A Lead in the Ashley Madison Hack or Merely Another AC/DC Fan?

A photo illustration shows the Ashley Madison app displayed on a smartphone in Toronto, August 20, 2015. Mark Blinch/Reuters

On Wednesday, Brian Krebs, the security blogger who had the exclusive on hackers breaking into the infidelity-focused website Ashley Madison last month, connected Twitter user Thadeus Zu (@deuszu) to the crime. "One thing is clear," Krebs writes in a post titled "Who hacked Ashley Madison?," "If Zu wasn't involved in the hack, he almost certainly knows who was." But hours after his accusatory post, some journalists and technology experts began to pick apart his evidence.

Following the breach of Ashley Madison, the Impact Team, the mysterious hacker or hackers responsible for it, posted a warning of an impending data dump if the site was not taken down, accompanied by a small sampling of the data they stole. Krebs says his first clue was that Zu tweeted a link to the cache of data that the Impact Team had confidentially shared with Krebs hours earlier. "Initially, that tweet startled me," wrote Krebs. "I couldn't find any other sites online that were actually linking to that source code cache."

But the "whoever linked it leaked it" logic is flawed, according to Melbourne-based journalist Asher Wolf. On Thursday morning, Wolf tweeted a screenshot from Seclists.org, which archives top security mailing lists. The image showed that the link, which supposedly implicated Zu, was publicly available on the site prior to Zu's tweet.

A month after the first information dump, Impact Team made good on their threat and leaked sensitive data of more than 30 million Ashley Madison customers. A full 24 hours before news media picked up the story, Krebs notes, Zu had tweeted the now infamous Impact Team posting, which linked to the stolen bounty of customer information. Again, the early tweet isn't enough to implicate Zu, according to Wolf.

Anyway, the definitive way to prove attribution about a hack is to ID who posted about it first on Twitter. Right? Right?

— Asher Wolf (@Asher_Wolf) August 27, 2015

Krebs's case against Zu continues.

Toronto cops, he notes, said employees of Avid Life Media, Ashley Madison's parent company, learned of the breach on July 12 (seven days before Krebs broke the story). "[T]hey came into work, turned on their computers and saw a threatening message from the Impact Team accompanied by the anthem 'Thunderstruck' by Australian rock band AC/DC playing in the background," he wrote. Curious to see if Zu had tweeted about AC/DC, Krebs downloaded all five years' worth of Zu's tweets.

And sure enough, Zu had. On August 4, 2012, Zu tweeted at CERT Netherlands, an Internet security incident-response organization, with a screenshot of their hacked site, which displays a video of AC/DC's "Thunderstruck." And again, "nearly 12 hours before" Krebs had been contacted by Impact Team, Zu tweeted a screenshot of his computer screen. One of his open tabs: AC/DC's "Thunderstruck." Some of Krebs's fellow journalists were unconvinced that having AC/DC on Zu's hands (or Internet history) was proof of involvement:

I, too, am not convinced that Tweets and liking AC/DC are proof enough to hang blame for the Ashley Madison hack https://t.co/i9qpgl1ZmW

— Matthew Panzarino (@panzer) August 27, 2015

Thursday afternoon, Zu maintained his innocence on Twitter.

I have NO contact with Impact Team and I am NOT the ' Ashley Madison ' hacker.

— Thadeus Zu (@deuszu) August 27, 2015

I am just an avid follower of news.

— Thadeus Zu (@deuszu) August 27, 2015