Timothy Justen French of NullCrew Sentenced in Cyber-Attack Case

Timothy Justen French, a 22-year-old from Morristown, Tennessee, was sentenced today to 45 months in federal prison for his role in a relentless cyber-attack campaign that targeted corporations, universities, and government agencies worldwide. As a core member of the hacking collective known as “NullCrew,” French exploited security flaws to breach protected computer systems and steal sensitive data, including encrypted personal information belonging to thousands of individuals.

The attacks, carried out between 2012 and 2014, caused at least $792,000 in documented financial losses across multiple victim organizations. French admitted to participating in at least seven major intrusions, including an attack on a major Canadian telecommunications provider and a U.S. state government system. He used aliases like “Orbit,” “@Orbit_g1rl,” “crysis,” “rootcrysis,” and “c0rps3” to conceal his identity while conducting and bragging about the breaches online.

U.S. District Judge Gary Feinerman handed down the sentence in federal court in Chicago, where French pleaded guilty last year to one count of intentionally damaging a protected computer without authorization. Prosecutors emphasized the widespread harm caused by the attacks, particularly the public exposure of usernames, email accounts, and passwords, which left victims vulnerable to identity theft and financial fraud.

As part of their campaign, NullCrew members operated Twitter accounts—including @NullCrew_FTS and @OfficialNull—to taunt victims and broadcast stolen data. These public disclosures were not just acts of vandalism but deliberate violations of personal privacy, according to the government’s sentencing memorandum. Assistant U.S. Attorney William Ridgway, who prosecuted the case, called French a central figure in a destructive and coordinated hacking operation.

“The defendant played a central role in an extensive, deliberate, and destructive hacking campaign that inflicted widespread and serious harm to businesses, governments, non-profits, and thousands of individuals,” Ridgway wrote. “He disseminated online the usernames, email accounts, and passwords for thousands of individuals, which not only violated their privacy and sense of online security, it exposed them to financial fraud and identity theft.”

The sentencing was announced by Zachary T. Fardon, United States Attorney for the Northern District of Illinois, and Michael J. Anderson, Special Agent-in-Charge of the FBI’s Chicago office. French’s conviction marks another blow against international hacking groups that operate with impunity across digital borders, but also underscores the growing threat posed by cybercriminal collectives targeting critical infrastructure and personal data.