby granting him access to their devices—cases now under investigation by the FBI.
A hearing in Cramer’s case is scheduled to take place in the coming weeks in the U.S. District Court in Los Angeles.
