The Curious Case of @deuszu, the Ashley Madison Hack, and an American Journalist

Journalist Brian Krebs may have identified those responsible for infiltrating the adultery website.


As word has trickled out on the Internet of the massive breach of adultery website Ashley Madison, one Twitter user, @deuszu, has been conspicuously ahead of the curve.

On July 19, journalist Brian Krebs revealed that Ashley Madison’s servers had been hacked. That report was based on a link to a cache of Ashley Madison data he was provided by the Impact Team, the group claiming to be behind the hack. Shortly after his story posted, @deuszu tweeted the same link. And when the Impact Team posted Ashley Madison’s user data, @deuszu beat the news cycle again, scooping tech outlets Wired and Ars Technica.

Zu’s ability to advance news of the hack has led Krebs, arguably today’s most prominent chronicler of cybercrime, to a simple conclusion: The person or people behind the @deuszu Twitter account either carried out the Ashley Madison hack or know those who did. “Here’s a person who has the inside track of what the Ashley Madison hackers have been doing,” Krebs said in an interview with Foreign Policy. “He’s been tripping over himself to tell the world.” Krebs laid out the case against Zu in a post on his personal blog Wednesday.

Thadeus Zu, as the Twitter user has named itself, says he’s just “an avid follower of news” and vehemently denies any connection to the hack, which has spilled 36 million dating profiles onto the Internet, sparked an FBI investigation, and resulted in countless uncomfortable conversations in homes across the country.

Since Krebs published his allegations against Zu, the @deuszu Twitter account has been carrying out a crusade against the Virginia-based journalist. FP asked Zu for an interview, but he has not responded.

In a case that has exposed the most privately held secrets of millions of people, Krebs’s investigation is notable for its total reliance on open-source material. If Zu is in fact connected to the breach, he has been astoundingly arrogant in the amount of information he has posted online, given the ease with which it has been collected by Krebs. The investigation itself is a fascinating case study in how morsels of online information can be pieced together to make a basically convincing case that a social media profile and those who have access to it are connected to a hacking affair that has captivated the world.

It’s not the first time Krebs has carried out such an investigation. Following the widespread theft of credit card data from Target, Krebs identified the Ukrainian hacker Andrew Hodirevski as one of the people responsible for selling the stolen credit card information on the Internet underground.

“One thing that I find with these malicious or criminal hackers is that they just can’t help themselves,” Krebs said, referring to their proclivity for broadcasting information about their exploits. “They have tremendous egos, and they end up digging their own graves.”

Before Krebs revealed the Ashley Madison hack on July 19, for example, Zu tweeted about setting up replication servers, a way to ensure delivery of a large database to downloading users. In a screenshot accompanying that tweet, one tab in Zu’s browser is opened to the rock band AC/DC’s song “Thunderstruck.” When employees at Ashley Madison’s parent company showed up for work earlier that month, they had found messages from the Impact Team, the group that has claimed responsibility for the hack, along with “Thunderstruck” playing on their computers.

But with the evidence in the Ashley Madison case freely available for any to scrutinize, some have questioned whether Krebs really has his man. While Zu was an early distributor of the Ashley Madison source code, the link that he tweeted had appeared earlier on a public email forum called Full Disclosure.

Krebs isn’t claiming to have solved this case. “These are my observations. Are they 100 percent right? I’m sure they’re not,” he said. “Is there a pattern here that deserves more scrutiny? Yes.”

The Impact Team, for example, has argued in its public statements that it attacked Ashley Madison in part because of its promotion of infidelity, and in his Twitter posts, Zu has echoed that kind of rhetoric.

Deepening the mystery, it’s possible that the Zu Twitter persona is used by more than one person. The account posts prolifically and with significant changes in tone. It appears that the account is engaged in conversation with someone, but it does not use Twitter’s “@” reply function. If the @deuszu account belongs to the hackers who breached Ashley Madison, it is possible that they use it as a form of communication with one another, posting on its page as a kind of public message board.

Social media searches for the persona behind the name Thadeus Zu reveal little information. That person’s Facebook page is an escapist fantasy that has appropriated photographs of the male model Rob Evans for its profile pictures. Various social media posts indicate that Zu may have lived in Australia for a time and also in Canada. The latter place of residence is certainly intriguing given that Ashley Madison is a Toronto-based company, and its executives have said that the hackers likely “touched” its security systems at some point.

The Ashley Madison hack has generated intense public interest and is fairly unprecedented in the recent history of massive data breaches. Stealing credit cards or social security numbers can certainly be damaging, but exposing a spouse’s desire to have an affair is a far more personal matter. Reports have surfaced of hackers trying to blackmail those whose account information has been leaked. There are even reports of suicides connected to the breach.

Thanks to his coverage of the breach, Krebs’s blog set a traffic record this month. He says his investigation into Thadeus Zu will continue.

Top image: Facebook/Thadeus Zu

 Twitter: @EliasGroll