Ashley Madison – Whodunit?


The fallout following the dump of data from Ashley Madison rumbles on, but the question remains: whodunit?


The Impact Team, a mysterious hacker collective, claimed responsibility almost immediately, but scepticism abounds.

Two high profile theories have surfaced from big names in the IT security industry: eccentric cyber celeb John McAfee and bringer of justice Brian Krebs.

McAfee posits that a former employee, specifically a woman, with insider knowledge of AM’s systems is to blame, whereas Krebs believes that a gent who goes by the name Thadeus Zu is closely linked, if not directly involved.


Lone Female Employee


McAfee’s theory is born of his “social engineering” skills as well as “over a week to finish analysis of the massive data dumps.”

He claims that “it was clear that the perpetrator had intimate knowledge of the technology stack of [Ashley Madison],” in particular citing the “actual MySQL database dumps.”

He continues that “the perpetrator’s two manifestos” and his experience in social engineering provided ample opportunity to “very quickly identify gender.”

McAfee’s analysis points out that “a few of the many strangely included files… would take even a top notch hacker years to gather, and seem to have little or no value.”

It’s certainly an interesting theory and you can read the full analysis here.


Thadeus Zu


Brian Krebs’ theory, however, is based on some interesting evidence he has gathered by looking into the life and times of one “Thadeus Zu”.

He purports that “if Zu wasn’t involved in the hack, he almost certainly knows who was.”

Much of Krebs’ theory focuses on the timing of released data and tweets sent by Thadeus. He, for example, “posted a link to the same cache of data that had been confidentially shared with [him] by The Impact Team.”

In true crime story fashion, it’s the little details that count. One that Krebs picks up on is Thadeus’ penchant for the popular rock band AC/DC.

Staff at Ashley Madison first discovered they had been hacked when they logged in and were greeted by the first manifesto threatening the release of data, with AC/DC’s Thunderstruck playing in the background.

Who else was listening to Thunderstruck? You guessed it: Thadeus Zu, in a screenshot he tweeted along with a tweet about getting “that show started”. “That show” could well be the hack itself.

Krebs raises some intriguing assertions and has clearly put in a lot of work and analysis. You can read his full article here.


Theory Crafting

Both theories offer interesting insights, but we have to remember that they are both only theories, and they are unlikely to be the last ones we hear before anyone is actually caught.

Mark James, ESET IT security specialist, had this to say on the matter:

“At this current time it’s all hearsay and whispers. This particular breach is attracting a very high amount of media attention and the authorities will want to get the culprits apprehended, or at least be in the process of making enquiries with suspects.

“Every day that goes by the trail gets colder, but I am sure this is one of those breaches that will see an arrest or two. In these cases the public needs to see that the authorities have the resources and knowledge to make an arrest.

“No matter what site is hacked, or the data that was taken, theft is theft, pure and simple. We need to see results and the criminals need to understand if they break the law they will be punished.”


Do you lend any credence to either theory? Do you have another theory?