Login
[This is Part III in a series on research conducted for a recent Hulu documentary on the 2015 hack of marital infidelity website AshleyMadison.com.]
In 2019, a Canadian company called Defiant Tech Inc. pleaded guilty to running LeakedSource[.]com, a service that sold access to billions of passwords and other data exposed in countless data breaches. KrebsOnSecurity has learned that the owner of Defiant Tech, a 32-year-old Ontario man named Jordan Evan Bloom, was hired in late 2014 as a developer for the marital infidelity site AshleyMadison.com. Bloom resigned from AshleyMadison citing health reasons in June 2015 — less than one month before unidentified hackers stole data on 37 million users — and launched LeakedSource three months later.
Jordan Evan Bloom, posing in front of his Lamborghini.
On Jan. 15, 2018, the Royal Canadian Mounted Police (RCMP) charged then 27-year-old Bloom, of Thornhill, Ontario, with selling stolen personal identities online through the website LeakedSource[.]com.
LeakedSource was advertised on a number of popular cybercrime forums as a service that could help hackers break into valuable or high-profile accounts. LeakedSource also tried to pass itself off as a legal, legitimate business that was marketing to security firms and professionals.
The RCMP arrested Bloom in December 2017, and said he made approximately $250,000 selling hacked data, which included information on 37 million user accounts leaked in the 2015 Ashley Madison breach.
Subsequent press releases from the RCMP about the LeakedSource investigation omitted any mention of Bloom, and referred to the defendant only as Defiant Tech. In a legal settlement that is quintessentially Canadian, the matter was resolved in 2019 after Defiant Tech agreed to plead guilty. The RCMP declined to comment for this story.
The Impact Team, the hacker group that claimed responsibility for stealing and leaking the AshleyMadison user data, also leaked several years worth of email from then-CEO Noel Biderman. A review of those messages shows that Ashley Madison hired Jordan Evan Bloom as a PHP developer in December 2014 — even though the company understood that Bloom’s success as a programmer and businessman was tied to shady and legally murky enterprises.
Bloom’s recommendation came to Biderman via Trevor Sykes, then chief technology officer for Ashley Madison parent firm Avid Life Media (ALM). The following is an email from Sykes to Biderman dated Nov. 14, 2014:
“Greetings Noel,
“We’d like to offer Jordan Bloom the position of PHP developer reporting to Mike Morris for 75k CAD/Year. He did well on the test, but he also has a great understanding of the business side of things having run small businesses himself. This was an internal referral.”
When Biderman responded that he needed more information about the candidate, Sykes replied that Bloom was independently wealthy as a result of his forays into the shadowy world of “gold farming” — the semi-automated use of large numbers of player accounts to win some advantage that is usually related to cashing out game accounts or inventory. Gold farming is particularly prevalent in massively multiplayer online role-playing games (MMORPGs), such as RuneScape and World of Warcraft.
“In his previous experience he had been doing RMT (Real Money Trading),” Sykes wrote. “This is the practice of selling virtual goods in games for real world money. This is a grey market, which is usually against the terms and services of the game companies.” Here’s the rest of his message to Biderman:
“RMT sellers traditionally have a lot of problems with chargebacks, and payment processor compliance. During my interview with him, I spent some time focusing in on this. He had to demonstrate to the processor, Paypal, at the time he had a business and technical strategy to address his charge back rate.”
“He ran this company himself, and did all the coding, including the integration with the processors,” Sykes continued in his assessment of Bloom. “Eventually he was squeezed out by Chinese gold farmers, and their ability to market with much more investment than he could. In addition the cost of ‘farming’ the virtual goods was cheaper in China to do than in North America.”
The gold farming reference is fascinating because in 2017 KrebsOnSecurity published Who Ran LeakedSource?, which examined clues suggesting that one of the administrators of LeakedSource also was the admin of abusewith[.]us, a site unabashedly dedicated to helping people hack email and online gaming accounts.
An administrator account Xerx3s on Abusewithus.
Abusewith[.]us began in September 2013 as a forum for learning and teaching how to hack accounts at Runescape, an MMORPG set in a medieval fantasy realm where players battle for kingdoms and riches.
The currency with which Runescape players buy and sell weapons, potions and other in-game items are virtual gold coins, and many of Abusewith[dot]us’s early members traded in a handful of commodities: Phishing kits and exploits that could be used to steal Runescape usernames and passwords from fellow players; virtual gold plundered from hacked accounts; and databases from hacked forums and websites related to Runescape and other online games.
That 2017 report here interviewed a Michigan man who acknowledged being administrator of Abusewith[.]us, but denied being the operator of LeakedSource. Still, the story noted that LeakedSource likely had more than one operator, and breached records show Bloom was a prolific member of Abusewith[.]us.
In an email to all employees on Dec. 1, 2014, Ashley Madison’s director of HR said Bloom graduated from York University in Toronto with a degree in theoretical physics, and that he has been an active programmer since high school.
“He’s a proprietor of a high traffic multiplayer game and developer/publisher of utilities such as PicTrace,” the HR director enthused. “He will be a great addition to the team.”
PicTrace appears to have been a service that allowed users to glean information about anyone who viewed an image hosted on the platform, such as their Internet address, browser type and version number. A copy of pictrace[.]com from Archive.org in 2012 redirects to the domain qksnap.com, which DomainTools.com says was registered to a Jordan Bloom from Thornhill, ON that same year.
The street address listed in the registration records for qksnap.com — 204 Beverley Glen Blvd — also shows up in the registration records for leakadvisor[.]com, a domain registered in 2017 just months after Canadian authorities seized the servers running LeakedSource.
Pictrace, one of Jordan Bloom’s early IT successes.
A review of passive DNS records from DomainTools indicates that in 2013 pictrace[.]com shared a server with just a handful of other domains, including Near-Reality[.]com — a popular RuneScape Private Server (RSPS) game based on the RuneScape MMORPG.
Copies of near-reality[.]com from 2013 via Archive.org show the top of the community’s homepage was retrofitted with a message saying Near Reality was no longer available due to a copyright dispute. Although the site doesn’t specify the other party to the copyright dispute, it appears Near-Reality got sued by Jagex, the owner of RuneScape.
The message goes on to say the website will no longer “encourage, facilitate, enable or condone (i) any infringement of copyright in RuneScape or any other Jagex product; nor (ii) any breach of the terms and conditions of RuneScape or any other Jagex product.”
A scene from the MMORPG RuneScape.
Near Reality also has a Facebook page that was last updated in 2019, when its owner posted a link to a news story about Defiant Tech’s guilty plea in the LeakedSource investigation. That Facebook page indicates Bloom also went by the nickname “Agentjags.”
“Just a quick PSA,” reads a post to the Near Reality Facebook page dated Jan. 21, 2018, which linked to a story about the charges against Bloom and a photo of Bloom standing in front of his lime-green Lamborghini. “Agentjags has got involved in some shady shit that may have compromised your personal details. I advise anyone who is using an old NR [Near Reality] password for anything remotely important should change it ASAP.”
By the beginning of 2016, Bloom was nowhere to be found, and was suspected of having fled his country for the Caribbean, according to the people commenting on the Near Reality Facebook page:
“Jordan aka Agentjags has gone missing,” wrote a presumed co-owner of the Facebook page. “He is supposedly hiding in St. Lucia, doing what he loved, scuba-diving. Any information to his whereabouts will be appreciated.”
KrebsOnSecurity ran the unusual nickname “AgentJags” through a search at Constella Intelligence, a commercial service that tracks breached data sets. That search returned just a few dozen results — and virtually all were accounts at various RuneScape-themed sites, including a half-dozen accounts at Abusewith[.]us.
Constella found other “AgentJags” accounts tied to the email address ownagegaming1@gmail.com. The marketing firm Apollo.io experienced a data breach several years back, and according to Apollo the email address ownagegaming1@gmail.com belongs to Jordan Bloom in Ontario.
Constella also revealed that the password frequently used by ownagegaming1@gmail.com across many sites was some variation on “niggapls,” which my 2017 report found was also the password used by the administrator of LeakedSource.
Constella discovered that the email eric.malek@rogers.com comes up when one searches for “AgentJags.” This is curious because emails leaked from Ashley Madison’s then-CEO Biderman show that Eric Malek from Toronto was the Ashley Madison employee who initially recommended Bloom for the PHP developer job.
According to DomainTools.com, Eric.Malek@rogers.com was used to register the domain devjobs.ca, which previously advertised “the most exciting developer jobs in Canada, delivered to you weekly.” Constella says eric.malek@rogers.com also had an account at Abusewith[.]us — under the nickname “Jags.”
Biderman’s email records show Eric Malek was also a PHP developer for Ashley Madison, and that he was hired into this position just a few months before Bloom — on Sept. 2, 2014. The CEO’s leaked emails show Eric Malek resigned from his developer position at Ashley Madison on June 19, 2015.
“Please note that Eric Malek has resigned from this position with Avid and his last day will be June 19th,” read a June 5, 2015 email from ALM’s HR director. “He is resigning to deal with some personal issues which include health issues. Because he is not sure how much time it will take to resolve, he is not requesting a leave of absence (his time off will be indefinite). Overall, he likes the company and plans to reach out to Trevor or I when the issues are resolved to see what is available at that time.”
A follow-up email from Biderman demanded, “want to know where he’s truly going….,” and it’s unclear whether there was friction with Malek’s departure. But ALM General Counsel Avi Weisman replied indicating that Malek probably would not sign an “Exit Acknowledgment Form” prior to leaving, and that the company had unanswered questions for Malek.
“Aneka should dig during exit interview,” Weisman wrote. “Let’s see if he balks at signing the Acknowledgment.”
Bloom’s departure notice from Ashley Madison’s HR person, dated June 23, 2015, read:
“Please note that Jordan Bloom has resigned from his position as PHP Developer with Avid. He is leaving for personal reasons. He has a neck issue that will require surgery in the upcoming months and because of his medical appointment schedule and the pain he is experiencing he can no longer commit to a full-time schedule. He may pick up contract work until he is back to 100%.”
A follow-up note to Biderman about this announcement read:
“Note that he has disclosed that he is independently wealthy so he can get by without FT work until he is on the mend. He has signed the Exit Acknowledgement Form already without issue. He also says he would consider reapplying to Avid in the future if we have opportunities available at that time.”
Perhaps Mr. Bloom hurt his neck from craning it around blind spots in his Lamborghini. Maybe it was from a bad scuba outing. Whatever the pain in Bloom’s neck was, it didn’t stop him from launching himself fully into LeakedSource[.]com, which was registered roughly one month after the Impact Team leaked data on 37 million Ashley Madison accounts.
Mr. Malek declined a request for comment. A now-deleted LinkedIn profile for Malek from December 2018 listed him as a “technical recruiter” from Toronto who also attended Mr. Bloom’s alma mater — York University. That resume did not mention Mr. Malek’s brief stint as a PHP developer at Ashley Madison.
“Developer, entrepreneur, and now technical recruiter of the most uncommon variety!” Mr. Malek’s LinkedIn profile enthused. “Are you a developer, or other technical specialist, interested in working with a recruiter who can properly understand your concerns and aspirations, technical, environmental and financial? Don’t settle for a ‘hack’; this is your career, let’s do it right! Connect with me on LinkedIn. Note: If you are not a resident of Canada/Toronto, I cannot help you.”
Mr. Bloom told KrebsOnSecurity he had no role in harming or hacking Ashley Madison. Bloom validated his identity by responding at one of the email addresses mentioned above, and agreed to field questions so long as KrebsOnSecurity agreed to publish our email conversation in full (PDF).
Bloom said Mr. Malek did recommend him for the Ashley Madison job, but that Mr. Malek also received a $5,000 referral bonus for doing so. Given Mr. Malek’s stated role as a technical recruiter, it seems likely he also recommended several other employees to Ashley Madison.
Bloom was asked whether anyone at the RCMP, Ashley Madison or any authority anywhere ever questioned him in connection with the July 2015 hack of Ashley Madison. He replied that he was called once by someone claiming to be from the Toronto Police Service asking if he knew anything about the Ashley Madison hack.
“The AM situation was not something they pursued according to the RCMP disclosure,” Bloom wrote. “Learning about the RCMP’s most advanced cyber investigative techniques and capabilities was very interesting though. I was eventually told information by a third party which included knowledge that law enforcement effectively knew who the hacker was, but didn’t have enough evidence to proceed with a case. That is the extent of my involvement with any authorities.”
As to his company’s guilty plea for operating LeakedSource, Bloom maintains that the judge at his preliminary inquiry found that even if everything the Canadian government alleged was true it would not constitute a violation of any law in Canada with respect the charges the RCMP leveled against him, which included unauthorized use of a computer and “mischief to data.”
“In Canada at the lower court level we are allowed to possess stolen information and manipulate our copies of them as we please,” Bloom said. “The judge however decided that a trial was required to determine whether any activities of mine were reckless, as the other qualifier of intentionally criminal didn’t apply. I will note here that nothing I was accused of doing would have been illegal if done in the United States of America according to their District Attorney. +1 for free speech in America vs freedom of expression in Canada.”
“Shortly after their having most of their case thrown out, the Government proposed an offer during a closed door meeting where they would drop all charges against me, provide full and complete personal immunity, and in exchange the Corporation which has since been dissolved would plead guilty,” Bloom continued. “The Corporation would also pay a modest fine.”
Bloom said he left Ashley Madison because he was bored, but he acknowledged starting LeakedSource partly in response to the Ashley Madison hack.
“I intended to leverage my gaming connections to get into security work including for other private servers such as Minecraft communities and others,” Bloom said. “After months of asking management for more interesting tasks, I became bored. Some days I had virtually nothing to do except spin in my chair so I would browse the source code for security holes to fix because I found it enjoyable.”
“I believe the decision to start LS [LeakedSource] was partly inspired by the AM hack itself, and the large number of people from a former friend group messaging me asking if XYZ person was in the leak after I revealed to them that I downloaded a copy and had the ability to browse it,” Bloom continued. “LS was never my idea – I was just a builder, and the only Canadian. In other countries it was never thought to be illegal on closer examination of their laws.”
Bloom said he still considers himself independently wealthy, and that still has the lime green Lambo. But he said he’s currently unemployed and can’t seem to land a job in what he views as his most promising career path: Information security.
“As I’m sure you’re aware, having negative media attention associated with alleged (key word) criminal activity can have a detrimental effect on employment, banking and relationships,” Bloom wrote. “I have no current interest in being a business owner, nor do I have any useful business ideas to be honest. I was and am interested in interesting Information Security/programming work but it’s too large of a risk for any business to hire someone who was formerly accused of a crime.”
If you liked this story, please consider reading the first two pieces in this series:
SEO Expert Hired and Fired by Ashley Madison Turned on Company, Promising Revenge
Top Suspect in 2015 Ashley Madison Hack Committed Suicide in 2014
When U.S. consumers have their online bank accounts hijacked and plundered by hackers, U.S. financial institutions are legally obligated to reverse any unauthorized transactions as long as the victim reports the fraud in a timely manner. But new data released this week suggests that for some of the nation’s largest banks, reimbursing account takeover victims has become more the exception than the rule.
The findings came in a report released by Sen. Elizabeth Warren (D-Mass.), who in April 2022 opened an investigation into fraud tied to Zelle, the “peer-to-peer” digital payment service used by many financial institutions that allows customers to quickly send cash to friends and family.
Zelle is run by Early Warning Services LLC (EWS), a private financial services company which is jointly owned by Bank of America, Capital One, JPMorgan Chase, PNC Bank, Truist, U.S. Bank, and Wells Fargo. Zelle is enabled by default for customers at over 1,000 different financial institutions, even if a great many customers still don’t know it’s there.
Sen. Warren said several of the EWS owner banks — including Capital One, JPMorgan and Wells Fargo — failed to provide all of the requested data. But Warren did get the requested information from PNC, Truist and U.S. Bank.
“Overall, the three banks that provided complete data sets reported 35,848 cases of scams, involving over $25.9 million of payments in 2021 and the first half of 2022,” the report summarized. “In the vast majority of these cases, the banks did not repay the customers that reported being scammed. Overall these three banks reported repaying customers in only 3,473 cases (representing nearly 10% of scam claims) and repaid only $2.9 million.”
Importantly, the report distinguishes between cases that involve straight up bank account takeovers and unauthorized transfers (fraud), and those losses that stem from “fraudulently induced payments,” where the victim is tricked into authorizing the transfer of funds to scammers (scams).
A common example of the latter is the Zelle Fraud Scam, which uses an ever-shifting set of come-ons to trick people into transferring money to fraudsters. The Zelle Fraud Scam often employs text messages and phone calls spoofed to look like they came from your bank, and the scam usually relates to fooling the customer into thinking they’re sending money to themselves when they’re really sending it to the crooks.
Here’s the rub: When a customer issues a payment order to their bank, the bank is obligated to honor that order so long as it passes a two-stage test. The first question asks, Did the request actually come from an authorized owner or signer on the account? In the case of Zelle scams, the answer is yes.
Trace Fooshee, a strategic advisor in the anti money laundering practice at Aite-Novarica, said the second stage requires banks to give the customer’s transfer order a kind of “sniff test” using “commercially reasonable” fraud controls that generally are not designed to detect patterns involving social engineering.
Fooshee said the legal phrase “commercially reasonable” is the primary reason why no bank has much — if anything — in the way of controlling for scam detection.
“In order for them to deploy something that would detect a good chunk of fraud on something so hard to detect they would generate egregiously high rates of false positives which would also make consumers (and, then, regulators) very unhappy,” Fooshee said. “This would tank the business case for the service as a whole rendering it something that the bank can claim to NOT be commercially reasonable.”
Sen. Warren’s report makes clear that banks generally do not pay consumers back if they are fraudulently induced into making Zelle payments.
“In simple terms, Zelle indicated that it would provide redress for users in cases of unauthorized transfers in which a user’s account is accessed by a bad actor and used to transfer a payment,” the report continued. “However, EWS’ response also indicated that neither Zelle nor its parent bank owners would reimburse users fraudulently induced by a bad actor into making a payment on the platform.”
Still, the data suggest banks did repay at least some of the funds stolen from scam victims about 10 percent of the time. Fooshee said he’s surprised that number is so high.
“That banks are paying victims of authorized payment fraud scams anything at all is noteworthy,” he said. “That’s money that they’re paying for out of pocket almost entirely for goodwill. You could argue that repaying all victims is a sound strategy especially in the climate we’re in but to say that it should be what all banks do remains an opinion until Congress changes the law.”
However, when it comes to reimbursing victims of fraud and account takeovers, the report suggests banks are stiffing their customers whenever they can get away with it. “Overall, the four banks that provided complete data sets indicated that they reimbursed only 47% of the dollar amount of fraud claims they received,” the report notes.
How did the banks behave individually? From the report:
-In 2021 and the first six months of 2022, PNC Bank indicated that its customers reported 10,683 cases of unauthorized payments totaling over $10.6 million, of which only 1,495 cases totaling $1.46 were refunded to consumers. PNC Bank left 86% of its customers that reported cases of fraud without recourse for fraudulent activity that occurred on Zelle.
-Over this same time period, U.S. Bank customers reported a total of 28,642 cases of unauthorized transactions totaling over $16.2 million, while only refunding 8,242 cases totaling less than $4.7 million.
-In the period between January 2021 and September 2022, Bank of America customers reported 81,797 cases of unauthorized transactions, totaling $125 million. Bank of America refunded only $56.1 million in fraud claims – less than 45% of the overall dollar value of claims made in that time.
–Truist indicated that the bank had a much better record of reimbursing defrauded customers over this same time period. During 2021 and the first half of 2022, Truist customers filed 24,752 unauthorized transaction claims amounting to $24.4 million. Truist reimbursed 20,349 of those claims, totaling $20.8 million – 82% of Truist claims were reimbursed over this period. Overall, however, the four banks that provided complete data sets indicated that they reimbursed only 47% of the dollar amount of fraud claims they received.
Fooshee said there has long been a great deal of inconsistency in how banks reimburse unauthorized fraud claims — even after the Consumer Financial Protection Bureau (CPFB) came out with guidance on what qualifies as an unauthorized fraud claim.
“Many banks reported that they were still not living up to those standards,” he said. “As a result, I imagine that the CFPB will come down hard on those with fines and we’ll see a correction.”
Fooshee said many banks have recently adjusted their reimbursement policies to bring them more into line with the CFPB’s guidance from last year.
“So this is heading in the right direction but not with sufficient vigor and speed to satisfy critics,” he said.
Seth Ruden is a payments fraud expert who serves as director of global advisory for digital identity company BioCatch. Ruden said Zelle has recently made “significant changes to its fraud program oversight because of consumer influence.”
“It is clear to me that despite sensational headlines, progress has been made to improve outcomes,” Ruden said. “Presently, losses in the network on a volume-adjusted basis are lower than those typical of credit cards.”
But he said any failure to reimburse victims of fraud and account takeovers only adds to pressure on Congress to do more to help victims of those scammed into authorizing Zelle payments.
“The bottom line is that regulations have not kept up with the speed of payment technology in the United States, and we’re not alone,” Ruden said. “For the first time in the UK, authorized payment scam losses have outpaced credit card losses and a regulatory response is now on the table. Banks have the choice right now to take action and increase controls or await regulators to impose a new regulatory environment.”
Sen. Warren’s report is available here (PDF).
There are, of course, some versions of the Zelle fraud scam that may be confusing financial institutions as to what constitutes “authorized” payment instructions. For example, the variant I wrote about earlier this year began with a text message that spoofed the target’s bank and warned of a pending suspicious transfer.
Those who responded at all received a call from a number spoofed to make it look like the victim’s bank calling, and were asked to validate their identities by reading back a one-time password sent via SMS. In reality, the thieves had simply asked the bank’s website to reset the victim’s password, and that one-time code sent via text by the bank’s site was the only thing the crooks needed to reset the target’s password and drain the account using Zelle.
None of the above discussion involves the risks affecting businesses that bank online. Businesses in the United States do not enjoy the same fraud liability protection afforded to consumers, and if a banking trojan or clever phishing site results in a business account getting drained, most banks will not reimburse that loss.
This is why I have always and will continue to urge small business owners to conduct their online banking affairs only from a dedicated, access restricted and security-hardened device — and preferably a non-Windows machine.
For consumers, the same old advice remains the best: Watch your bank statements like a hawk, and immediately report and contest any charges that appear fraudulent or unauthorized.
FreshRSS 