Thunderstruck: AC/DC clue could identify first Ashley Madison hacker

The identity of someone with intimate knowledge of the hack on Avid Life Media's Ashley Madison website may be revealed thanks to a track by AC/DC, the Australian rock band famous for pioneering heavy metal and lead singer Angus Young's school uniform stage outfit.

What has this to do with the highly damaging leak of the Ashley Madison customer database? In a press conference this week the Toronto police department investigating the attack revealed a previously unknown fact about the day the company was breached. Acting staff superintendent Bryce Evans said that when Ashley Madison staff logged on to their PCs on 12 July, they were greeted with the hackers' manifesto accompanied by the song Thunderstruck by AC/DC.

While this may not seem particularly significant, it did strike a chord with the investigative journalist who broke the Ashley Madison story in July. Following the press conference Brian Krebs remembered a mysterious Twitter account he had encountered soon after he published his exclusive story last month.

Within hours of Krebs publishing his exclusive story on 19 July, the Thadeus Zu account tweeted a link to the Ashley Madison source code, the same cache of data that had been confidentially shared with Krebs by the hackers, known as the Impact Team. The account was the only one that Krebs could find linking to the specific cache of data.

"If Zu wasn't involved, he knows who was"

Having revisited Zu's prolific Twitter account in the wake of the Toronto police press conference on Monday, 24 August, Krebs found multiple mentions of AC/DC – and Thunderstruck specifically – in Zu's timeline, as well as key indicators which led him to claim that "if Zu wasn't involved in the hack, he almost certainly knows who was".

There are two key pieces of evidence that suggest Zu knew about the attack and subsequent data dump before anyone else. The first was a tweet on 19 July posted before Krebs was contacted by Impact Team about the breach, which said it was "time to get the show started", accompanied by a picture of a browser with a tab open in which AC/DC's Thunderstruck was playing on YouTube.

The second key piece of evidence from Zu's timeline appears a month later on 17 August when Impact Team published the massive customer database from Ashley Madison. Zu's tweet, linking to the dark web listing for the data dump, was posted 24 hours before any media outlet reported the leak, indicating that Zu was intimately aware of the hackers' actions.

Zu's identity remains a mystery with few clues to his or her true identity. Typically, Zu uses stock images of male models as his profile picture, though in the wake of Krebs' article, he changed this to the AC/DC logo for a time.

The owner of the account has promised to sue Krebs if he cannot produce more concrete evidence, claiming that the evidence about the original link to the source code was "made up". Zu also said that the version of Thunderstruck being listened to was that of Finnish band Steve'n'Seagulls, though that doesn't explain the mention of AC/DC in the browser tab.

Attribution is notoriously difficult in cyber attacks, as was the also case with the recent attack on Sony Pictures. Even with the Toronto police appealing for help from hackers, as well as Avid Life Media offering a £240,000 reward, it seems that identifying Impact Team will not be easy.

Mark James, IT security specialist at ESET told IBTimes UK: "At the current time it's all hearsay and whispers. This particular breach is attracting a very high amount of media attention and the authorities will want to get the culprits apprehended, or at least be in the process of making enquiries with suspects. Every day that goes by the trail gets colder, but I am sure this is one of those breaches that will see an arrest or two. In these cases the public needs to see that the authorities have the resources and knowledge to make an arrest."