Unmasking NullBulge: Disney’s Hacktivist Boogeyman Was Just One Guy?


The supposed Russian hacktivist collective behind Disney’s biggest breach turned out to be a lone Californian with a GitHub account and a grudge.

A Summer Breach, a Fabricated Persona

In mid-2024, The Walt Disney Company suffered one of its largest internal data leaks in history: over 1.1 terabytes of internal Slack data spilled online. The culprit? A mysterious group calling itself NullBulge, which claimed to be a Russian hacktivist collective fighting against AI-generated content on behalf of artists.

The media ate it up.

NullBulge was positioned as a kind of digital Robin Hood—striking back against Disney’s alleged reliance on AI to churn out content. But by May 2025, that myth crumbled. The group wasn’t a group at all. It was Ryan Mitchell Kramer, a 25-year-old from Santa Clarita, California, who pleaded guilty in court to orchestrating the breach.

LATEST PODCAST | ARTICLE CONTINUES BELOW



Selling the Myth: From Hacktivist to Hoax

NullBulge emerged online in spring 2024, claiming to be a pro-artist resistance movement. Social media posts and messages on hacker forums like BreachForums rallied support, painting the Disney breach as a moral crusade.

Major outlets—including CNN, The Wall Street Journal, and Infosecurity Magazine—ran headlines about Russian cyber threats and “ethical hacktivism.” Some even speculated NullBulge had ties to LockBit, a notorious ransomware group.

But security experts like SentinelLabs weren’t buying it. They flagged inconsistencies from the start: fluent English phrasing, ransom demands, and unsophisticated methods that didn’t match the supposed Russian origin. The so-called group also used ransomware—a tactic at odds with its claimed ideology.


The Real Story: Malware and a Single Mistake

The truth came out in court. Kramer wasn’t a hacktivist. He was a lone operator who crafted malware disguised as an AI art tool and uploaded it to GitHub. One Disney employee—Matthew Van Andel—downloaded the bogus program, giving Kramer access to his machine. From there, Kramer extracted login credentials stored in 1Password—credentials that opened the door to Disney’s internal Slack.

The result: 1.1 terabytes of internal data, from unreleased projects to sensitive HR records, all siphoned and eventually dumped on BreachForums after a failed extortion attempt.


Media Missteps and Missed Red Flags

Coverage of the breach quickly became a cautionary tale. Infosecurity Magazine and SiliconANGLE ran with narratives about insider threats and AI censorship motives. Even Eulerpool quoted researchers like Eric Parker, who correctly theorized that NullBulge might be a solo act.

While some skepticism existed, much of the early press portrayed the breach as a righteous rebellion. The @vxunderground and @H4ckManac accounts on X amplified NullBulge’s theatrical flair—posting cryptic countdowns and threats ahead of the leak. It looked calculated. And it worked.


Ties to LockBit? Maybe. Maybe Not.

Kramer’s malware reportedly used a LockBit builder, which led some, including HackRead, to speculate about deeper ties. But there’s no evidence he ever collaborated with LockBit or other cybercrime syndicates. The use of shared tools—common in hacking circles—was likely just that: opportunistic, not organizational.

Curiously, Kramer also experimented before the Disney breach. His earlier malware-laced mods targeted Stable Diffusion users and AI-themed indie games, suggesting he was testing the waters long before he made headlines.


Disney’s Fallout and the Bigger Lesson

After the breach, Disney quietly transitioned from Slack to Microsoft Teams. Internally, the damage was significant, but the company never fully disclosed the scope of the stolen data. That silence added fuel to media speculation.

Image: Reddit

What’s clear is that a lone actor successfully impersonated a Russian hacktivist cell, manipulated public perception, and exploited a single employee’s mistake to breach one of the most powerful media companies in the world.

And for a while, the world believed it.


Sources:

  • BleepingComputer, “Hacker ‘NullBulge’ pleads guilty to stealing Disney’s Slack data,” May 1, 2025

  • Adgully, “Disney probes data breach by Russian hacktivist group NullBulge,” July 20, 2024

  • Infosecurity Magazine, “Understanding NullBulge, the New AI-Fighting ‘Hacktivist’ Group,” July 17, 2024

  • SentinelOne, “NullBulge | Threat Actor Masquerades as Hacktivist Group Rebelling Against AI,” July 16, 2024

  • Eulerpool, “Hacker group NullBulge publishes internal Disney data,” July 16, 2024

  • HackRead, “Disney’s Internal Slack Breached? NullBulge Leaks 1.1 TiB of Data,” July 13, 2024

  • X posts by @vxunderground and @H4ckManac, July 12, 2024

News compiled and edited by Derek Gibbs and Edgar B. for D/REZZED News from Clownfish TV.


LATEST PODCAST EPISODE


ClownfishTV.com strives to be an apolitical, balanced and based pop culture news outlet. However, our contributors are entitled to their individual opinions. Author opinions expressed in this article do not necessarily reflect the views of our video hosts, other site contributors, site editors, affiliates, sponsors or advertisers. This website contains affiliate links to products. We may receive a commission for purchases made through these links. We disclaim products or services we have received for review purposes, as well as sponsored posts.

Discover a hidden easter egg

Steven Bubbles
Steven Bubbleshttp://clownfishtv.com
"Steven Bubbles" is the pen name used by the current junior editor at Clownfish TV. They are a good little fishy who gathers up news and leads from all over the internet. This little fish runs day-to-day operations on ClownfishTV.com. The true identity of this fish can and does change. In fact, it may be one fishy, or a school of fish, at any given time.

A word from our sponsor

spot_img

read more

explore

other articles

Close Subscribe Card