Prepare to be Thunderstruck: What if 'deuszu' ISN'T the Ashley Madison hacker?

Attribution is harder than a taste in music

Security researcher Brian Krebs last week named whoever is behind the Twitter account deuszu as likely having had a hand in the Ashley Madison hack. But has Krebs named the right entity?

Attribution isn't that easy and Krebs has gone out on a limb.

Take, for example, Krebs' belief that a fondness for the AC/DC tune Thunderstruck links deuszu to the Ashley Madison attack in July.

A screen-cap posted by Krebs – sourced from deuszu’s Twitter account – shows a 2012 tweet referencing AC/DC's Thunderstruck: the tweet shows a defaced security website playing a video of the hard-rock hit.

On August 19, 2015, deuszu tweeted a screen-cap showing a tab open playing AC/DC's Thunderstruck. And in 2015 the Ashley Madison hackers made the company’s work computers play the song Thunderstruck as well.

The image below shows deuszu's tweet from August 4, 2012. Might it indicate guilt in the Ashley Madison hacking? Or is there something else tying deuszu, Thunderstruck, and later events?

To form a counter-argument, consider the other news that was grabbing global attention in late July 2012.

"Iranian nuke plants rocked in midnight 'heavy metal blast'" – a tale of something odd going on in Iran, with AC/DC's Thunderstruck blaring from hacked computers, emerged in late July of that year.

It’s not really too much of a stretch to think that in early August 2012, deuszu might have been listening to Thunderstruck, based on his interest in infosec news and the level of media attention mentioning the song at the time.

Even deuszu's later use of the tune in defacements he tweeted seems like simple imitation of what had happened in Iran.

The claim that the Impact Team hackers managed to make Ashley Madison employees' computers play AC/DC’s Thunderstruck in 2015, and a screenshot showing deuszu once listened to the same song in 2012, are hardly forensic proof that deuszu was responsible for the Ashley Madison hack.

Who knew what, first?

The second point that bothers me is the attribution of this hack to deuszu based on a belief that Twitter provides the best – or only – timeline for the hack.

Krebs' assertion that Twitter account deuszu appears “to be closely connected” to the Ashley Madison hack appears to rest on this tweet:

[Screenshot: Thadeus Zu's Ashley Madison tweet]

Krebs wrote that deuszu’s tweet, on 19 July 2015 (containing a link to hacked Ashley Madison data), “startled” him, because he “... couldn’t find any other sites online that were actually linking to that source code cache.”

Yet the news was already spreading over on Full Disclosure:

[Screenshot: Full Disclosure mailing list post on the Ashley Madison hack]

Thadeus Zu may well have been the first to post about it on Twitter on 17 July (without linking to the dumps), but frankly, tweeting about a breaking story – one already announced online more than 48 hours earlier – seems a pretty crummy indication of potential guilt in perpetrating the original hack.

Impact Team publicly announced the hack on 15 July 2015 — two whole days before deuszu first tweeted about the breach on 17 July. It’s only strange nobody tweeted about the hack sooner.

Where in the world is deuszu?

Evidence about Zu's location, based on his tweet-stream, is also equivocal.

Krebs has made a number of claims about Thadeus Zu’s potential location, based on social media open source intelligence (OSINT) garnered from Facebook and Twitter.

“Zu’s Facebook profile wants visitors to think he lives in Hawaii,” Krebs wrote, basing his claim on stock photos and a time zone posted by Zu.

Yet evidence Zu actually lives in Hawaii is scant, as Krebs noted: it's limited to time zone information and tags from other people. It's not hard to change time zone settings, or to misinform.

One of Zu's Twitter accounts follows Australian news and political accounts (as Krebs spotted), but it's also worth stating that Zu is a member of a number of Facebook groups with links to Italy and Australia; and that ThadeusZu has previously posted links mentioning Brisbane, Australia.

Over the past few days, Krebs' article has kicked off a Twitter spat with Zu and the researcher's claims were widely reported.

But there are two particular details that are just as indicative of Zu's identity and associations as Krebs' observations:

  • The website linked on ThadeusZu’s Twitter account profile points at nsa.gov; and
  • Among ThadeusZu's small number of followers is the Twitter account ArmyCIOG6 – the official Twitter account for news from the US Army's Chief Information Officer/G-6.

It would be just as easy (although outrageously conspiratorial) to paint Zu as an Army psy-ops COINTELPRO-style Twitter account: partly human-operated, partly bot script, scraping and scanning social media, trying to gather intel by tweeting tantalising snippets in almost gibberish tweet-speak, and perpetrating small defacements on a regular basis in an attempt to appear legitimate to other hackers. In other words, an intelligence-organisation-funded Twitter account that potentially jumped the gun and tweeted a link about a hack it was tracking just a little too early, gaining international media interest.

Of course, such claims are utterly unfounded (for now), but Krebs' theories about deuszu and the Ashley Madison hack are little stronger. For all we know, Zu may be a dog on the internet.

Zu's potential involvement in previous website defacements seems like a fairly low-value target for a legal prosecutor to chase.

Although linking to dumped data has landed others in jail before, there is little evidence in the public realm that Zu is behind the Ashley Madison hack.

Of course, the Ashley Madison hack has generated huge public interest, fuelled by a $500,000 reward offered by Avid Life Media for information leading to the prosecution of the hackers.

And Zu is unlikely to mount any legal challenge, since that would expose his identity, and his numerous screen-caps over the years of various website defacements would certainly bring unwanted attention from law enforcement.

Zu looks like an easy target – but probably the wrong one. ®

Editor's note: This article was updated after publication to switch the first screenshot to the correct one.
