AshleyMadison.com, a site that helps married people cheat and whose slogan is “Life is Short, have an Affair,” recently put up a half million (Canadian) dollar bounty for information leading to the arrest and prosecution of the Impact Team — the name chosen by the hacker(s) who recently leaked data on more than 30 million Ashley Madison users. Here is the first of likely several posts examining individuals who appear to be closely connected to this attack.
It was just past midnight on July 20, a few hours after I’d published an exclusive story about hackers breaking into AshleyMadison.com. I was getting ready to turn in for the evening when I spotted a re-tweet from a Twitter user named Thadeus Zu (@deuszu) who’d just posted a link to the same cache of data that had been confidentially shared with me by the Impact Team via the contact form on my site just hours earlier: It was a link to the proprietary source code for Ashley Madison’s service.
Initially, that tweet startled me because I couldn’t find any other sites online that were actually linking to that source code cache. I began looking through his past tweets and noticed some interesting messages, but soon enough other news events took precedence and I forgot about the tweet.
I revisited Zu’s tweet stream again this week after watching a press conference held by the Toronto Police (where Avid Life Media, the parent company of Ashley Madison, is based). The Toronto cops mostly recapped the timeline of known events in the hack, but they did add one new wrinkle: They said Avid Life employees first learned about the breach on July 12 (seven days before my initial story) when they came into work, turned on their computers and saw a threatening message from the Impact Team accompanied by the anthem “Thunderstruck” by Australian rock band AC/DC playing in the background.
After writing up a piece on the bounty offer, I went back and downloaded all five years’ worth of tweets from Thadeus Zu, a massively prolific Twitter user who typically tweets hundreds if not thousands of messages per month. Zu’s early years on Twitter are a catalog of simple hacks — commandeering unsecured routers, wireless cameras and printers — as well as many, many Web site defacements.
On the defacement front, Zu focused heavily on government Web sites in Asia, Europe and the United States, and in several cases even taunted his targets. On Aug. 4, 2012, he tweeted to KPN-CERT, a computer security incident response team in the Netherlands, to alert the group that he’d hacked their site. “Next time, it will be Thunderstruck. #ACDC” Zu wrote.
The day before, he’d compromised the Web site for the Australian Parliament, taunting lawmakers there with the tweet: “Parliament of Australia bit.ly/NPQdsP Oi! Oi! Oi!….T.N.T. Dynamite! Listen to ACDC here.”
I began to get very curious about whether there were any signs on or before July 19, 2015 that Zu was tweeting about ACDC in relation to the Ashley Madison hack. Sure enough: At 9:40 a.m., July 19, 2015 — nearly 12 hours before I would first be contacted by the Impact Team — we can see Zu is feverishly tweeting to several people about setting up “replication servers” to “get the show started.” Can you spot what’s interesting in the tabs on his browser in the screenshot he tweeted that morning?
Ten points if you noticed the Youtube.com tab showing that he’s listening to AC/DC’s “Thunderstruck.”
A week ago, the news media pounced on the Ashley Madison story once again, roughly 24 hours after the hackers made good on their threat to release the Ashley Madison user database. I went back and examined Zu’s tweet stream around that time and found he beat Wired.com, ArsTechnica.com and every other news media outlet by more than 24 hours with the Aug. 17 tweet, “Times up,” which linked to the Impact Team’s now infamous post listing the sites where anyone could download the stolen Ashley Madison user database.
WHO IS THADEUS ZU?
As with the social networking profiles of others who’ve been tied to high-profile cybercrimes, Zu’s online utterings appear to be filled with kernels of truth surrounded by complete malarkey, thus making it challenging to separate fact from fiction. Hence, all of this could be just one big joke by Zu and his buddies. In any case, here are a few key observations about the who, what and where of Thadeus Zu based on information he’s provided (again, take that for what it’s worth).
Zu’s Facebook profile wants visitors to think he lives in Hawaii; indeed, the time zone set on several of his social media accounts is the same as Hawaii’s. There are a few third-party Facebook accounts of people demonstrably living in Hawaii who tag him in their personal photos of events in Hawaii (see this cached photo, for example), but for the most part Zu’s Facebook account consists of pictures taken from stock image collections that do not appear to be personal photos of any kind.
A few tweets from Zu — if truthful and not simply premeditated misdirection — indicate that he lived in Canada for at least a year, although it’s unclear when this visit occurred.
Zu’s various Twitter and Facebook pictures all feature hulking, athletic, and apparently black male models (e.g. he’s appropriated two profile photos of male model Rob Evans). But Zu’s real-life identity remains murky at best. The lone exception I found was an image that appears to be a genuine group photo taken of a Facebook user tagged as Thadeus Zu, along with an unnamed man posing in front of a tattoo store with popular Australian (and very inked) model/nightclub DJ Ruby Rose.
That photo is no longer listed in Rose’s Facebook profile, but a cached version of it is available here. Rose’s tour schedule indicates that she was in New York City when that photo was taken, or at least posted, on Feb. 6, 2014. Zu is tagged in another Ruby Rose Facebook post five days later on Valentine’s Day. Update, 2:56 p.m.: As several readers have pointed out, the two people beside Rose in that cached photo appear to be Franz Dremah and Kick Gurry, co-stars in the movie Edge of Tomorrow.
Other clues in his tweet stream and social media accounts put Zu in Australia. Zu has a Twitter account under the Twitter nick @ThadeusZu, which has a whopping 11 tweets, but seems rather to have been used as a news feed. In that account Zu is following some 35 Twitter accounts, and the majority of them are various Australian news organizations. That account also is following several Australian lawmakers that govern states in south Australia.
Then again, Twitter auto-suggests popular accounts for new users to follow, and usually does so in part based on the Internet address of the user. As such, @ThadeusZu may have only been using an Australian Web proxy or a Tor node in Australia when he set up that account (several of his self-published screen shots indicate that he regularly uses Tor to obfuscate his Internet address).
Even so, many of Zu’s tweets going back several years place him in Australia as well, although this may also be intentional misdirection. He continuously references his “Oz girl,” (“Oz” is another word for Australia) uses the greeting “cheers” quite a bit, and even talks about people visiting him in Oz.
Interestingly, for someone apparently so caught up in exposing hypocrisy and so close to the Ashley Madison hack, Zu appears to have himself courted a married woman — at least according to his own tweets. On January 5, 2014, Zu tweeted:
“Everything is cool. Getting married this year. I am just waiting for my girl to divorce her husband. #seachange”
A month later, on Feb. 7, 2014, Zu offered this tidbit of info:
“My ex. We were supposed to get married 8 years ago but she was taken away from me. Cancer. Hence, my downward spiral into mayhem.”
To say that Zu tweets to others is a bit of a misstatement. I have never seen anyone tweet the way Zu does; he sends hundreds of tweets each day, and while most of them appear to be directed at nobody, it does seem that they are in response to (if not in “reply” to) tweets that others have sent him or made about his work. Consequently, his tweet stream appears to the casual observer to be nothing more than an endless soliloquy.
But there may be something else going on here. It is possible that Zu’s approach to tweeting — that is, responding to or addressing other Twitter users without invoking the intended recipient’s Twitter handle — is something of a security precaution. After all, he had to know and even expect that security researchers would try to reconstruct his conversations after the fact. That reconstruction is easy when an account uses Twitter’s reply feature or @mentions, because every such tweet carries an explicit pointer to the tweet or user it answers. It is far more difficult when the user never actually participates in threaded conversations: the only evidence left is circumstantial, such as who happened to mention him shortly before each of his unaddressed replies. People who engage in this way of tweeting also do not readily reveal the Twitter identities of the people with whom they chat most.
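To make the contrast concrete, here is a small added example (not code from the original post, and the tweet records in it are constructed, not real tweets) that reconstructs conversations from an archive two ways. For an account that threads normally, the reply pointers and @mentions give its conversation partners directly; for an account that answers without addressing anyone, the only thing left is a timing heuristic: which accounts mentioned it in the minutes before each unaddressed tweet. The field names and the ten-minute window are assumptions for the sake of the example.

```python
"""Reconstructing conversations from a tweet archive, and what survives
when an account never threads. Added example; the records below are
constructed sample data, not real tweets."""
import re
from datetime import datetime, timedelta

MENTION = re.compile(r"@(\w{1,15})")

# Constructed archive: (id, user, utc_time, in_reply_to_id, text).
# alice/bob thread normally; "soliloquy" answers carol without metadata.
SAMPLE = [
    (1, "alice", "2015-07-19T09:40:00", None, "@bob replication servers ready?"),
    (2, "bob", "2015-07-19T09:42:00", 1, "@alice almost, need the mirror list"),
    (3, "alice", "2015-07-19T09:45:00", 2, "@bob sent. get the show started"),
    (4, "soliloquy", "2015-07-19T09:41:00", None, "Yes. Replication servers are up."),
    (5, "carol", "2015-07-19T09:43:00", None, "@soliloquy when do we start"),
    (6, "soliloquy", "2015-07-19T09:44:00", None, "Soon. Patience."),
]


def parse(records):
    """Index the flat records by tweet id (assumed field layout, see SAMPLE)."""
    tweets = {}
    for tid, user, ts, reply_to, text in records:
        tweets[tid] = {
            "id": tid,
            "user": user,
            "time": datetime.fromisoformat(ts),
            "reply_to": reply_to,
            "text": text,
        }
    return tweets


def thread_of(tweets, tid):
    """Follow in_reply_to pointers back to the root; returns ids root-first.
    This is the easy case: the metadata spells out the conversation."""
    chain, seen = [], set()
    while tid is not None and tid in tweets and tid not in seen:
        seen.add(tid)
        chain.append(tid)
        tid = tweets[tid]["reply_to"]
    return list(reversed(chain))


def outbound_partners(tweets, user):
    """Accounts that `user` addressed directly, via reply metadata or @mentions.
    Empty for an account that never threads or mentions anyone."""
    partners = set()
    for t in tweets.values():
        if t["user"] != user:
            continue
        if t["reply_to"] in tweets:
            partners.add(tweets[t["reply_to"]]["user"])
        partners.update(m for m in MENTION.findall(t["text"]) if m != user)
    return partners


def timing_candidates(tweets, user, window_minutes=10):
    """For each tweet by `user` with no reply metadata and no @mention, the
    accounts that mentioned `user` within the preceding window. This is the
    weak, circumstantial evidence that is left when an account never threads:
    it names a candidate, not a confirmed recipient."""
    window = timedelta(minutes=window_minutes)
    result = {}
    for t in tweets.values():
        if t["user"] != user or t["reply_to"] is not None or MENTION.search(t["text"]):
            continue
        candidates = set()
        for other in tweets.values():
            if other["user"] == user:
                continue
            mentioned = user in MENTION.findall(other["text"])
            in_window = t["time"] - window <= other["time"] < t["time"]
            if mentioned and in_window:
                candidates.add(other["user"])
        result[t["id"]] = candidates
    return result


if __name__ == "__main__":
    archive = parse(SAMPLE)
    print("thread of tweet 3:", thread_of(archive, 3))
    print("alice addressed:", outbound_partners(archive, "alice"))
    print("soliloquy addressed:", outbound_partners(archive, "soliloquy"))
    print("soliloquy timing candidates:", timing_candidates(archive, "soliloquy"))
```

Run against the constructed archive, alice’s side of the conversation falls out of the metadata alone, while the unaddressed account yields no partners at all and only a timing guess (carol) for its second tweet and nothing for its first. The heuristic is easy to defeat, which is exactly why the tweeting style described above makes after-the-fact reconstruction so much harder.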
Thadeus Zu — whoever and wherever he is in real life — may not have been directly involved in the Ashley Madison hack; he claims in several tweets that he was not part of the hack, but then in countless tweets he uses the royal “We” when discussing the actions and motivations of the Impact Team. I attempted to engage Zu in private conversations without success; he has yet to respond to my invitations.
It is possible that Zu is instead a white hat security researcher or confidential informant who has infiltrated the Impact Team and is merely riding on their coattails or acting as their mouthpiece. But one thing is clear: If Zu wasn’t involved in the hack, he almost certainly knows who was.
KrebsOnSecurity is grateful to several researchers, including Nick Weaver, for their assistance and time spent indexing, mining and making sense of tweets and social media accounts mentioned in this post. Others who helped have asked to remain anonymous. Weaver has published some additional thoughts on this post over at Medium.
Great work Brian. The forensics make a great read!
#seachange might be an interesting clue – that was an Australian TV series from 98-2000 about someone going through a big life change, moving and changing partners https://en.wikipedia.org/wiki/SeaChange
Excellent article. You would have to think that someone would rather take a reward rather than become an accessory. Just as many people wished they could have had a second chance, the same will go for the people involved. A nice hefty paycheque and immunity would be a lot more pleasant than years in prison.
After a worm hit a nuclear facility in Iran that played “Thunderstruck” somebody released a payload that replicated it here https://cyberarms.wordpress.com/2015/02/09/recreating-iran-acdc-thunderstruck-worm-with-powershell-metasploit/ – perhaps he was just a script kiddie who recycled the payload and happened to like the song? Or mayhap he’s the worm’s author? Or maybe he’s creating a diversion? I’ve intentionally taken screen shots with stuff in the background myself in order to divert attention. And have altered log timestamps etc. Diversionary tactics to mislead security ‘researchers’ are very common.
I meant to write “the impact team is most probably behind the twitter account @deuszu”
Apology for the typo above
Wait for it…..Ruby Rose IS Thadeus Zu (queue inception music…)
After only a short time examining this Twitter Feed…
On the 23rd of August, Thadeus Zu appears to be bragging about 3 images which he was able to obtain from an MX-4101N printer.
None of these images show up in Google image search, and he seemed to have had them in his possession BEFORE Noel Biderman was doxxed on the 24th.
If these images hadn’t been released before the 24th, and even if they were only released in the 3rd dump, this would provide conclusive proof of Kreb’s theory.
The first two images were posted on the 23rd of August. One shows Noel and his wife under a billboard with the caption ‘Hi, Noel’… while the second shows the Billboard with the caption ‘What did I tell you about storing pics in devices connected to the internet. Protect your privacy.’
The third image released on the 24th but obviously obtained with the first two, shows Noel’s wife alone under the billboard with the caption, ‘Mrs. Madison is kinda hot.’
I’m unaware of the exact AM dump timeline. However, it’s clear that there is plenty of information to be mined in this Twitter feed.
phone number maps back to a billboard company in South Africa – outdoor.co.za – http://www.outdoorco.co.za/contact_us.htm
Thadeus Zu sounds funny to me because I’m polish and in polish there is a name “Tadeusz” and it looks like this fellow might be called just like that 😉
deuszu also appears on a lot of websites, in support of Wikileaks and Bradley Manning.
Google search on deuszu shows lot of links where he has tried html changes to webpages
Thanks for such an informative and exciting explanation, even if it turns out to be incorrect it’s still a great piece of investigative work
steganography in those stock images?
Really great work Brian. You know the worst part is that literally millions of kids will be harmed by this. Ya ya I know. Their fathers shouldn’t have been on that site. But the hackers could have just released the data necessary to harm the company and merely taunted the users. Probably would have scared them straight. Now unfortunately families are ruined and so many children will never have a normal life again. Regardless of your moral compass there’s no reason to hurt those kids. So sad.
Will, I agree with you about how sad it is for the kids. It’s heartbreaking, it truly is. But don’t blame the fathers alone. EVERYONE is talking about how the father is to blame. In all fairness it’s the sneaky, cowardly individuals who are intentionally trying to have sex with strangers behind their spouses’ backs who are at fault. Men and women, not just the fathers. Men and women alike are equally at fault. I’m not saying that sex with strangers is a good thing or a bad thing, I am just saying that when you dedicate your life to someone by asking them to marry you there should be love, respect, honor.
If a man or woman loses that love, respect or honor for their partner for whatever reason, good or bad, they should have the courage to say so and just get a divorce. Life is too short to live under false pretenses anyway.
It’s not the affairs that are the full issue. It’s about lying about who you are not only to your wife but also to your kids. The hacker did not make a commitment to anyone.
Why didn’t these individuals think of their kids and how much disappointment and turmoil it would bring to them to learn that their own parent is not who they say they are? Why… because they are selfish, self-centered cowards who have over time accumulated an over-inflated sense of self-entitlement and blatant disregard for the people that should be at the forefront of their thoughts. I cannot hold empathy for a mother or father who does not put their own kids’ needs first.
In my humble opinion I think they deserve to be caught as it is the only way they can understand that it is not acceptable behavior in today’s society. Will, I honestly think there is no way to “scare” them straight.
If a man or woman is not happy in a relationship they should have enough moral fiber, or at the very least enough respect for the person to whom they are married, to be honest with them and speak truthfully.
So when they continued asking him, he lifted up himself, and said unto them, He that is without sin among you, let him first cast a stone at her
I love how people who have never spent 15 years being exclusively loyal to ONE person like to preach about how marriage and love “should” be. Guess what, people lead very complicated lives. Your clear cut view of morality is childish. I can’t hear a word you say, and I won’t listen until you are faithful to one person for 15 years–then you can preach to me.
I’ve been with the same person for 15 years. It’s not that hard. Morality is simple really; it’s relativism and great concern with catering to yourself that complicates things. Sometimes the best that can happen to a person is exposure. Light has a way of bringing truth and reality into sharp focus. You can never create true happiness, joy, peace, dignity, or fulfillment from wrongdoing. Someday you will be thankful the light was turned on.
That’s what I said twenty years ago. That’s not easy in real life. Stay with one person for a long time, have kids and then write what you think? Like you said, there is only one life and people want the best of everything including love, security, and sex. Unfortunately, sometimes they all don’t come in one package.
Impressive work again, Brian! Some of the picture links are already dead.
How did you go about downloading Zu’s tweets for the past five years? As far as I know, the Twitter API only allows for 3200 of the latest tweets to be downloaded.
Just used Twitter’s advanced search options, and grabbed them by month, holding the page down button until the end, then saving the html to a file and then printing the file to a pdf for a backup.
Amazing sleuthing Brian! Wonder if TZ was on AM as a user (“married girlfriend”).
“I promise I’ll be telling my husband about us… Soon”
Wow, great stuff Brian. Something tells me you’ll be in the movie someday and whoever decides to claim the bounty will be on the talk show circuit and be signing a huge book deal soon!
Great article. His tweets are interesting. Can it be some cryptic way of communication? Anagrams and things like that? 🙂
Nick Weaver’s thoughts on this are worth reading. This isn’t about guesswork, it’s all about the trail we all leave when we view web pages – and how that trail can strip away anonymity. For example, the ubiquitous “Like” button is treacherous …
“The Like button and related elements don’t just track a person when they click “like”, they also record the pageview even if the user does nothing. Thus a request for the IP address, time, browser user-agent, and referrer of every view of the Like or Tweet This button for Thadeus Zu will reconstruct a huge amount of his browsing history.”
I didn’t know that, but it’s one more reason to strip out web page trackers.
Here’s my take:
That account has various people posting on the same account (a previous commenter noted this). Occasionally, they have identifiers (e.g., amigo, man, hombre, channel out ninjas). Some of these may be a theme word used to describe one poster (i.e. man = amigo = hombre = user A). Don’t have enough time to do a more thorough analysis.
So the question is if they are a couple of trolls, low level hackers, or really the impact team.
If they are the impact team, then the big question is why the heck would they post on twitter? Well, let’s look at the personality characteristics of someone who would hack AM… among their group would be a bunch of narcissists. What does this mean? Shallow self-esteem requiring the need for attention/acknowledgement in order to feel good about them self/selves. It also begets grudges against specific people, like Noel (or users), with a disregard for the potential harm on others for what is perceived as a higher moral standard.
Don’t get me wrong, anyone who would purposefully cheat on their spouse has their own issues. But the issues they have are not nearly as bad as whoever keeps this twitter account.
How do we know Brian Krebs’ network is secured and not compromised? Maybe this was part of the design by the hackers. The hackers could be 2 steps ahead of everyone including Krebs.
I don’t think we need to worry about Krebs, He’s a stand up guy dude
THADEUS ZU… It’s not a guy, it’s a group of people from all over.
Tried to reply but this is easier. My first reaction was also that the AM ex-CTO had something to do with it. He did to nerve.com what has been done to AM. He also expressed unwillingness to proceed against nerve because he wanted to be able to look his son in the eye. Perhaps his sense of ethics did not quite cover AM, thus leading to the fabrication of an Aussie Impact Team. Just a theory… let there be rock!
How much in ethics is required in an attempt to shut down a site like this?
Just smoke on the water, the real intruder is from digitalgangster, not saying names but i can give you an account with PMs from THEM
have been following deusZu on Twitter for at least 6 months. his acct is like an echo chamber. vaguely humorous. also seemed like a moralist about the AM users from the get go. constantly saying bro and redneck. bizarre at least, always wondered who his audience was. not qualified to comment on your technical analysis but truly a fascinating study!
Notice this tweet shows a screenshot of Noel Biderman emails that are NOT included in the incomplete torrent… the 93.3% mailbox ends at “Tue, 10 Jan 2012 10:23:03 -0500” but this shows emails with attachments timestamped before that… If he wasn’t the one person that got the 100% torrent (would be “lucky”) then he ABSOLUTELY knows who did this hack.
“The problem is, or rather one of the problems, for there are many, a sizeable proportion of which are continually clogging up the civil, commercial, and criminal courts in all areas of the Galaxy, and especially, where possible, the more corrupt ones, this.”
Alles klar herr kommissar?
Personally i prefer Douglas Adams quotes to Falco 🙂 y tu zu?
In the part that reads “Zu is tagged in another Ruby Rose Facebook post five days later on Valentine’s Day. ”
Who would be with Rose on Valentine’s Day? According to a Google search, Ruby Rose is dating or engaged to “Phoebe Dahl” who is a woman. Could Thadeus Zu be a woman? Could the person in the photo tagged as Thadeus Zu be Phoebe Dahl on Valentine’s Day with Ruby Rose? Both are linked to Australia.
True this is more than one handle we are talking about here. Different people log into that account and manage it. I don’t think there is one ‘Thadeus’.
Has anybody else received a phone call from 19856060307 with a man saying “times up”?
What a STORY!!! I was on the edge of my seat the entire read. Awesome work!!
The hack is such a monumental moment for the online world, we have no clue at to the repercussions!! Great read!