It’s downright strange how little we know about the hacker or hackers who exposed the identities of over 30 million Ashley Madison users in 2015. They leaked incredibly sensitive data about millions of people, did not profit in any obvious way, turned “Ashley Madison” into a punchline throughout the English speaking world, and rode off into the sunset.
You probably remember the hack, but it’s doubtful you remember the culprit: some entity called “The Impact Team.” A reward of $500,000 was offered for information leading to their arrest and prosecution, but no such arrest has ever been made.
Noel Biderman, the CEO at the time of Ashley Madison’s parent company, claimed that he knew exactly who did it, and that they were an insider. But that turned out to have been a former employee who had died by suicide before the hack.
One possible culprit discovered by researchers at the time was an enigmatic figure calling himself Thadeus Zu. A Berkley researcher named Nicholas Weaver found the circumstantial evidence against Zu compelling enough to call upon law enforcement to get a warrant, crack open Zu’s social media accounts and find out more. That evidently never happened.
But Brian Krebs, the security researcher who initially reported the hack, and initially made the case against Thadeus Zu, uncovered an equally compelling person of interest earlier this year: Evan Bloom, a former Ashley Madison employee who was convicted in 2019 of selling hacked internet account information. In an interview with Krebs, Bloom denied involvement.
Without a guilty party able to give us the inside story on what happened, has the Ashley Madison hack been mis-shelved in the library of internet history? Have we all, in a sense, been swindled into accepting “LOL” as our collective response to something ugly and insidious?
Ashley Madison had long been an attractive target for hackers
To refresh your memory, Ashley Madison is (yep, is, not was) a paywalled dating website, founded in 2001, and marketed to people who are already in relationships — which is to say it’s ostensibly for linking would-be cheaters with would be co-cheaters.
You probably remember the bumper-sticker bluntness of the tagline: “Life is short. Have an affair.” So if you were a partnered person wishing for a place online to simply browse for someone to have secret sex with, and make the necessary arrangements to have that sex, Ashley Madison was made to look like just the one-stop shopping service you were looking for.
Ashley Madison was also allegedly leveraging the paranoia of its users around data security for extra revenue. A feature called “Full Delete” claimed to remove all traces of a user from the site’s internal system for the low low price of $19, and netted the company millions. ArsTechnica ran a story about the sketchiness of this practice in the months before the hack. The Impact Team would later claim that the feature didn’t even work, and analysts who examined the site’s database would find evidence that the hackers were right.
Miriam Gottfried of the Wall Street Journal wrote in May of 2015, almost two months before the attack, that in light of a similar hack at AdultFriendFinder.com, which in part exposed cheating spouses, “the parent company of AshleyMadison.com, a dating site that specifically caters to cheating spouses, may want to take note.” And that very parent company, Avid Life Media, was unwisely making noise that spring by taking steps toward becoming a publicly traded company.
So even before it was hacked, Ashley Madison was a loudly ticking time bomb.
And then it went off.
What the hack exposed
The incident itself is legendary. Heavy internet users had already known Ashley Madison as a disreputable and vaguely untrustworthy website, but the hack made it a household name, at least for a time. Consequently, Ashley Madison is now a universally understood shorthand term for digital infidelity.
A whole lot of data leaked, including a giant database of user information that included users’ first and last names, email addresses, street addresses, and dates of birth.
So were these leaked users all cheaters? Well, probably not successful ones in many cases. In terms of convenience and reliability, the site didn’t live up to its Amazon-Prime-but-for-infidelity promise.
The Impact Team would later claim that 90-95 percent of the female profiles were fake. This was almost certainly an exaggeration, but examinations of the structure of the site soon made it clear that Ashley Madison had been connecting a vast number of male users with supposedly female users who were actually chatbots, and that it had no comparably scaled system for mollifying lonely female users.
To be clear, there were real female users — and after the hack, some of them even wrote about their sexual adventures — but the gender imbalance in the user base was clearly a known problem inside Ashley Madison.
A supposed act of ‘hacktivism’ that blew up lives
It appears a hack was suspected in early July of 2015, and then it was investigated until a post on an undisclosed hacker forum was finally reported on July 15 by security researcher Brian Krebs. The initial release of information included a manifesto headlined — somewhat bafflingly to outsiders — “AM and EM must shut down immediately permanently.” AM refers to Ashley Madison, and EM refers to Established Men, another dating site owned by Avid Life Media. This one is for age-gapped relationships between ingenues and older rich dudes.
The news was a late night TV monologue waiting to happen, and the TV personalities delivered:
Not much in James Corden’s standup routine about the hack is all that outlandish. He asks us to imagine a desperate, guilt-ridden husband trying to wriggle out of being caught, scrambling and shrugging off the hack like it’s nothing. Extensive reporting after the fact shows that Corden was simply describing the reality in countless troubled marriages at the time.
But the Impact Team manifesto simply did not voice disapproval about cheating, and in fact, it made for baffling reading if anyone actually took the time.
The author addresses the CTO of Avid Life Media by name, saying “Well Trevor, welcome to your worst fucking nightmare,” and thumps their chest about the Impact Team’s amazing hacking abilities. Their actual complaints are directed at the company itself, noting that “ALM management is bullshit and has made millions of dollars from complete 100% fraud.”
The manifesto then makes its claim about the full delete feature being both dishonest and non-functional, noting that the company “will be liable for fraud and extreme personal and professional harm from millions of their users,” a seeming appeal to the sympathies of the cheaters. But for good measure, it also tacks on the personal information of two users (which is why Mashable will not be linking to it).
“If you profit off the pain of others, whatever it takes, we will completely own you,” the manifesto reads. In the ensuing months, the hack would be used as a case study in hacktivism. Forbes, for instance branded it as hacktivism, noting that Ashley Madison, “no doubt, took a public approach to a semi-taboo subject (adultery) in American society, and arguably courted controversy as part of their marketing scheme.” But nothing in their manifesto, nor their apparent only media appearance, an interview with Vice, gave any evidence that facilitating infidelity in and of itself was the actual impetus for the hack. Their allegations of fraud, poor site management, and poor security, are the extent of their reasoning. “Avid Life Media is like a drug dealer abusing addicts,” they told Vice’s Joseph Cox.
In terms of logic, it was like breaking into an arms factory purely to punish the company for making faulty bombs, stealing all the bombs, and then dropping them on the Pentagon. No matter the human cost, and no matter the stated motives of the attackers, some Pentagon opponents would surely applaud, and some might not even be curious why any of it happened.
Public reaction was unsympathetic to the victims
The leak of information that followed the hack exposed millions of humiliated spouses to the wrath of the families they betrayed, and the social circles they disappointed. While there was ample handwringing about the moral ambiguities of the data dump, some commentators nonetheless took the opportunity to let fly their cruelest verbal arrows.
Writing in The Observer shortly after the exposure of the data, commentator Barbara Ellen pronounced this batch of cheaters guilty of “stupidity,” and deserving of no pity. One might assume she was arguing for conventional morality, but in fact, Ellen found Ashley Madison users “too wussy, miserly and/or timid to either have a proper, full-blown affair or hire a sex worker.” In other words, these cheaters were exceptionally lowly, and deserved everything they got.
Regardless, it looks like the hack made no lasting impact on norms and online behavior, or perhaps it made everything worse.
And anyone who does regard the hackers as heroic certainly wouldn’t be in a rush to unmask them and bring them to justice. That’s increasingly looking like the wrong instinct.
What was the Impact Team’s real motive?
I contacted cybercrime experts to learn more about possible motives, but none wanted to speculate. Cybercrime researcher Kevin Steinmetz of Kansas State University, for instance, was hesitant to talk to me about this befuddling case. Steinmetz did say some details of the case strike him as “not something you see pop up as being ‘hacktivist.'”
If their muddled and self-contradictory hacktivism wasn’t their real motive, the other obvious possibility is monetary gain, something they vehemently denied to Vice.
But even if these hackers were after money, they blew their profit opportunity by giving away the valuable personal details to anyone and everyone a little over a month after the initial hack. They made all the data available over bittorrent via a link available on the dark web. (It’s worth noting that Bloom, who denied involvement in the hack, did sell the leaked Ashley Madison data as part of a larger data sales operation). In an accompanying statement, Impact Team was characteristically sympathetic to the people whose information had been leaked — “too bad for those men” — but also came across as judgmental toward them for the first time, saying “they’re cheating dirt bags and deserve no such discretion.”
Some party or parties used the leak data to carry out a series of blackmail incidents that carried on until at least 2020, but there’s no evidence that the Impact Team directly perpetrated any of the blackmail it enabled.
Speaking generally about hackers throughout history, Steinmetz was quick to note that “There were actors that were doing it ‘for the lulz’,” referring to the familiar, Joker-style practice of causing destruction for its own sake, just to laugh at the victims. But he added, “There’s no reason why a genuine political motivation can’t coexist with doing it for thrills and kicks.”
Steinmetz pointed to a helpful parallel example: Cult of the Dead Cow, the group that made the term “hacktivism” famous — and briefly made headlines in 2019 due to the sudden rise to prominence of former member Beto O’Rourke. Cult of the Dead Cow once publicized a security flaw in Microsoft’s Windows 98 by releasing a piece of software that allowed systems to be remotely controlled, theoretically against the will of the owner of the system. As an added flourish, they gave their piece of software the anatomical name “Back Orifice” for extra media oomph.
“Back Orifice is going to be made available to anyone who takes the time to download it,” the Cult’s publicity statement says. “So what does that mean for anyone who’s bought into Microsoft’s Swiss cheese approach to security?” Microsoft shrugged it off, despite receiving plenty of media attention, and Back Orifice was made available to users, according to Wired. The corporation they targeted didn’t respond, so they made good on their threat, potentially putting all Windows 98 users in danger. The incident’s echoes can indeed be heard in the Ashley Madison breach.
Hackers, it would seem, gonna hack. And in truth, there might be nothing more to it than this.
Ashley Madison is a lightning rod for extremism
Krebs, who originally reported the hack on his blog and has covered it relentlessly ever since, wasn’t satisfied to let the Ashley Madison story end with such a shrug, and, last year, he dug around in the absolute seediest parts of the internet looking for clues about Impact Team’s motives.
While he didn’t find anything conclusive, Krebs did find things sure to leave a bad taste in the mouth of anyone who praised the hack as moral.
Using a cybercrime and extremism research tool called Flashpoint, Krebs uncovered old posts about Ashley Madison not so much on the cybercrime side of things, but on the extremism side.
Specifically, an unsettling animosity among internet antisemites in 2015 toward Biderman (who you’ll recall was the CEO of Avid Life Media at the time). He describes posts calling Ashley Madison a “Jewish owned dating website promoting adultery,” and writings from prominent neo-Nazi Andrew Anglin referring to Biderman as the “Jewish King of Infidelity.” These, and other, similar remarks, were posted in the months leading up to the hack.
Biderman, for his part, resigned amid the leaks in 2015. But the site has carried on without Biderman, and a promoted post on the Chicago Reader website in which the site has been reviewed favorably, is one of the Google results that comes to the top when Google searching for information about Ashley Madison. The publication date on that review changes regularly, making it appear recent.
Using Ashley Madison these days, however, is probably just as unwise as it ever was. That’s because of the obvious moral reason, but also because its notoriety seems to be making it a magnet for blackmail schemes. One Reddit user claims an Ashley Madison conversation last year took a turn when they gave the other party their phone number. Soon, they received “a screen shot of my Facebook my wifes Facebook and a few other relatives telling me that they will all see what im doing unless i send them 3000 in Nordstrom giftcards.”
A few months later, that same Reddit user reported that they hadn’t paid the $3,000 but that they had also never had their information exposed. The blackmailer must not be from the Impact Team, because past evidence suggests they don’t go around making empty threats.