26 Aug 15

Who Hacked Ashley Madison?

AshleyMadison.com, a site that helps married people cheat and whose slogan is “Life is Short, have an Affair,” recently put up a half million (Canadian) dollar bounty for information leading to the arrest and prosecution of the Impact Team — the name chosen by the hacker(s) who recently leaked data on more than 30 million Ashley Madison users. Here is the first of likely several posts examining individuals who appear to be closely connected to this attack.

It was just past midnight on July 20, a few hours after I’d published an exclusive story about hackers breaking into AshleyMadison.com. I was getting ready to turn in for the evening when I spotted a re-tweet from a Twitter user named Thadeus Zu (@deuszu) who’d just posted a link to the same cache of data that had been confidentially shared with me by the Impact Team via the contact form on my site just hours earlier: It was a link to the proprietary source code for Ashley Madison’s service.

Initially, that tweet startled me because I couldn’t find any other sites online that were actually linking to that source code cache. I began looking through his past tweets and noticed some interesting messages, but soon enough other news events took precedence and I forgot about the tweet.

I revisited Zu’s tweet stream again this week after watching a press conference held by the Toronto Police (where Avid Life Media, the parent company of Ashley Madison, is based). The Toronto cops mostly recapped the timeline of known events in the hack, but they did add one new wrinkle: They said Avid Life employees first learned about the breach on July 12 (seven days before my initial story) when they came into work, turned on their computers and saw a threatening message from the Impact Team accompanied by the anthem “Thunderstruck” by Australian rock band AC/DC playing in the background.

After writing up a piece on the bounty offer, I went back and downloaded all five years’ worth of tweets from Thadeus Zu, a massively prolific Twitter user who typically tweets hundreds if not thousands of messages per month. Zu’s early years on Twitter are a catalog of simple hacks — commandeering unsecured routers, wireless cameras and printers — as well as many, many Web site defacements.

On the defacement front, Zu focused heavily on government Web sites in Asia, Europe and the United States, and in several cases even taunted his targets. On Aug. 4, 2012, he tweeted to KPN-CERT, a computer security incident response team in the Netherlands, to alert the group that he’d hacked their site. “Next time, it will be Thunderstruck. #ACDC” Zu wrote.

The day before, he’d compromised the Web site for the Australian Parliament, taunting lawmakers there with the tweet: “Parliament of Australia bit.ly/NPQdsP Oi! Oi! Oi!….T.N.T. Dynamite! Listen to ACDC here.”

I began to get very curious about whether there were any signs on or before July 19, 2015 that Zu was tweeting about ACDC in relation to the Ashley Madison hack. Sure enough: At 9:40 a.m., July 19, 2015 — nearly 12 hours before I would first be contacted by the Impact Team — we can see Zu is feverishly tweeting to several people about setting up “replication servers” to “get the show started.” Can you spot what’s interesting in the tabs on his browser in the screenshot he tweeted that morning?

Twitter user ThadeusZu tweets about setting up replication servers. Note which Youtube video is playing on his screen when he took this screenshot.

Ten points if you noticed the Youtube.com tab showing that he’s listening to AC/DC’s “Thunderstruck.”

A week ago, the news media pounced on the Ashley Madison story once again, roughly 24 hours after the hackers made good on their threat to release the Ashley Madison user database. I went back and examined Zu’s tweet stream around that time and found he beat Wired.com, ArsTechnica.com and every other news media outlet by more than 24 hours with the Aug. 17 tweet, “Times up,” which linked to the Impact Team’s now infamous post listing the sites where anyone could download the stolen Ashley Madison user database.

ThadeusZu tweeted about the downloadable Ashley Madison data more than 24 hours before news outlets picked up on the cache.
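The method behind the last few paragraphs (pull a user's full tweet archive, then check which themes and links showed up before they were public) is easy to make repeatable. The following is an added example, not code from the post or from any of the researchers it credits; the tweet archive, the URLs and the event timestamps in it are constructed for illustration and are not Zu's real tweets or the real timings of the case.

```python
"""Timeline correlation over a downloaded tweet archive.

Added example (not from the KrebsOnSecurity post). Two checks the post
performs by hand:
  1. Did a theme (here AC/DC's "Thunderstruck") appear in the archive
     before a known event, and with how much lead time?
  2. How far did the archive's first link to a given URL precede the
     time the press reported it?
Every tweet, URL and timestamp below is constructed for illustration.
"""
from datetime import datetime, timedelta, timezone
import re

# Constructed archive: (UTC timestamp, tweet text). Not real tweets.
ARCHIVE = [
    ("2015-07-20T00:05:00Z", "source code dump http://example.test/am-src"),
    ("2012-08-03T10:15:00Z", "Parliament of Australia http://example.test/def Oi! Oi! Oi!"),
    ("2012-08-04T09:00:00Z", "@cert hacked. Next time, it will be Thunderstruck. #ACDC"),
    ("2015-07-19T09:40:00Z", "setting up replication servers to get the show started"),
    ("2015-07-19T09:42:00Z", "Thunderstruck playing, tabs open"),
    ("2015-08-17T22:00:00Z", "Times up http://example.test/timesup"),
    ("2015-08-18T23:30:00Z", "tmp"),
]

# Constructed event anchors (UTC). Not the real timestamps from the case.
EVENTS = {
    "reporter_contacted": "2015-07-19T21:30:00Z",
    "dump_reported_by_press": "2015-08-18T23:00:00Z",
}


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load(archive):
    """Return the archive as (datetime, text) pairs in chronological order.
    Exported archives are not always sorted, so sort explicitly."""
    return sorted(((parse_ts(t), text) for t, text in archive), key=lambda r: r[0])


def hours(td):
    """Express a timedelta in hours (float) for easy comparison."""
    return td.total_seconds() / 3600


def keyword_hits(tweets, pattern, before):
    """Tweets matching `pattern` (case-insensitive regex) posted before the
    event at `before`. Each result is (timestamp, text, lead), where lead
    is how long before the event the tweet went out."""
    rx = re.compile(pattern, re.IGNORECASE)
    cutoff = parse_ts(before)
    return [(ts, text, cutoff - ts)
            for ts, text in tweets
            if ts < cutoff and rx.search(text)]


def first_link(tweets, url):
    """Timestamp of the earliest tweet carrying `url`, or None."""
    for ts, text in tweets:
        if url in text:
            return ts
    return None


def lead_over(tweets, url, public_at):
    """How far the archive's first link to `url` preceded `public_at`.
    Negative means the tweet came after the public report; None means
    the URL never appears in the archive."""
    ts = first_link(tweets, url)
    if ts is None:
        return None
    return parse_ts(public_at) - ts


if __name__ == "__main__":
    tweets = load(ARCHIVE)
    for ts, text, lead in keyword_hits(tweets, r"thunderstruck|#acdc",
                                       EVENTS["reporter_contacted"]):
        print(f"{ts:%Y-%m-%d %H:%M}  {hours(lead):8.1f}h before contact  {text}")
    lead = lead_over(tweets, "http://example.test/timesup",
                     EVENTS["dump_reported_by_press"])
    print(f"'Times up' link preceded press coverage by {hours(lead):.1f}h")
```

The lead time is computed against an explicit UTC anchor rather than against the local time shown in a screenshot or a client, which is the usual source of off-by-several-hours mistakes in this kind of correlation; convert every anchor to UTC before comparing.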

WHO IS THADEUS ZU?

As with the social networking profiles of others who’ve been tied to high-profile cybercrimes, Zu’s online utterances appear to be filled with kernels of truth surrounded by complete malarkey, thus making it challenging to separate fact from fiction. Hence, all of this could be just one big joke by Zu and his buddies. In any case, here are a few key observations about the who, what and where of Thadeus Zu based on information he’s provided (again, take that for what it’s worth).

Zu’s Facebook profile wants visitors to think he lives in Hawaii; indeed, the time zone set on several of his social media accounts is the same as Hawaii. There are a few third-party Facebook accounts of people demonstrably living in Hawaii who tag him in their personal photos of events on Hawaii (see this cached photo, for example), but for the most part Zu’s Facebook account consists of pictures taken from stock image collections and do not appear to be personal photos of any kind.

A few tweets from Zu — if truthful and not simply premeditated misdirection — indicate that he lived in Canada for at least a year, although it’s unclear when this visit occurred.

Zu’s various Twitter and Facebook pictures all feature hulking, athletic, and apparently black male models (e.g. he’s appropriated two profile photos of male model Rob Evans). But Zu’s real-life identity remains murky at best. The lone exception I found was an image that appears to be a genuine group photo taken of a Facebook user tagged as Thadeus Zu, along with an unnamed man posing in front of a tattoo store with popular Australian (and very inked) model/nightclub DJ Ruby Rose.

That photo is no longer listed in Rose’s Facebook profile, but a cached version of it is available here. Rose’s tour schedule indicates that she was in New York City when that photo was taken, or at least posted, on Feb. 6, 2014. Zu is tagged in another Ruby Rose Facebook post five days later on Valentine’s Day. Update, 2:56 p.m.: As several readers have pointed out, the two people beside Rose in that cached photo appear to be Franz Dremah and Kick Gurry, co-stars in the movie Edge of Tomorrow.

Other clues in his tweet stream and social media accounts put Zu in Australia. Zu has a Twitter account under the Twitter nick @ThadeusZu, which has a whopping 11 tweets, but seems rather to have been used as a news feed. In that account Zu is following some 35 Twitter accounts, and the majority of them are various Australian news organizations. That account also is following several Australian lawmakers that govern states in south Australia.

Then again, Twitter auto-suggests popular accounts for new users to follow, and usually does so in part based on the Internet address of the user. As such, @ThadeusZu may have only been using an Australian Web proxy or a Tor node in Australia when he set up that account (several of his self-published screen shots indicate that he regularly uses Tor to obfuscate his Internet address).

Even so, many of Zu’s tweets going back several years place him in Australia as well, although this may also be intentional misdirection. He continuously references his “Oz girl,” (“Oz” is another word for Australia) uses the greeting “cheers” quite a bit, and even talks about people visiting him in Oz.

Interestingly, for someone apparently so caught up in exposing hypocrisy and so close to the Ashley Madison hack, Zu appears to have himself courted a married woman — at least according to his own tweets. On January 5, 2014, Zu ‏tweeted:

“Everything is cool. Getting married this year. I am just waiting for my girl to divorce her husband. #seachange


A month later, on Feb. 7, 2014, Zu offered this tidbit of info:

“My ex. We were supposed to get married 8 years ago but she was taken away from me. Cancer. Hence, my downward spiral into mayhem.”


To say that Zu tweets to others is a bit of a misstatement. I have never seen anyone tweet the way Zu does; he sends hundreds of tweets each day, and while most of them appear to be directed at nobody, it does seem that they are in response to (if not in “reply” to) tweets that others have sent him or made about his work. Consequently, his tweet stream appears to the casual observer to be nothing more than an endless soliloquy.

But there may be something else going on here. It is possible that Zu’s approach to tweeting — that is, responding to or addressing other Twitter users without invoking the intended recipient’s Twitter handle — is something of a security precaution. After all, he had to know and even expect that security researchers would try to reconstruct his conversations after the fact. But this is far more difficult to do when the Twitter user in question never actually participates in threaded conversations: there is no reply chain to follow, only timing and content. People who engage in this way of tweeting also do not readily reveal the Twitter identities of the people with whom they chat most.

Thadeus Zu — whoever and wherever he is in real life — may not have been directly involved in the Ashley Madison hack; he claims in several tweets that he was not part of the hack, but then in countless tweets he uses the royal “We” when discussing the actions and motivations of the Impact Team. I attempted to engage Zu in private conversations without success; he has yet to respond to my invitations.

It is possible that Zu is instead a white hat security researcher or confidential informant who has infiltrated the Impact Team and is merely riding on their coattails or acting as their mouthpiece. But one thing is clear: If Zu wasn’t involved in the hack, he almost certainly knows who was.

KrebsOnSecurity is grateful to several researchers, including Nick Weaver, for their assistance and time spent indexing, mining and making sense of tweets and social media accounts mentioned in this post. Others who helped have asked to remain anonymous. Weaver has published some additional thoughts on this post over at Medium.


360 comments

  1. They are doing affiliate advertising on the site. Basically partners with the guy sharing stolen data and making money. It is a common marketing tactic. In this case they are likely unaware. We need to make them aware. Their legal team will not like it. The scenario to throw out is “if I stole cars for a living and sold them on line would you want to advertise on my site and join me in making money off stolen cars?” Their answer would be no. Should be the same with stolen data.

  2. Glad you are calling. Me too. They are doing affiliate advertising on the site. Basically partners with the guy sharing stolen data and making money. It is a common marketing tactic. In this case they are likely unaware. We need to make them aware. Their legal team will not like it. The scenario to throw out is “if I stole cars for a living and sold them on line would you want to advertise on my site and join me in making money off stolen cars?” Their answer would be no. Should be the same with stolen data.

  3. I find it amusing that most people are just jumping to one overly-simplistic extreme or another: either the hackers are the only party in the wrong because of the consequences of releasing the AM member database, or the AM users are the only party in the wrong because they’re all cheaters.

    Frankly, I think both groups are in the wrong. The hackers are clearly just the latest example of the naive, “shoot first, consider the consequences never” mentality & Ivory-tower radicalism that typifies most “hacktivism.” As for the AM users: if you sign up for a service that’s designed to help you commit something that you yourself consider a transgression, AND you provide that service with contact information that can be tied/traced back to you, then you’re an idiot – no ifs, ands, or buts about it. And that’s completely regardless of one’s feelings on the morality of cheating – in the same way that, if you live in a jurisdiction where use of marijuana is illegal and you’re stupid enough to post photos/videos online showing you using it & get busted as a result, then it’s your own damn fault, regardless of how strongly you may support legalization.

  4. > ” what is being done with our PII is, in fact, illegal.”

    Incompetent and ignorant.

    Cite title and chapter, or even define “PII.”

    Or just read https://en.wikipedia.org/wiki/Bartnicki_v._Vopper, which was decided on 1st Amendment grounds.

    Rather than fight the existence of the 1st Amendment and the existence of the dumped data, it would be a lot smarter to sue AM for scamming you to spend your money to message fembots.

  5. Many of us made a mistake, to varying degrees, by being on that site. I for one live with regret daily for visiting the site. It is what is and my only wish is to protect my family. Towards that end, all we can do is the following:

    1) While not sharing the site name, do share the domain provider and server provider via WhoIs searches. We can then contact them as we have been.

    2) Hope that folks like Sanji and others can continue to identify the folks behind the sites to expose them to the world. Turning the spotlight on these misguided individuals.

    If we do these two things we will be able to protect many families. I realize the information will be “out there” forever, but for the sake of the innocent family members of our collective, we must fight the good fight and hope that decency prevails. Ultimately, I still believe in the human spirit and that if given the opportunity, folks may make mistakes, but will ultimately do the right thing.

  6. Thanks Nick. Just reported the fictitious data to ICANN. Very easy form to fill out. I encourage others to do the same!

  7. I just got a response from shareasale and they said that they don’t have an account with a*******.cr. Did I do something wrong? Has anyone else heard from them?

  8. I emailed shareasale and they said they don’t have any account for a****.cr. Did anyone else get a response?

  9. Folks – go to the comments section on this site under the heading “Extortionists Target AM…” The .xyz site is back up under a new site. Help is needed there…

  10. Guys what can we do about the site that is only accepting bitcoins? That site is using blackmail as a form of advertisement on their front page. See the “I saw my boss” story.

    • The guy is an extortionist. He has posted on other boards and I have warned him numerous times that he’s playing a VERY dangerous game but he obviously believes he’s clever. The fact that all 3 sites shill for bitcoins and have been announced on other boards in the same exact way leads me to believe this is the same fool over and over again. Sanji…if you have info on him I suggest you “reach-out” to him and set him straight.

      • Dd,
        Was that message for me? Sorry went back to real life for a while. Whoever the owner is should be mailed. He only accepts Bitcoin? Maybe someone should start a site that if you put in your email you get his info. Lol. He is trying to capture the tail end of this imo more than likely people looking are people looking for themselves. Either way can someone state what we can do to stop him? I sent an email to ftc. Hope you guys are having a good day. Mr krebs and mr sanji we appreciate all you guys are doing to level this playing field.

  11. I just got a response from shareasale. They stated that they have no account with a******.cr. Has anyone else gotten anywhere with this?

  12. Thunderstruck!!!! Excerpt from an interesting article: ” According to Navalny’s investigation, the Night Wolves received 12 million rubles ($237,000) over the past two years to stage bombastic children’s New Year’s shows aimed at frightening kids about the menace of a U.S.-led global conspiracy to bring Russia to its knees.One of the conspirators is a woman representing the Statue of Liberty who at one point appears in tight-fitting studded biker leather and wielding a whip as the song “Thunderstruck” by legendary Australian hard rock band AC/DC plays. http://www.rferl.org/content/russia-night-wolves-terrifying-kids-shows-putin-public-funds/26996590.html

  13. I emailed shareasale and they said that they don’t have an account with a******.cr. Has anybody had any success?

  14. Gentlemen, DO NOT give up! Keep reporting and shut these sites down! We are winning! Just need to keep the fight up until the FTC formally announces.

  15. Does it seem plausible that the seemingly monologue-ish, undirected posts could be some sort of digital dead drop, meant to be a coded go-between for others to watch for and act on when discovered?

    Fascinating work, Mr. Krebs! A true wilderness of mirrors.

  16. http://www.ted.com/talks/monica_lewinsky_the_price_of_shame?language=en

    Might I suggest you watch this, before your witch hunt begins.

    This goes for everything…people using (or thought to be using) Ashley Madison, as well as this identified person thought to be linked to the hack.