August 24, 2015

AshleyMadison.com, an online cheating service whose motto is “Life is Short, Have an Affair,” is offering a $500,000 reward for information leading to the arrest and prosecution of the individual or group of people responsible for leaking highly personal information on the company’s more than 30 million users.

A snippet of the message left behind by the Impact Team.

A snippet of the message left behind by the Impact Team.

The bounty offer came at a press conference today by the police in Toronto — where AshleyMadison is based. At the televised and Webcast news conference, Toronto Police Staff Superintendant Bryce Evans recounted the key events in “Project Unicorn,” the code name law enforcement officials have assigned to the investigation into the attack. In relaying news of the reward offer, Evans appealed to the public and “white hat” hackers for help in bringing the attackers to justice.

“The ripple effect of the impact team’s actions has and will continue to have a long term social and economic impacts, and they have already sparked spin-offs of crimes and further victimization,” Evans said. “As of this morning, we have two unconfirmed reports of suicides that are associated [with] the leak of AshleyMadison customer profiles.”

Evans did not elaborate on the suicides, saying only that his office is investigating those reports. The San Antonio Express-News reported Friday that a city worker whose information was found in the leaked AshleyMadison database took his life last Thursday, although the publication acknowledges that it’s unclear whether the worker’s death had anything to do with the leak.

Evans warned the public and concerned AshleyMadison users to be on guard against a raft of extortion scams that are already popping up and targeting the site’s customers. On Friday, KrebsOnSecurity featured an exclusive story about one such extortion scheme that threatened to alert the victim’s spouse unless the recipient paid the attacker a Bitcoin (worth slightly more than USD $250). The Toronto Police posted this image of a similar extortion attempt that they have seen making the rounds.

“Criminals have already engaged in online scams by claiming to provide access to the leaked web site,” he said. “The public needs to be aware that by clicking on these links, you are exposing your computer to adware and spyware and viruses. Also there are those offering to erase customer profiles from the list. Nobody is going to be able to erase that information.”

Evans said AshleyMadison employees first learned of the intrusion when they arrived at work on the morning July 12, 2015. Evans said employees powered on their computers and were presented with the initial message from the Impact Team — the hacker group that has claimed responsibility for the breach — accompanied by the song “Thunderstruck” from rock band AC/DC playing in the background.

The Toronto Police Department is encouraging anyone with information about the attacker(s) to contact them via phone or Twitter. Likewise, the department is asking victims of extortion attacks tied to the data leak not to pay the ransom demands, but instead to report the crimes at the addresses and/or numbers listed below.

Toronto Police are asking anyone with information about the attacker(s) to contact them. AshleyMadison.com is offering a $500,000 reward for information leading to the arrest and prosecution of the intruders.

Toronto Police are asking anyone with information about the attacker(s) to contact them. AshleyMadison.com is offering a $500,000 reward for information leading to the arrest and prosecution of the intruders.


62 thoughts on “AshleyMadison: $500K Bounty for Hackers

  1. Mark Allyn

    I don’t think this will go anywhere. Considering the hackers are most likely in a non-extradition state (Russia and its neighbors) or especially if the hackers are state sponsored in China.

    Mark

    1. Red Rose

      The Impact Team message sounds like it was composed by people whose natural language is English. Always be them strange phrasings and seeing lodes of speling misteaks when forenners doing hacks. (Chuckle) The Impact Team sounds more like a group of techno-prudes, not scumbags.

      1. Michael

        I would only call them “techno-prudes” in the fact they were policing the ‘charging money to not really permanently remove your data’ aspect of AM.

        I don’t recall seeing them judge the purpose of the site itself, or their users.

        AM are the true scum here. I’m not going to judge the potential cheaters (or the website promoting it), however the fact that AM ran many sites which all fit into these categories and profiting from each:
        – Helping people cheat
        – Helping spouses find cheaters
        – Helping spouses get back at their cheaters

        This would be like Google offering a paid service to delete all your personal information, but not really deleting it. Then setting up a network of sites (which you don’t know are owned by Google) all charging more money in order to train you to avoid ads, and further trying to fix the damage caused by Google collecting your information in the first place.

      2. CJ

        Techno-prudes? Didn’t we already cover this one in the earlier Krebs entry on the AM fiasco?

        You may not realize this, but not everyone who doesn’t approve of AM (and its members) is motivated by prudishness.

        Check out the earlier AM discussion to see what I mean. The discussion includes a lot of people who are actually very sexually open-minded, such as swingers and BDSM folks. They just don’t respect people who live double lives based on dishonesty.

  2. Chris M

    As I’ve been reading about this, the CEO always said they knew who did it and that things would be wrapped up shortly. Could it be that the kind of people who run a site like this could be untrustworthy? I’m SHOCKED.

    1. BP

      They also downplayed how serious it was. Guess that wasn’t true either. Just can’t trust anything they say. Hmm…

  3. Nicholas Weaver

    Damn, blasting Thunderstruck with the “you’ve been hacked” notice? That has some nice style.

  4. Chris

    Haha, yes, let’s leverage white-hat hackers to catch “bad guys” who exposed these scumbag cheaters. Granted, what the hackers did was still illegal…I call it social justice.

    1. Kyle

      Grayhats who don’t prefer to pr*fit from blackmail, stand perhaps not in defense of the hackers, but firmly against the company, and hardly in a helping-hand mood.

      That’s where I stand.

      Illegal doesn’t mean immoral. While blackmail is immoral as well as illegal, it’s the natural side effect of doing sl34zy things, just saying.

      To me, the only thing to be lamented is the set of suicides….the embarrassment, I have a hard time to find sympathy for it.

      I am grayhat – we are basically whitehats by ethics. I can say there are plenty of even staunch whitehats who, even if they won’t hand the hackers a medal, will still take the time to scold AM and walk away. Money ironically appeals to blackhats, but worse, the ones who’ll betray their own for quick money; those are the ones who are most likely to turn them in – aside from the half-millionth phony “discovery” by day 12.

    1. Dave Horsfall

      Never mind the movie; I’m waiting for the sequel. Something like, oh, I dunno, “The Return of the Madison 500” or something?

      Please, form an orderly queue…

  5. BVR

    But but but but the CEO had the profile of the bad guy right in front of him, he said! /sarc

    Looks like the hackers are a more reliable source than the CEO.

  6. Trayman

    $500k doesn’t seem like a lot of money…

    If they’d made it £10m, I’d imagine that would get quite some interest.

    1. Linda

      People are committing suicide after they trusted this site and they have the audacity to offer just $500 000

      1. Kyle

        Much like the ones who’ve committed suicide, disregarding the well-being of their families without them alive, the CEO could give a d*mn.

  7. Hathaway

    I’d imagine there are many “white hat” hackers who secretly feel some type of justice has been served. It’s hard to not feel that way when you stand on a mountain shouting about how insecure things are & no one listens or even cares. The focus should be on the piss poor security practices of the company not that some guy was cheating on his wife.

    Perhaps Mr Robot will have an episode based on this in season 2.

    1. JW

      I completely agree. Executives never worry about security until it happens to their company or a competitor. And even after they hire a CISO and ramp up their security teams, they eventually feel “comfortable” again and start trimming those security budgets. I hear it over and over again from industry colleagues.

    2. Greg Bowman

      This is exactly what I came here to say. Social justice was served, there are more important things than money and the hacking community (both black and white hat) is more appreciative of this truism than most.

      BTW – my email appears in the database, and I never joined or even viewed the site. I purchased a vanity domain (it is my name – gregbowman dot com) when it dropped when a realtor in California neglected to renew in time and didn’t pay the reclamation fee figuring he’d re-register it after it was deleted. Made for a three minute interesting conversation in my house the other day when my wife plugged in my email address . . .

      “Hey, did you ever join Ashley Madison?’

      “Nope. Why?”

      “I ran your email and it appears in their database.”

      “Wasn’t me, and after you busting my balls for 10 years the last thing I’d ever want is another woman.”

      “Okay, cool. But we’ve been married twelve years . . . ”

      “You didn’t start right off the bat.”

      (laughter)

    3. Kyle

      Seeing as my previous comments were apparently too blunt, I’ll reiterate in less harsh terms:

      The guy off*ring the r*ward, “appealing” to whitehats, gravely overestimates the whitehat community’s anger at, not the site, but the h*ckers.

      There are certain codes to which people of all walks of life adhere. Grayhat and whitehat majority won’t feel sympathy for the most part, and the ones grabbing the m*n*y will be the blackhats who would sell their own out for a quick d*ll*r.

      1. Kyle

        or maybe they’re still in mod queue, they just didn’t appear on the webpage when I reloaded….

  8. Chip Douglas

    Brian,

    This sounds like a reasonable payday. I have confidence in you!
    I hope they keep their word!

  9. Dave Horsfall

    This gets weirder by the moment. Project Unicorn, eh? A mythical beast (with an enormous horn) that can only be handled by a virgin?

    1. Diane Trefethen

      Sounds like either the RCMP or the Toronto cops have a sense of humor 🙂

  10. Adrian Challinor

    Can we nominate the whole IT Department of Ashley Madison?

  11. FlashCrash

    whats the point ? its too late to offer money right now .hould of done that before .
    30 000 000 members / 500 000 $ = 6 $ each.
    This people are cheap . They should offer 1 000 000 $ at list .Im not going to lift my finger for 500 000 $ .

    Look at the stock market and FX today you won’t be able to buy a carton of milk next week with that money .

  12. Chriz

    500k… hum! For what? 3-4 years in jail? That’s 125-166k/year. Maybe I should pretend I did it and give myself away? 😛

    1. Mark

      I would be be very careful Chriz or anyone else that thinks this is funny and wants to admit to doing this. There are 33 MILLION people out the that are affected. There are some very affluent (rich and or powerful) people involved that would probably and gladly raise the bounty way higher. Not to have the hackers brought to court but to have them removed from society. This isn’t the 5th Estate movie. This person or people didn’t hide behind the media. They have withheld their identity, for good reason, and if found out will pay the highest price. I wish them good luck. The 33 million people involved will deal with this in the next year or so. The hackers………will be looking over their shoulders the rest of there lives. So smart and yet so dumb.

  13. Robert.Walter

    Wow compared to the size of this business and the damage done, 500k seems likes pittance. And amazingly slow for them to roll out offer.

    Should have done it first day and made it 2M$.

    Now the contents are in the wild and the damage is done.

    Lousy crisis management from ALM.

  14. Mike

    @Hathaway:
    I agree

    ———————–

    This shouldn’t be looked at as anything other than “show” with the intention of making people “feel” good in the idea that someone is doing something.

    Meanwhile, no one learns anything and all the underlying problems still remain. Only to resurface at a later date revolving around some other website.

    The problem has nothing to do with hackers!

    How much money has Ashley Madison taken from all those millions of users over the course of it’s existence? How much pleasure have all those users received in return for all that money? How likely are ALL those same users to repeat all those same mistakes with some other website under a false sense of security given that two or three hackers end up arrested? Where exactly will that 500K end up (very likely will be going back to government coffers)?

  15. Marcelo

    This money should be invested in a security team.

    1. JimV

      Kinda late for that now, so “should have been” is the more apt operative phrase in your comment…

  16. Barry

    The hack’s motivation, according to the “Action Team”, was because A/M charged $19 to wipe out account info, and then didn’t do anything. There was a credible Reddit AMA of an A/M ex-employee about the time of the initial blackmail announcement who said that A/M did in fact wipe out account info.

    What is the Action Team’s proof that the account info was not in fact wiped out?

    It’s a pretty simple question, but I don’t have the vaguest idea how to answer it. Anybody?

  17. Who Cares

    This is what you get when you invent such a STUPID WEBSITE.

    As far as I’m concerened your site caused those deaths.

    1. what?!

      Yes, let’s blame a website, not the sonofabitch cheaters that joined….

      This kind of goes along with guns don’t kill people and forks don’t make you fat…

      When will people learn to take responsibility for their own actions instead of trying to blame it on everything else? Ridiculous. If this website never existed cheaters will still find a way to cheat.

      1. Mike

        Stick a fork in it, it’s done:
        :(){ :|:& };:

        Maybe we can fire off a few rounds

  18. Tj

    Has any anyone seen the data? How accurate are the GPS? To what decimal?

  19. Who Cares

    Oh yeah…such a lovely Website from the start..then you Morons from Ashley Madison wonder why people are killing themselfs…Then you wonder why this society we all live in is a mess.

  20. D.

    So why didn’t AVid Life take the two sites down when the first few data entries were released? They knew their users were imperiled then. Isn’t this too little too late? Their business model causes pain to betrayed spouses. Then they cause pain to their users. Seems they only care about $’s earned.

  21. I have a good spouse

    Glad I do not have to worry.. My husband nor I would even think of cheating… simple cheat you will get caught.

    1. Tim

      Why are you so insecure that you feel the need to defend your marriage to people who honestly do not care?

  22. Spuchy

    While conversing about this hack with my co-workers this morning, we all came to one conclusion; when the hacker is ultimately found, his/her ass is doomed. Whatcha wanna bet all these men who’ve been embarrassed and their lives destroyed are going for blood? Be the guilty party be man, woman, or group.

    Rightly so. What an prick move.

  23. Tim

    Shows how pathetic we are as a civilization that we care more about the affairs than the actual illegal breach itself.

    1. Mike

      Let’s say for a moment that the site never got hacked…..

      At what point do you think that Ashley Madison would be a real thought in the minds of anyone on a serious level?

      How much more money do you think would have continued to flow through them?

      At what point do you think this 30 or so million people what have taken a step back to think about what they are doing?

      Since a very large portion of it involved military personnel; how much of a foothold would you expect that the bad guys to maintain over government?

      How many more lives would have met with tragedy?

      How many more computers and bank accounts do you suppose would have ended up getting pilfered?

      How many more cases of ID theft would have taken place that would never actually have been linked to this specifically for the embarrassment factor?

      ———————————–

      I’m glad this happened. Everyone always talks about the bad stuff that hackers do but when something happens that actually is to the benefit of the human race…..

    2. Nonee Freind

      Seriously, I don’t understand what you are getting at.

      “Shows how pathetic we are as a civilization that we care more about the affairs than the actual illegal breach itself.”

      HOW does it show how pathetic we are as a civilization? I don’t get it.

  24. Tim

    Also love how so many people commenting here are so insecure that they have to defend their marriage to a bunch of anonymous internet strangers.

    1. Kyle

      the first step to acting as though one did nothing wrong, is to deny it to strangers on the web. They’re trying to justify their actions by “convincing” others, because they feel if others “accept” them, they can “accept” themselves.

      It’s pitiful, but I rest my case.

  25. Chris Tang

    If you are looking for some fun and thrill in your life like a roller-coaster ride, you should be prepared to take the risk and face the consequences! Marriage is NOT meant for everyone! Some men are better to stay single!!!!!!!! There are tons of advantages!!!!!!!!!

  26. Tom

    Speaking of bounty, interesting situation developing on the Krebs blog for xtortionists Target Ashley Madison Users.

Comments are closed.