August 26, 2015

AshleyMadison.com, a site that helps married people cheat and whose slogan is “Life is Short, have an Affair,” recently put up a half million (Canadian) dollar bounty for information leading to the arrest and prosecution of the Impact Team — the name chosen by the hacker(s) who recently leaked data on more than 30 million Ashley Madison users. Here is the first of likely several posts examining individuals who appear to be closely connected to this attack.

It was just past midnight on July 20, a few hours after I’d published an exclusive story about hackers breaking into AshleyMadison.com. I was getting ready to turn in for the evening when I spotted a re-tweet from a Twitter user named Thadeus Zu (@deuszu) who’d just posted a link to the same cache of data that had been confidentially shared with me by the Impact Team via the contact form on my site just hours earlier: It was a link to the proprietary source code for Ashley Madison’s service.

Initially, that tweet startled me because I couldn’t find any other sites online that were actually linking to that source code cache. I began looking through his past tweets and noticed some interesting messages, but soon enough other news events took precedence and I forgot about the tweet.

I revisited Zu’s tweet stream again this week after watching a press conference held by the Toronto Police (where Avid Life Media, the parent company of Ashley Madison, is based). The Toronto cops mostly recapped the timeline of known events in the hack, but they did add one new wrinkle: They said Avid Life employees first learned about the breach on July 12 (seven days before my initial story) when they came into work, turned on their computers and saw a threatening message from the Impact Team accompanied by the anthem “Thunderstruck” by Australian rock band AC/DC playing in the background.

After writing up a piece on the bounty offer, I went back and downloaded all five years’ worth of tweets from Thadeus Zu, a massively prolific Twitter user who typically tweets hundreds if not thousands of messages per month. Zu’s early years on Twitter are a catalog of simple hacks — commandeering unsecured routers, wireless cameras and printers — as well as many, many Web site defacements.

On the defacement front, Zu focused heavily on government Web sites in Asia, Europe and the United States, and in several cases even taunted his targets. On Aug. 4, 2012, he tweeted to KPN-CERT, a computer security incident response team in the Netherlands, to alert the group that he’d hacked their site. “Next time, it will be Thunderstruck. #ACDC” Zu wrote.

The day before, he’d compromised the Web site for the Australian Parliament, taunting lawmakers there with the tweet: “Parliament of Australia bit.ly/NPQdsP Oi! Oi! Oi!….T.N.T. Dynamite! Listen to ACDC here.”

I began to get very curious about whether there were any signs on or before July 19, 2015 that Zu was tweeting about ACDC in relation to the Ashley Madison hack. Sure enough: At 9:40 a.m., July 19, 2015 — nearly 12 hours before I would first be contacted by the Impact Team — we can see Zu is feverishly tweeting to several people about setting up “replication servers” to “get the show started.” Can you spot what’s interesting in the tabs on his browser in the screenshot he tweeted that morning?

Twitter user ThadeusZu tweets about setting up replication servers. Did you spot the Youtube video he’s playing when he took this screenshot?

Ten points if you noticed the Youtube.com tab showing that he’s listening to AC/DC’s “Thunderstruck.”

A week ago, the news media pounced on the Ashley Madison story once again, roughly 24 hours after the hackers made good on their threat to release the Ashley Madison user database. I went back and examined Zu’s tweet stream around that time and found he beat Wired.com, ArsTechnica.com and every other news media outlet by more than 24 hours with the Aug. 17 tweet, “Times up,” which linked to the Impact Team’s now infamous post listing the sites where anyone could download the stolen Ashley Madison user database.

ThadeusZu tweeted about the downloadable Ashley Madison data more than 24 hours before news outlets picked up on the cache.

WHO IS THADEUS ZU?

As with the social networking profiles of others who’ve been tied to high-profile cybercrimes, Zu’s online utterings appear to be filled with kernels of truth surrounded by complete malarkey, thus making it challenging to separate fact from fiction. Hence, all of this could be just one big joke by Zu and his buddies. In any case, here are a few key observations about the who, what and where of Thadeus Zu based on information he’s provided (again, take that for what it’s worth).

Zu’s Facebook profile wants visitors to think he lives in Hawaii; indeed, the time zone set on several of his social media accounts is the same as Hawaii’s. There are a few third-party Facebook accounts of people demonstrably living in Hawaii who tag him in their personal photos of events on Hawaii (see this cached photo, for example), but for the most part Zu’s Facebook account consists of pictures taken from stock image collections and does not appear to contain personal photos of any kind.

A few tweets from Zu — if truthful and not simply premeditated misdirection — indicate that he lived in Canada for at least a year, although it’s unclear when this visit occurred.

Zu’s various Twitter and Facebook pictures all feature hulking, athletic, and apparently black male models (e.g. he’s appropriated two profile photos of male model Rob Evans). But Zu’s real-life identity remains murky at best. The lone exception I found was an image that appears to be a genuine group photo taken of a Facebook user tagged as Thadeus Zu, along with an unnamed man posing in front of a tattoo store with popular Australian (and very inked) model/nightclub DJ Ruby Rose.

That photo is no longer listed in Rose’s Facebook profile, but a cached version of it is available here. Rose’s tour schedule indicates that she was in New York City when that photo was taken, or at least posted, on Feb. 6, 2014. Zu is tagged in another Ruby Rose Facebook post five days later on Valentine’s Day. Update, 2:56 p.m.: As several readers have pointed out, the two people beside Rose in that cached photo appear to be Franz Dremah and Kick Gurry, co-stars in the movie Edge of Tomorrow.

Other clues in his tweet stream and social media accounts put Zu in Australia. Zu has a Twitter account under the Twitter nick @ThadeusZu, which has a whopping 11 tweets, but seems rather to have been used as a news feed. In that account Zu is following some 35 Twitter accounts, and the majority of them are various Australian news organizations. That account also is following several Australian lawmakers that govern states in south Australia.

Then again, Twitter auto-suggests popular accounts for new users to follow, and usually does so in part based on the Internet address of the user. As such, @ThadeusZu may have only been using an Australian Web proxy or a Tor node in Australia when he set up that account (several of his self-published screen shots indicate that he regularly uses Tor to obfuscate his Internet address).

Even so, many of Zu’s tweets going back several years place him in Australia as well, although this may also be intentional misdirection. He continuously references his “Oz girl” (“Oz” is another word for Australia), uses the greeting “cheers” quite a bit, and even talks about people visiting him in Oz.

Interestingly, for someone apparently so caught up in exposing hypocrisy and so close to the Ashley Madison hack, Zu appears to have himself courted a married woman — at least according to his own tweets. On January 5, 2014, Zu tweeted:

“Everything is cool. Getting married this year. I am just waiting for my girl to divorce her husband. #seachange”

A month later, on Feb. 7, 2014, Zu offered this tidbit of info:

“My ex. We were supposed to get married 8 years ago but she was taken away from me. Cancer. Hence, my downward spiral into mayhem.”

To say that Zu tweets to others is a bit of a misstatement. I have never seen anyone tweet the way Zu does; he sends hundreds of tweets each day, and while most of them appear to be directed at nobody, it does seem that they are in response to (if not in “reply” to) tweets that others have sent him or made about his work. Consequently, his tweet stream appears to the casual observer to be nothing more than an endless soliloquy.

But there may be something else going on here. It is possible that Zu’s approach to tweeting — that is, responding to or addressing other Twitter users without invoking the intended recipient’s Twitter handle — is something of a security precaution. After all, he had to know and even expect that security researchers would try to reconstruct his conversations after the fact. But this is far more difficult to do when the Twitter user in question never actually participates in threaded conversations. People who engage in this way of tweeting also do not readily reveal the Twitter identities of the people with whom they chat most.

Thadeus Zu — whoever and wherever he is in real life — may not have been directly involved in the Ashley Madison hack; he claims in several tweets that he was not part of the hack, but then in countless tweets he uses the royal “We” when discussing the actions and motivations of the Impact Team. I attempted to engage Zu in private conversations without success; he has yet to respond to my invitations.

It is possible that Zu is instead a white hat security researcher or confidential informant who has infiltrated the Impact Team and is merely riding on their coattails or acting as their mouthpiece. But one thing is clear: If Zu wasn’t involved in the hack, he almost certainly knows who was.

KrebsOnSecurity is grateful to several researchers, including Nick Weaver, for their assistance and time spent indexing, mining and making sense of tweets and social media accounts mentioned in this post. Others who helped have asked to remain anonymous. Weaver has published some additional thoughts on this post over at Medium.

361 thoughts on “Who Hacked Ashley Madison?”

  1. Mike

    That was really interesting. ‘Cheers’ is common in the whole Commonwealth, I have NEVER heard ‘churs’ outside Australia/New Zealand, and I lived in both countries for a few years. It’s interesting to note he spent a year in Canada. From my experience, a year abroad (OE) is common for both countries.

    Has Brian Fanning responded about who he is?

    1. Brian B again

      My bad, I thought you meant left of the person in the middle, but now I’m reading it differently.

      Still, I googled Bernard Fanning, and I’m convinced the guy on the photo’s-right is Kick Gurry, not Fanning. Look at the hairlines on those two.

  2. More

    This whole thing is a complete waste of time. Whether we like it or not, they will never get caught. Just look at the past examples of Sony Hack, AdultFriendFinder… nobody knows who did it still.

    1. Mark

      I’m sorry, but the Sony hack didn’t create the level of enemies, or those who would like to see these people caught. There are a lot of highly motivated people out there.

      Also, it hit me the other day that the Impact Team were likely made up of at least one disgruntled Ashley Madison user. I think this person, if they did court a married person, would fit well into the profile of someone who actively used AM at one point themselves. If you really look at the semantics and language patterns of the spokesperson for this group, they appear to have had some direct/close involvement with AM, and the way they talk reminds me of a disgruntled employee or customer.

      Just a thought. I am hoping someone can take the database that’s out there and do a ‘diff’ against an earlier version that perhaps AM can restore. It might be interesting to find out who/what may be in an earlier database that was Not in the Tor database posted online.

      I’m sure the hackers made sure their info was not out there, or they may have put some misleading info in its place. I’ll bet money on this, that when they are caught, they will fit into this, or a similar profile.

      Often the self-righteous are, or have been, very heavily into the activities they are claiming to call others out on.

  3. Second

    John McAfee was right all along. It was a FEMALE hacker.

  4. Paul

    I don’t think this guy has anything to do with the dump itself. His more recent tweets suggest that he’s just now going through the data from the email dump. Obviously, if he had this info earlier on he could have used it to stir up all kinds of trouble without releasing the data.

    I disagree that he’s part of Impact Team, I believe he just has an insider view and well, that makes him wanted regardless.

    1. Brian B

      I was just posting that, but now I realize why they all look familiar: they’re all in Edge of Tomorrow!

      Duh.

  5. Davis

    Would i be completely out of line in thinking that AM’s DB was stolen and published as retaliation for AM allegedly stealing Nerve.com’s DB? How easy would it be to contract a set of people with the right skill set to retaliate against a competitor?

    1. Mark

      Very interesting point. I think the question also deals with the context of the emails: whether they were talking about security in terms of how to evaluate it for a possible merger between AM and Nerve, or of actual hacking. I wouldn’t rule out someone who got upset over it. That could explain why the Impact Team seem so personally involved. At the same time, would Nerve want to risk that their own user base, who they rely on for their profits, would be destroyed or scared away from using any sites like AM or Nerve?

  6. Gr

    Ruby must know who Thadeus is because she tagged him in her photo.

    1. o. nate

      Seems more likely this Zu hacked into her Facebook and tagged his handle to an actor’s picture as a joke.

  7. Tim Stephenson

    I’m pretty sure the guy on the left in the Ruby Rose photo is actor Franz Drameh.

    1. Anthony

      Yeah – I think you’re right. Sure looks like him.

  8. SpeckledPants

    This is very interesting — but I’m going to wager this: while he/they indeed may be the real hacker, there is nothing of worth on the twitter feed.

    Putting myself in their shoes, if I had carried out the hack and wanted to trumpet a bit, I would have set up an account ages ago, and filled it with complete misdirection, from top to bottom, so that nothing was clear.

    I would have tagged myself in geographically misleading pictures, commented on a few random groups, just created a complete haze of misdirection. That seems to be what’s been done here.

    1. NowWhat$uckers

      Ever heard about hackers bragging? Smartest of people make most stupid mistakes.

  9. Kevin

    Brian, do you have insight into what the ominous conversation is about with respect to the next info people will be blown away by, etc.?

  10. fnoberz_

    He’s participated in this event somehow. Still, a bit differently than most of us think. He’s become a ‘face’ of the attack, a mere personification of attackers. Someone who is more real to the community. Being involved in a hacking group does not mean literally cracking websites and being an underworld nerd. They’ve got PR ppl as well. Social engineering, public relations etc. Our community needs someone they can link to the outside world; not only anonymous, hidden, coding-somewhere-in-the-basement geniuses. D’you remember Barrett Brown and the Anonymous? Cheers and g’day mates.

  11. c3p0

    Mr. or Mrs. Thadeus aka prolific twit… has gone silent in his twitsphere the last 4 hours…wonder what he/she is up to? Great work as always Brian. Hope you get the bounty.

  12. Jetzt

    Doesn’t it all seem a bit too convenient? Sounds like purposely misleading info being thrown about. Unless he really is that stupid…oh please don’t be that stupid…

  13. Jetzt

    “It is possible that Zu is instead a white hat security researcher or confidential informant who has infiltrated the Impact Team and is merely riding on their coattails or acting as their mouthpiece. But one thing is clear: If Zu wasn’t involved in the hack, he almost certainly knows who was.”

    Wow there, Brian. That’s a heck of a jump…

  14. Fred

    As I read these comments I have to remind myself: “Some of these commenters may be trying to misdirect readers and Brian.”

  15. Tara Marie

    “Everything is cool. Getting married this year. I am just waiting for my girl to divorce her husband. #seachange

    Unless his ‘girl’ had no intent of Divorcing her Husband and just wanted to play, as the whole premise of ‘Ashley Madison’ was set upon……and when one realizes they are being played, they set out to destroy.

    Excellent article. I am fascinated.

  16. Bill

    He’s not the hacker. Prob in the circle of nerds though. The funny thing about these nerds is they want to release private information, yet keep themselves private #irony.

  17. Steve

    Sounds like you are closing in on that $500K reward Brian. Good Luck, you deserve it!

  18. Caught up

    Ruby Rose has known Zu for at least four and a half years. This was the earliest tagged photo from Facebook I could find. Before that, he was just commenting on photos. He is all over Ruby Rose’s Facebook. She’s gotta know him fairly well.

    https://www.anony.ws/image/DvZ9

  19. The Boss

    His new favorite song should be Born to Run. 40 years old yesterday.

  20. J. Tate

    For those interested in pulling the Twitter Archives I have one of the few Firehose Api query licenses. There are many ways to pull these data points.

    On another topic, per State Law victims (if we should call them that) have rights to ensure they have conducted the appropriate Post Data Spillage protections that should surpass the advertised Credit Monitoring offering. We (bits&digits) will be developing solutions for both the victims but solutions for the other sites that will be surely looking for immunization solutions.

    It’s a crazy situation, but it’s also one that I share low empathy for. Trust But Verify.

  21. Hamburglar

    Methinks Mr. Krebs might be getting 500K Canadian soon.

  22. Tim Ferris

    Brian,
    Important Clue/Observation:

    In the last screenshot that deuszu has uploaded on Twitter, where he is apparently uploading the 4th dump, the webmaster is named as Krieg. Look closely.

    Krieg is also someone he refers to in some of his tweets.
    “Krieg’s a hard man, my friend.”, “I’ve been manscaping my beard and not fully aware. I’m surprised that Krieg’s got emotional, bro.”

    Something I noticed while going through stuff.

  23. whitehatinvestigator

    What if they are using the same Twitter account to communicate with each other? In this case, they would just send messages to each other back and forth on the same Twitter account. That remains a possibility. You will notice that “he/they” often reply to previous messages posted on the same account (https://twitter.com/deuszu).

    Unless this person is schizophrenic and talks to an imaginary friend, these posts suggest that he is talking to someone:

    Example 1: https://twitter.com/deuszu/status/628771719612731393
    Example 2: https://twitter.com/deuszu/status/628718873445953537
    Example 3: https://twitter.com/deuszu/status/628711732232388608

    Also, a simple Google image reverse search points out that he is stealing his Twitter profile images from a model named “Willy Monfret”: http://www.willymonfret.com

    This is a mirror of the model’s Instagram profile:
    http://yooying.com/monfretwilly
    http://yooying.com/p/1053788509894064630_302907029

    As the photos suggest, this model was in Barcelona in early August, and it appears that the Impact Team hackers were at Defcon since they posted many interesting posts about Defcon on the same Twitter account @deuszu:
    https://twitter.com/deuszu/status/629898711460528128
    https://twitter.com/deuszu/status/629897602926903296

    In any event, this Twitter account definitely points to one fact: the Impact Team is most probably behind these hacks, but it is difficult to distinguish between reality and fiction and trace who they really are. Hopefully the RCMP or FBI will be able to figure out if they left any cyberfingerprints on their Twitter and Facebook profiles.

    1. Prebeta

      Does appear it is a group communicating in between randomness and misdirection. Reading through, there is directed speech at what appear to be codenames: Amigo, Hombre, Hussy, Redneck.

  24. fascinated

    He’s now taunting you on Twitter, Krebs. Go get this a-hole!