Ashley Madison puts $377,000 bounty on hackers' heads

Police suspect two suicides are related to the release of information stolen from the relationship-cheating website.

Screen shot by Luke Westaway/CNET

Amid reports that the Ashley Madison security breach may have led to suicides and extortion plots, Toronto police and the affair-arranging website are upping the ante to catch the hackers responsible for the embarrassing leak of users' information.

To increase the chance of that happening, Ashley Madison's parent company, Avid Life Media, offered $500,000 Canadian ($377,000) on Monday to anyone providing information leading to the arrest of those involved.

Hackers calling themselves the Impact Team first revealed in July they had stolen information from the site, including data on more than 30 million Ashley Madison patrons, who sign up with the goal of having extramarital affairs.

The cyberattackers threatened to release the embarrassing data if the website didn't shut down. Ashley Madison refused, and so the hackers delivered on their threat last week, upending the lives of people who'd counted on the site's confidentiality.

While it's all happened on the Internet, there have been very real effects. In a press conference on Monday, Toronto police said they suspect two suicides were related to the leak. They also believe the hack led to a few attempts of extortion from the outed users.

Now, Ashley Madison is willing to pay up to find the culprits. If it succeeds, the bounty could renew people's faith in Internet companies, experts say.

"If people know hacking is not an anonymous crime and they can be caught, there's much more of a deterrent," said Jonathan Schmidt, a former prosecutor who is now a criminal defense attorney with Ropes & Gray.

It's unusual but not unheard of for a company to offer a bounty on a hacker, said Alex Rice, an executive at HackerOne, which helps connect companies with coding experts who can find flaws in their software. More typically, law enforcement agencies offer the money.

Sometimes, hackers do get caught. Microsoft in 2011 offered $250,000 to help bring down the group running Rustock, a network of hacked computers that sent out nearly 40 percent of the world's spam email. The FBI and Microsoft successfully dismantled Rustock that same year.

Some hackers can avoid getting caught by paying off people to cover their trail. The US government offers a total of $4.3 million for information leading the capture of the world's most notorious hackers. Evgeniy Mikhailovich Bogachev, at the top of the FBI's "cyber most wanted" list, rated a $3 million bounty in 2014, after being indicted for conspiracy, computer hacking, wire fraud, bank fraud and money laundering.

"He made a lot of money off his hacking," said Stephen Cobb, a security researcher at antivirus company ESET. "Which probably helps him."

That might not be the case for the Impact Team, which should make it easier for law enforcement to track them down, said Cobb. "One staggers to think what was on the mind of this Impact team," he said. "I think the reward could actually be effective."

Convincing people to name the hackers is likely the best way to catch them, experts say. That's because cyberattackers have gotten good at covering their tracks, making a forensic investigation of Ashley Madison's computer systems unlikely to yield much data.

It's the human element that usually does them in. From bragging to friends about their exploits, to posting pictures on Facebook with ill-gotten cash, history is filled with hackers brought down by pride, said Cobb.

Perhaps the hackers will be caught, and perhaps Internet users will be more careful with their personal information, said Rice, the executive at HackerOne. If so, the entire incident will leave a lasting mark on the psyche of Internet users.

"I can't make up my mind if any good will come of this," Rice said. "Hopefully more good than harm in the long run, but I think that's optimistic."

Updated at 7:30 p.m. PTto correct amount of reward.

Featured Video