Disney Hacker Who Leaked Internal Data Using a Hacktivist Ruse Pleads Guilty

Read also: Global DDoS-for-hire crackdown results in four arrests, domain seizure, a Nefilim affiliate extradited to the US from Spain, and more.


Thursday, May 8, 2025

Disney hacker who leaked internal data using a hacktivist ruse pleads guilty

A 25-year-old man from California has pleaded guilty to hacking into The Walt Disney Company’s internal systems and leaking over a terabyte of sensitive data. Ryan Mitchell Kramer admitted to two felony charges—unauthorized access to a protected computer and threatening to damage a protected system—each carrying a maximum sentence of five years in prison.

According to prosecutors, Kramer orchestrated the 2024 cyberattack on Disney while posing as a member of a supposed Russian-based hacktivist group called “NullBulge.” The group had publicly claimed responsibility for stealing 1.1 terabytes of internal Slack messages, unreleased project data, login credentials, and source code, all allegedly to support “artists’ rights.”

Kramer tricked a Disney employee into downloading malware disguised as a tool for generating AI art. When the victim downloaded the fake tool on a personal device, Kramer used access credentials linked to the company’s Slack system to infiltrate thousands of internal Slack channels and steal a massive trove of corporate data. When extortion attempts failed, Kramer published the stolen files online along with the employee’s private medical, financial, and personal details.

In addition to the Disney breach, Kramer admitted to compromising the accounts of at least two other unnamed victims.

Polish authorities arrest four in global DDoS-for-hire crackdown

Polish authorities have arrested four individuals accused of running a global DDoS-for-hire operation. The suspects allegedly operated six websites that enabled users to launch thousands of distributed denial-of-service (DDoS) attacks worldwide.

As part of the coordinated operation, involving law enforcement agencies from Poland, the United States, the Netherlands, and the United Kingdom, authorities seized nine internet domains connected to the illegal platforms, effectively shutting down access to the services. In a related effort, Dutch authorities launched decoy booter websites that served as traps, warning users and gathering intelligence. Information collected from the fake platforms was shared with international partners.

The dismantled sites (Cfxapi, Cfxsecurity, neostress, jetstress, quickdown, and zapcut) functioned as so-called ‘booter’ or ‘stresser’ services. These platforms allowed customers to pay as little as €10 to flood websites or servers with traffic, rendering them unusable.

According to investigators, the services were used between 2022 and 2025 to target a range of victims, including schools, businesses, government institutions, and gaming platforms.

A hacker behind Black Kingdom ransomware that targeted schools and hospitals charged in the US

US authorities have indicted a Yemeni national, Rami Khaled Ahmed, on three serious felony charges for allegedly masterminding a global ransomware campaign that compromised thousands of computer systems across the globe. Operating under the alias “Black Kingdom,” Ahmed is believed to have orchestrated a multi-year cyberattack campaign from Sana’a, Yemen, where he currently resides.

The indictment accuses Ahmed of conspiracy to commit computer fraud, intentional damage to a protected computer, and threatening to damage a protected computer. According to court documents, the malicious activity spanned from March 2021 to June 2023. During this period, Ahmed, allegedly working with unidentified co-conspirators, took advantage of a security vulnerability in Microsoft Exchange servers to gain unauthorized access to computer networks.

Once inside, they deployed the Black Kingdom ransomware, a software tool designed either to encrypt data and render it inaccessible or to exfiltrate sensitive information, often for use in extortion. It is estimated that nearly 1,500 computer systems worldwide have been affected.

In each instance, systems were either locked or data was stolen, followed by ransom demands of $10,000 in Bitcoin. Victims were instructed to send the cryptocurrency to a digital wallet associated with one of Ahmed's alleged co-conspirators and to confirm the payment by emailing a designated Black Kingdom address. If convicted on all charges, Rami Khaled Ahmed could face a maximum sentence of 15 years in federal prison.

A Nefilim affiliate extradited to the US from Spain

The US Department of Justice unsealed a superseding indictment charging Artem Stryzhak, a Ukrainian national, with conspiracy to commit computer-related fraud and extortion. These charges arise from his alleged role in a global cybercrime campaign involving the Nefilim ransomware, which caused widespread financial and operational damage to corporate victims around the world.

Stryzhak was arrested in Spain in June 2024 and extradited to the United States for prosecution. According to the indictment, beginning in or around June 2021, Stryzhak joined the Nefilim cybercrime operation, which specialized in targeting large, wealthy companies, particularly those based in the United States, Canada, and Australia with revenues exceeding $100 million. The attackers infiltrated computer systems, encrypted data, and then demanded large ransom payments in exchange for decryption keys. Victims who failed to comply were threatened with public exposure of their sensitive data on so-called “Corporate Leaks” websites.

Stryzhak allegedly gained access to the Nefilim ransomware source code in return for agreeing to share 20% of his ransom profits with the administrators of the operation. He then began conducting ransomware attacks using a web-based control panel. As part of the scheme, Stryzhak and his collaborators not only encrypted victim data but also exfiltrated confidential files, heightening the pressure on companies to pay.

Stryzhak faces a maximum sentence of five years in prison if convicted.

An alleged Nomad Bridge hacker arrested in Israel

Israeli authorities have arrested a dual Russian-Israeli national accused of stealing millions in cryptocurrency during the 2022 hack of US-based blockchain platform Nomad Bridge. Alexander Gurevich, 47, was taken into custody at Ben-Gurion Airport as he allegedly attempted to flee to Russia using a passport bearing a different last name.

Gurevich is suspected of exploiting a vulnerability in the Nomad Bridge system in August 2022, netting approximately $2.89 million in digital assets. He then allegedly demanded a $500,000 reward in exchange for returning the stolen funds and revealing the flaw in the platform’s code.

The Nomad Bridge hack was one of the most damaging crypto attacks of 2022, resulting in a total loss exceeding $190 million and sparking fears of the platform’s collapse.

According to a US extradition request, Gurevich is wanted for multiple offenses, including computer crimes, money laundering, and the transfer of stolen property. American authorities allege that he laundered millions of dollars in connection with the attack. Gurevich remains in custody as Israeli courts review the US extradition request.

Key Dutch has been working in information technology and cybersecurity for over 20 years, starting his first job with Windows 95 and dial-up modems. As the Editor-in-Chief of our Cybercrime Prosecution Weekly blog series, he compiles the most interesting news about police operations against cybercrime, as well as about regulatory actions enforcing data protection and privacy law.