Full Report
Hacking voting machines is so 2017. Phishing, impersonation pose the real election risks
Analysis Summary
# Threat Actor: Unattributed Cyber Criminals & Opportunistic Scammers
## Attribution & Identity
**Actor Identification:** The article describes a non-specific, broad set of cyber threat actors ranging from opportunistic cybercriminals to political scammers. No specific state-sponsored group (APT) is currently attributed in this report; however, the activity is characterized by high-volume, automated, and opportunistic exploitation.
**Associated Groups/Forums:**
* **BreachForums:** Used for leaking voter data.
* **Spear[.]cx:** A criminal forum where multi-state voter databases are traded.
## Activity Summary
In the lead-up to the 2026 US Midterms (April–May 2026), threat actors have significantly scaled infrastructure for influence and theft. Key activities include:
* **Domain Squatting/Registration:** Registration of over 5,000 election-themed domains (keywords "vote" and "election") to be used as malicious infrastructure.
* **Credential Harvesting:** Collection and distribution of over 17,000 exposed credentials from major political fundraising platforms.
* **Data Leaking:** Unauthorized distribution of voter registration data from specific counties (e.g., Fremont County, CO) and multi-state voter databases.
## Tactics, Techniques & Procedures
* **Phishing & Impersonation:** Creating domains that mimic official voter info sites or candidate pages.
* **Credential Stuffing/Replay:** Leveraging leaked credentials from ActBlue, WinRed, and GOP platforms to gain unauthorized access to accounts.
* **Infostealer Logs:** Use of malware-derived logs to harvest credentials from specific campaign staffers (e.g., Tom Kean Jr. campaign).
* **AI-Enhanced Social Engineering:** Utilizing Artificial Intelligence to create more convincing phishing lures and misinformation at scale.
* **Data Exfiltration/Dumping:** Posting stolen PII (names, emails, IP addresses) on dark web forums to facilitate further social engineering.
## Targeting
* **Sectors:** Political Campaigns, Government Services, Non-Profit Fundraising, Elections Infrastructure.
* **Geography:** United States (National and Regional levels).
* **Victims:**
  * **Platforms:** ActBlue (9,500+ credentials), WinRed (6,500+ credentials), usa[.]gov (150 credentials).
  * **Organizations:** GOP[.]com, Democrats[.]org, EI-ISAC.
  * **Individuals:** Rep. Tom Kean Jr. campaign (infostealer victim), Fremont County (CO) election division.
## Tools & Infrastructure
* **Malware Families:** Infostealers (unspecified variants) used for harvesting browser-stored credentials.
* **Infrastructure:**
  * **Election-themed Domains:** Over 5,100 domains registered containing "election" (1,140) or "vote" (4,010).
  * **Dark Web Forums:** BreachForums, Spear[.]cx (defanged).
  * **Fundraising Portals:** ActBlue[.]com, WinRed[.]com.
## Implications
The shift in threat landscape indicates that the primary risk to elections has moved from "hacking the vote" (manipulating machines) to "hacking the voter" (manipulating perception and stealing funds). The combination of AI-generated content and massive credential leaks allows low-skill actors to conduct high-impact operations. Massive exposure of fundraising platform credentials poses a direct financial risk to political parties and a risk of identity theft for donors.
## Mitigations
* **Enable Multi-Factor Authentication (MFA):** Implement hardware keys or app-based MFA on all fundraising and campaign staff accounts so that the 17,000+ leaked credentials cannot be used on their own to log in.
* **Domain Monitoring:** Organizations should proactively monitor for "typosquatting" or newly registered domains mimicking their official presence.
* **Credential Hygiene:** Campaign staff should be audited for infostealer infections, and passwords should be rotated for any accounts found in dark web logs.
* **Public Awareness:** Educating voters that official communications will not typically come from newly created, non-governmental domains.
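The domain-monitoring mitigation above is the one most readily automated. The following is an added example (not code from the article or any organization it names) of how a campaign or election office could triage a feed of newly registered domains against its own brands: it normalizes common digit-for-letter substitutions, flags labels that embed or closely resemble a protected brand, and separately tags the "vote"/"election" keywords the report describes. The protected list and the input domains are constructed samples, and the similarity threshold is an assumption to tune against real feed volume.

```python
"""Triage newly registered domains for brand impersonation and election keywords.

Added example for illustration; the domains, brands and threshold below are
constructed assumptions, not data from the report.
"""
from difflib import SequenceMatcher

# Constructed: digit/symbol substitutions commonly used to mimic a brand name.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a"})

# Election-themed keywords the report says appear in bulk-registered domains.
KEYWORDS = ("vote", "election")

# Constructed: domains the organization actually owns (assumption).
PROTECTED = {"actblue.com", "winred.com", "gop.com", "democrats.org"}

# Constructed sample "new registrations" feed (not real registrations).
NEW_DOMAINS = [
    "actb1ue-donate.com",      # digit substitution plus brand embedding
    "winrd.com",               # dropped-letter lookalike
    "vote-county-update.info", # election keyword, no brand
    "actblue.com",             # the organization's own domain
    "example.com",             # benign
]


def second_level_label(domain: str) -> str:
    """Return the label left of the TLD (naive: drops only the last label)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label: str) -> str:
    """Map homoglyph digits/symbols to letters and drop separators."""
    return label.translate(HOMOGLYPHS).replace("-", "").replace("_", "")


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] from difflib; 1.0 means identical strings."""
    return SequenceMatcher(None, a, b).ratio()


def assess_domain(domain: str, protected: set[str], threshold: float = 0.8) -> list[str]:
    """Return the reasons a domain looks suspicious; an empty list means no finding."""
    reasons: list[str] = []
    if domain.lower() in protected:
        return reasons  # the organization's own domain, never flagged
    norm = normalize(second_level_label(domain))
    for owned in sorted(protected):  # sorted for deterministic output
        brand = normalize(second_level_label(owned))
        if brand in norm and norm != brand:
            reasons.append(f"contains brand {owned}")
        else:
            score = similarity(norm, brand)
            if score >= threshold:
                reasons.append(f"lookalike of {owned} ({score:.2f})")
    for keyword in KEYWORDS:
        if keyword in norm:
            reasons.append(f"keyword {keyword}")
    return reasons


def scan(domains: list[str], protected: set[str]) -> dict[str, list[str]]:
    """Map each flagged domain to its reasons; unflagged domains are omitted."""
    findings = {}
    for domain in domains:
        reasons = assess_domain(domain, protected)
        if reasons:
            findings[domain] = reasons
    return findings


if __name__ == "__main__":
    for domain, reasons in scan(NEW_DOMAINS, PROTECTED).items():
        print(f"{domain}: {', '.join(reasons)}")
```

Findings from this script are a triage queue, not a verdict: a flagged domain still needs a takedown or blocklist decision by a human, and very short brand labels (three letters, for instance) will match inside many unrelated names, so the threshold and brand list should be tuned against the organization's real feed.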