[This is Part III in a series on research conducted for a recent Hulu documentary on the 2015 hack of marital infidelity website AshleyMadison.com.]
In 2019, a Canadian firm known as Defiant Tech Inc. pleaded responsible to working LeakedSource[.]com, a service that offered entry to billions of passwords and different knowledge uncovered in numerous knowledge breaches. KrebsOnSecurity has discovered that the proprietor of Defiant Tech, a 32-year-old Ontario man named Jordan Evan Bloom, was employed in late 2014 as a developer for the marital infidelity web site AshleyMadison.com. Bloom resigned from AshleyMadison citing well being causes in June 2015 — lower than one month earlier than unidentified hackers stole knowledge on 37 million customers — and launched LeakedSource three months later.
Jordan Evan Bloom, posing in entrance of his Lamborghini.
On Jan. 15, 2018, the Royal Canadian Mounted Police (RCMP) charged then 27-year-old Bloom, of Thornhill, Ontario, with promoting stolen private identities on-line via the web site LeakedSource[.]com.
LeakedSource was marketed on quite a lot of widespread cybercrime boards as a service that might assist hackers break into invaluable or high-profile accounts. LeakedSource additionally tried to move itself off as a authorized, reputable enterprise that was advertising to safety companies and professionals.
The RCMP arrested Bloom in December 2017, and mentioned he made roughly $250,000 promoting hacked knowledge, which included data on 37 million person accounts leaked within the 2015 Ashley Madison breach.
Subsequent press releases from the RCMP concerning the LeakedSource investigation omitted any point out of Bloom, and referred to the defendant solely as Defiant Tech. In a authorized settlement that’s quintessentially Canadian, the matter was resolved in 2019 after Defiant Tech agreed to plead responsible. The RCMP declined to remark for this story.
A GREY MARKET
The Impact Team, the hacker group that claimed accountability for stealing and leaking the AshleyMadison person knowledge, additionally leaked a number of years price of e mail from then-CEO Noel Biderman. A assessment of these messages exhibits that Ashley Madison employed Jordan Evan Bloom as a PHP developer in December 2014 — despite the fact that the corporate understood that Bloom’s success as a programmer and businessman was tied to shady and legally murky enterprises.
Bloom’s advice got here to Biderman through Trevor Sykes, then chief expertise officer for Ashley Madison mother or father agency Avid Life Media (ALM). The following is an e mail from Sykes to Biderman dated Nov. 14, 2014:
“Greetings Noel,
“We’d like to offer Jordan Bloom the position of PHP developer reporting to Mike Morris for 75k CAD/Year. He did well on the test, but he also has a great understanding of the business side of things having run small businesses himself. This was an internal referral.”
When Biderman responded that he wanted extra details about the candidate, Sykes replied that Bloom was independently rich on account of his forays into the shadowy world of “gold farming” — the semi-automated use of enormous numbers of participant accounts to win some benefit that’s normally associated to cashing out sport accounts or stock. Gold farming is especially prevalent in massively multiplayer on-line role-playing video games (MMORPGs), corresponding to RuneScape and World of Warcraft.
“In his previous experience he had been doing RMT (Real Money Trading),” Sykes wrote. “This is the practice of selling virtual goods in games for real world money. This is a grey market, which is usually against the terms and services of the game companies.” Here’s the remainder of his message to Biderman:
“RMT sellers traditionally have a lot of problems with chargebacks, and payment processor compliance. During my interview with him, I spent some time focusing in on this. He had to demonstrate to the processor, Paypal, at the time he had a business and technical strategy to address his charge back rate.”
“He ran this company himself, and did all the coding, including the integration with the processors,” Sykes continued in his evaluation of Bloom. “Eventually he was squeezed out by Chinese gold farmers, and their ability to market with much more investment than he could. In addition the cost of ‘farming’ the virtual goods was cheaper in China to do than in North America.”
COME, ABUSE WITH US
The gold farming reference is fascinating as a result of in 2017 KrebsOnSecurity revealed Who Ran LeakedSource?, which examined clues suggesting that one of many directors of LeakedSource additionally was the admin of abusewith[.]us, a web site unabashedly devoted to serving to folks hack e mail and on-line gaming accounts.
An administrator account Xerx3s on Abusewithus.
Abusewith[.]us started in September 2013 as a discussion board for studying and instructing hack accounts at Runescape, an MMORPG set in a medieval fantasy realm the place gamers battle for kingdoms and riches.
The forex with which Runescape gamers purchase and promote weapons, potions and different in-game gadgets are digital gold cash, and lots of of Abusewith[dot]us’s early members traded in a handful of commodities: Phishing kits and exploits that might be used to steal Runescape usernames and passwords from fellow gamers; digital gold plundered from hacked accounts; and databases from hacked boards and web sites associated to Runescape and different on-line video games.
That 2017 report right here interviewed a Michigan man who acknowledged being administrator of Abusewith[.]us, however denied being the operator of LeakedSource. Still, the story famous that LeakedSource probably had multiple operator, and breached information present Bloom was a prolific member of Abusewith[.]us.
In an e mail to all workers on Dec. 1, 2014, Ashley Madison’s director of HR mentioned Bloom graduated from York University in Toronto with a level in theoretical physics, and that he has been an energetic programmer since highschool.
“He’s a proprietor of a high traffic multiplayer game and developer/publisher of utilities such as PicTrace,” the HR director enthused. “He will be a great addition to the team.”
PicTrace seems to have been a service that allowed customers to glean details about anybody who considered a picture hosted on the platform, corresponding to their Internet tackle, browser sort and model quantity. A replica of pictrace[.]com from Archive.org in 2012 redirects to the area qksnap.com, which DomainTools.com says was registered to a Jordan Bloom from Thornhill, ON that very same yr.
The road tackle listed within the registration information for qksnap.com — 204 Beverley Glen Blvd — additionally exhibits up within the registration information for leakadvisor[.]com, a site registered in 2017 simply months after Canadian authorities seized the servers working LeakedSource.
Pictrace, one in all Jordan Bloom’s early IT successes.
A assessment of passive DNS information from DomainTools signifies that in 2013 pictrace[.]com shared a server with only a handful of different domains, together with Near-Reality[.]com — a well-liked RuneScape Private Server (RSPS) sport primarily based on the RuneScape MMORPG.
Copies of near-reality[.]com from 2013 through Archive.org present the highest of the group’s homepage was retrofitted with a message saying Near Reality was not out there resulting from a copyright dispute. Although the positioning doesn’t specify the opposite get together to the copyright dispute, it seems Near-Reality bought sued by Jagex, the proprietor of RuneScape.
The message goes on to say the web site will not “encourage, facilitate, enable or condone (i) any infringement of copyright in RuneScape or any other Jagex product; nor (ii) any breach of the terms and conditions of RuneScape or any other Jagex product.”
A scene from the MMORPG RuneScape.
AGENTJAGS
Near Reality additionally has a Facebook web page that was final up to date in 2019, when its proprietor posted a hyperlink to a information story about Defiant Tech’s responsible plea within the LeakedSource investigation. That Facebook web page signifies Bloom additionally glided by the nickname “Agentjags.”
“Just a quick PSA,” reads a put up to the Near Reality Facebook web page dated Jan. 21, 2018, which linked to a narrative concerning the fees in opposition to Bloom and a photograph of Bloom standing in entrance of his lime-green Lamborghini. “Agentjags has got involved in some shady shit that may have compromised your personal details. I advise anyone who is using an old NR [Near Reality] password for anything remotely important should change it ASAP.”
By the start of 2016, Bloom was nowhere to be discovered, and was suspected of getting fled his nation for the Caribbean, in line with the folks commenting on the Near Reality Facebook web page:
“Jordan aka Agentjags has gone missing,” wrote a presumed co-owner of the Facebook web page. “He is supposedly hiding in St. Lucia, doing what he loved, scuba-diving. Any information to his whereabouts will be appreciated.”
KrebsOnSecurity ran the weird nickname “AgentJags” via a search at Constella Intelligence, a business service that tracks breached knowledge units. That search returned only a few dozen outcomes — and nearly all had been accounts at varied RuneScape-themed websites, together with a half-dozen accounts at Abusewith[.]us.
Constella discovered different “AgentJags” accounts tied to the e-mail tackle ownagegaming1@gmail.com. The advertising agency Apollo.io skilled a knowledge breach a number of years again, and in line with Apollo the e-mail tackle ownagegaming1@gmail.com belongs to Jordan Bloom in Ontario.
Constella additionally revealed that the password ceaselessly utilized by ownagegaming1@gmail.com throughout many websites was some variation on “niggapls,” which my 2017 report discovered was additionally the password utilized by the administrator of LeakedSource.
Constella found that the e-mail eric.malek@rogers.com comes up when one searches for “AgentJags.” This is curious as a result of emails leaked from Ashley Madison’s then-CEO Biderman present that Eric Malek from Toronto was the Ashley Madison worker who initially beneficial Bloom for the PHP developer job.
According to DomainTools.com, Eric.Malek@rogers.com was used to register the area devjobs.ca, which beforehand marketed “the most exciting developer jobs in Canada, delivered to you weekly.” Constella says eric.malek@rogers.com additionally had an account at Abusewith[.]us — beneath the nickname “Jags.”
Biderman’s e mail information present Eric Malek was additionally a PHP developer for Ashley Madison, and that he was employed into this place only a few months earlier than Bloom — on Sept. 2, 2014. The CEO’s leaked emails present Eric Malek resigned from his developer place at Ashley Madison on June 19, 2015.
“Please note that Eric Malek has resigned from this position with Avid and his last day will be June 19th,” learn a June 5, 2015 e mail from ALM’s HR director. “He is resigning to deal with some personal issues which include health issues. Because he is not sure how much time it will take to resolve, he is not requesting a leave of absence (his time off will be indefinite). Overall, he likes the company and plans to reach out to Trevor or I when the issues are resolved to see what is available at that time.”
A follow-up e mail from Biderman demanded, “want to know where he’s truly going….,” and it’s unclear whether or not there was friction with Malek’s departure. But ALM General Counsel Avi Weisman replied indicating that Malek most likely wouldn’t signal an “Exit Acknowledgment Form” previous to leaving, and that the corporate had unanswered questions for Malek.
“Aneka should dig during exit interview,” Weisman wrote. “Let’s see if he balks at signing the Acknowledgment.”
Bloom’s departure discover from Ashley Madison’s HR particular person, dated June 23, 2015, learn:
“Please note that Jordan Bloom has resigned from his position as PHP Developer with Avid. He is leaving for personal reasons. He has a neck issue that will require surgery in the upcoming months and because of his medical appointment schedule and the pain he is experiencing he can no longer commit to a full-time schedule. He may pick up contract work until he is back to 100%.”
A follow-up observe to Biderman about this announcement learn:
“Note that he has disclosed that he is independently wealthy so he can get by without FT work until he is on the mend. He has signed the Exit Acknowledgement Form already without issue. He also says he would consider reapplying to Avid in the future if we have opportunities available at that time.”
Perhaps Mr. Bloom damage his neck from craning it round blind spots in his Lamborghini. Maybe it was from a foul scuba outing. Whatever the ache in Bloom’s neck was, it didn’t cease him from launching himself absolutely into LeakedSource[.]com, which was registered roughly one month after the Impact Team leaked knowledge on 37 million Ashley Madison accounts.
Mr. Malek declined a request for remark. A now-deleted LinkedIn profile for Malek from December 2018 listed him as a “technical recruiter” from Toronto who additionally attended Mr. Bloom’s alma mater — York University. That resume didn’t point out Mr. Malek’s transient stint as a PHP developer at Ashley Madison.
“Developer, entrepreneur, and now technical recruiter of the most uncommon variety!” Mr. Malek’s LinkedIn profile enthused. “Are you a developer, or other technical specialist, interested in working with a recruiter who can properly understand your concerns and aspirations, technical, environmental and financial? Don’t settle for a ‘hack’; this is your career, let’s do it right! Connect with me on LinkedIn. Note: If you are not a resident of Canada/Toronto, I cannot help you.”
INTERVIEW WITH BLOOM
Mr. Bloom advised KrebsOnSecurity he had no position in harming or hacking Ashley Madison. Bloom validated his identification by responding at one of many e mail addresses talked about above, and agreed to discipline questions as long as KrebsOnSecurity agreed to publish our e mail dialog in full (PDF).
Bloom mentioned Mr. Malek did suggest him for the Ashley Madison job, however that Mr. Malek additionally obtained a $5,000 referral bonus for doing so. Given Mr. Malek’s acknowledged position as a technical recruiter, it appears probably he additionally beneficial a number of different workers to Ashley Madison.
Bloom was requested whether or not anybody on the RCMP, Ashley Madison or any authority wherever ever questioned him in reference to the July 2015 hack of Ashley Madison. He replied that he was known as as soon as by somebody claiming to be from the Toronto Police Service asking if he knew something concerning the Ashley Madison hack.
“The AM situation was not something they pursued according to the RCMP disclosure,” Bloom wrote. “Learning about the RCMP’s most advanced cyber investigative techniques and capabilities was very interesting though. I was eventually told information by a third party which included knowledge that law enforcement effectively knew who the hacker was, but didn’t have enough evidence to proceed with a case. That is the extent of my involvement with any authorities.”
As to his firm’s responsible plea for working LeakedSource, Bloom maintains that the decide at his preliminary inquiry discovered that even when all the things the Canadian authorities alleged was true it might not represent a violation of any regulation in Canada with respect the fees the RCMP leveled in opposition to him, which included unauthorized use of a pc and “mischief to data.”
“In Canada at the lower court level we are allowed to possess stolen information and manipulate our copies of them as we please,” Bloom mentioned. “The judge however decided that a trial was required to determine whether any activities of mine were reckless, as the other qualifier of intentionally criminal didn’t apply. I will note here that nothing I was accused of doing would have been illegal if done in the United States of America according to their District Attorney. +1 for free speech in America vs freedom of expression in Canada.”
“Shortly after their having most of their case thrown out, the Government proposed an offer during a closed door meeting where they would drop all charges against me, provide full and complete personal immunity, and in exchange the Corporation which has since been dissolved would plead guilty,” Bloom continued. “The Corporation would also pay a modest fine.”
Bloom mentioned he left Ashley Madison as a result of he was bored, however he acknowledged beginning LeakedSource partly in response to the Ashley Madison hack.
“I intended to leverage my gaming connections to get into security work including for other private servers such as Minecraft communities and others,” Bloom mentioned. “After months of asking management for more interesting tasks, I became bored. Some days I had virtually nothing to do except spin in my chair so I would browse the source code for security holes to fix because I found it enjoyable.”
“I believe the decision to start LS [LeakedSource] was partly inspired by the AM hack itself, and the large number of people from a former friend group messaging me asking if XYZ person was in the leak after I revealed to them that I downloaded a copy and had the ability to browse it,” Bloom continued. “LS was never my idea – I was just a builder, and the only Canadian. In other countries it was never thought to be illegal on closer examination of their laws.”
Bloom mentioned he nonetheless considers himself independently rich, and that also has the lime inexperienced Lambo. But he mentioned he’s at present unemployed and might’t appear to land a job in what he views as his most promising profession path: Information safety.
“As I’m sure you’re aware, having negative media attention associated with alleged (key word) criminal activity can have a detrimental effect on employment, banking and relationships,” Bloom wrote. “I have no current interest in being a business owner, nor do I have any useful business ideas to be honest. I was and am interested in interesting Information Security/programming work but it’s too large of a risk for any business to hire someone who was formerly accused of a crime.”
If you favored this story, please take into account studying the primary two items on this sequence:
Top Suspect in 2015 Ashley Madison Hack Committed Suicide in 2014