The Ghost With a Grudge: How the Impact Team Destroyed Ashley Madison and Vanished
July 12, 2015. Employees at Ashley Madison powered on their computers. AC/DC’s “Thunderstruck” blasted from their speakers. A ransom message filled their screens.
The Impact Team had arrived.
Their demand was simple. Shut down Ashley Madison and Established Men within 30 days. Or the personal data of 37 million users gets dumped on the internet.
Ashley Madison refused. The hackers followed through. Then they vanished.
No arrests. No charges. A $500,000 bounty went unclaimed. The identity of the Impact Team remains unknown.
The Platform Built on Lies
Ashley Madison launched in 2001 as a dating site for married people seeking affairs. By 2014, the company reported $115 million in revenue and claimed 37 million users across 40 countries. CEO Noel Biderman was preparing for an IPO on the London Stock Exchange.
Behind the slick marketing sat a fraud operation.
The FTC later revealed Ashley Madison created over 70,000 fake female profiles called “engager profiles” or “fembots.” These automated chatbots converted 75% of all paying users. Analysis of leaked data showed only 1% of the 5.5 million female accounts were active. The rest were created once and abandoned. Meanwhile, 84% of all profiles belonged to men.
The worst fraud was the “Full Delete” feature. Users paid $19 to permanently scrub their data from the system. This feature generated $1.7 million in 2014 alone.
It was a complete lie.
Credit card details, real names, and addresses were never deleted. The Impact Team used this fraud as their justification for the attack.
30 Days
July 19, 2015. The hackers posted their manifesto to Pastebin and started the countdown. Security journalist Brian Krebs received a direct message through his website. The Impact Team sent him stolen documents, server maps, employee credentials, and salary information.
Krebs called Noel Biderman. The CEO answered immediately and confirmed the breach. “We’re on the doorstep of confirming who we believe is the culprit,” Biderman said. “It was definitely a person here that was not an employee but certainly had touched our technical services.”
Ashley Madison called it “cyber-terrorism” and claimed they had secured their sites. They released 2,500 customer records as proof the threat was real.
August 18, 2015. Exactly 30 days later, the Impact Team posted “Time’s up!” along with 9.7 gigabytes of compressed data on Tor. The data was cryptographically signed. Within hours, it spread to the open web.
Two days later, another 19 gigabytes dropped. This dump included Ashley Madison’s source code and three years of Biderman’s personal emails.
In a Vice interview, the Impact Team described Ashley Madison’s security as “nonexistent.” They said, “We worked hard to make a fully undetectable attack, then got in and found nothing to bypass. Nobody was watching.”
The Human Cost
Toronto police announced two unconfirmed suicides on August 24. A pastor and seminary professor took his life days after the leak. More suicides followed.
Extortionists targeted exposed users immediately. They demanded over $200 in Bitcoin to keep the information from reaching spouses and employers. Fake “search engine” sites harvested more data while pretending to check if emails appeared in the leak.
The extortion never stopped. In 2020, a new wave of blackmail emails resurfaced using details from the original breach. The leaked data still circulates on dark web forums today.
The leak exposed email addresses from U.S. government and military domains. It revealed 1,200 Saudi Arabian addresses. Adultery is punishable by death in Saudi Arabia.
Reality TV star Josh Duggar appeared in the data. Transaction records showed nearly $1,000 in charges. Internet vigilantes organized shaming campaigns. Employers fired workers whose company emails appeared in the dump. Divorce filings spiked.
The Company Falls Apart
Journalists examined 200,000 emails from Biderman’s inbox. Multiple outlets reported evidence of affairs conducted by the CEO of a company that profited from infidelity.
Biderman resigned on August 28, 2015.
Users filed a $567 million class-action lawsuit in Canada. The company, renamed Ruby Corporation, settled for $11.2 million in July 2017.
The FTC and 13 states reached a separate settlement in December 2016. They imposed a $17.5 million judgment. Most of it was suspended because the company could not pay.
The FTC investigation confirmed Ashley Madison had no written security policy. No reasonable access controls. No employee security training. No monitoring of third-party vendors.
The Hunt Goes Nowhere
Toronto Police, the RCMP, Ontario Provincial Police, FBI, and Homeland Security all investigated. No arrests were ever made.
The Impact Team used Tor exclusively. They signed data with PGP keys. They left almost no forensic trace.
Several suspects emerged over the years.
William Brewster Harrison worked as a contractor for Ashley Madison in 2010. He created fake female profiles. The company fired him in November 2011. He immediately launched a harassment campaign against executives, sending hundreds of threatening emails.
His admin access was not revoked until August 2012. Nine months after termination.
In a final email to Biderman, Harrison wrote, “Just remember I outsmarted you last time and I will outsmart you and out maneuver you this time too, by keeping myself far far away from the action and just enjoying the sideline view.” He signed it “We are legion.”
Harrison died by suicide on March 5, 2014. More than 15 months before the Impact Team announced the breach.
Biderman did not know Harrison was dead when he named him as the prime suspect.
Hours after Krebs published his initial story, a Twitter user named Thadeus Zu posted a link to Ashley Madison’s source code. Krebs discovered Zu had a history of hacking government sites and playing AC/DC music after intrusions.
Zu denied involvement but repeatedly used “we” when discussing the Impact Team. Krebs concluded, “If Zu wasn’t involved in the Ashley Madison hack, he almost certainly knows who was.”
Zu’s real identity remains unknown.
Jordan Evan Bloom was hired as a developer at Ashley Madison in late 2014. He resigned in June 2015, weeks before the hack. Three months after the breach, Bloom launched LeakedSource.com, a service selling access to billions of stolen credentials.
In 2019, his company pleaded guilty to running the site. Bloom denied involvement in the Ashley Madison hack.
A user named “Brutium” advertised 32 million Ashley Madison records for sale on a Russian cybercrime forum in January 2015. Six months before the public hack. The connection remains unclear.
Lessons That Still Matter
The Ashley Madison breach is now taught in cybersecurity courses. The lessons remain relevant.
If you charge users to delete their data, you must actually delete it. The FTC settlement made this clear. Ashley Madison’s failure was both the hackers’ motivation and the basis for legal action.
Insider threats are real. Multiple suspects had legitimate access that was never properly managed. Harrison kept admin credentials for nine months after termination. Bloom had developer access until weeks before the breach. Basic offboarding procedures could have prevented this.
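The offboarding gap described above can be checked mechanically by reconciling HR termination dates against an identity-system export. This is an added example, not part of the original article; the account names, dates and record layout are constructed for illustration.

```python
from datetime import date, timedelta

# Constructed sample data (hypothetical names and dates, not from the breach).
HR_TERMINATIONS = {"contractor_a": date(2024, 1, 15), "dev_b": date(2024, 6, 1)}

# Identity-system export: owner, account, privileged?, disabled_on, last_login
ACCOUNTS = [
    ("contractor_a", "contractor_a-admin", True, date(2024, 10, 15), date(2024, 3, 2)),
    ("contractor_a", "contractor_a-vpn", False, date(2024, 1, 15), date(2024, 1, 14)),
    ("dev_b", "dev_b-git", False, None, date(2024, 5, 30)),
    ("dev_c", "dev_c-admin", True, None, date(2024, 7, 1)),  # still employed
]

def audit_offboarding(terminations, accounts, today, grace=timedelta(days=1)):
    """Return accounts that outlived their owner's termination by more than `grace`."""
    findings = []
    for owner, account, privileged, disabled_on, last_login in accounts:
        left_on = terminations.get(owner)
        if left_on is None:
            continue  # owner is not in the termination list
        # An account that was never disabled is exposed up to the audit date.
        exposure = (disabled_on or today) - left_on
        if exposure <= grace:
            continue  # revoked on time
        findings.append({
            "account": account,
            "status": "STILL_ACTIVE" if disabled_on is None else "LATE_REVOCATION",
            "privileged": privileged,
            "exposure_days": exposure.days,
            # A login after the termination date is the highest-priority signal.
            "used_after_termination": last_login is not None and last_login > left_on,
        })
    # Privileged accounts first, then longest exposure window.
    findings.sort(key=lambda f: (not f["privileged"], -f["exposure_days"]))
    return findings

if __name__ == "__main__":
    for finding in audit_offboarding(HR_TERMINATIONS, ACCOUNTS, today=date(2024, 12, 1)):
        print(finding)
```

Run on a schedule, a check like this surfaces both accounts that are still live and accounts that were revoked late, so the process failure is visible even after the access is gone.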
Sensitive data attracts disproportionate risk. The personal nature of Ashley Madison’s data made it uniquely destructive. Sexual preferences, GPS coordinates, affair-seeking behavior. This information weaponized shame and attracted extortionists.
Data breaches do not expire. Extortion campaigns using 2015 data continued five years later. Once sensitive information enters the wild, criminals monetize it indefinitely.
No Resolution
The Ashley Madison hack remains unsolved. The top suspect died before the hack happened. The Twitter lead vanished. The developer who quit before the breach built a credential empire but denied connection. The Russian forum user deleted their profile.
Ashley Madison still operates under Ruby Corp. The site claims to have implemented two-factor authentication, PCI compliance, and encrypted browsing.
For millions whose data was dumped online, there is no resolution. No courtroom reckoning. No face behind the mask.
The Impact Team delivered their ultimatum, executed their threat, and disappeared into the same shadows Ashley Madison promised would protect its users.
The ghosts won. They are still out there.


