The emails claimed to be from the Proud Boys, a far-right group supportive of President Trump, but appeared instead to be a deceptive campaign making use of a vulnerability in the organization’s online network.
First divulged on Tuesday by local law enforcement and elections officials in Florida and Alaska, the emails were soon turned over to federal authorities, according to U.S. officials.
The messages appeared to target Democrats using data from digital databases known as “voter files,” some of which are commercially available. They told recipients the Proud Boys were “in possession of all your information” and instructed voters to change their party registration and cast their ballots for Trump.
By suggesting the group had gained access to privileged data, and also possibly penetrated electronic systems to detect how people were voting, the emails seemed designed to create the appearance of an election breach, said cybersecurity researchers. Such a move may serve to undermine confidence in the integrity of the democratic process without posing a genuine risk to the election, these researchers said.
“You will vote for Trump on Election Day or we will come after you,” warned the emails, which by Tuesday night were said to have reached voters in as many as four states, three of them hotly contested swing states in the coming presidential election.
The domain enlisted for the misleading operation, officialproudboys.com, was recently dropped by a hosting company that uses Google Cloud services, according to Google Cloud spokesman Ted Ladd. Without a secure host, the domain stood vulnerable to exploitation, cybersecurity experts said. Voters using Comcast, Yahoo and Gmail accounts were affected.
In addition to reports from Florida and Alaska, a voter in Pennsylvania told The Washington Post she had received one such email, though she suspected it may have been linked to her previous registration in Alaska. The Pennsylvania attorney general’s office had not received reports about the messages, a spokesman, Mark Shade, said Wednesday.
Kristen Clarke, president and executive director of the national Lawyers’ Committee for Civil Rights Under Law, said her organization had received at least one report that a similar email had reached a voter in Arizona. The Arizona secretary of state’s office was looking into the matter, said a spokeswoman, Sophia Solis.
Enrique Tarrio, the chairman of the Proud Boys and the Florida state director of Latinos for Trump, denied involvement, saying the group operates two sites, and was increasingly migrating away from the domain used in the email campaign.
“Two weeks ago, I believe, we had Google Cloud services drop us from their platform, so then we initiated a url transfer, which is still in process,” he said in an interview. “We kind of just never used it.”
The technical data embedded in the emails did not make immediately apparent who was behind the messages. But metadata gathered from dozens of the emails pointed to the use of servers in Saudi Arabia, Estonia, Singapore and the United Arab Emirates, according to numerous analysts.
“It’s clearly organized and very much planned,” said Rita Katz, executive director of SITE Intelligence Group.
Democrats in Alachua County, in north-central Florida, began receiving the messages on Tuesday morning, according to interviews with several recipients. So, too, did voters in Alaska, said Casey Steinau, chair of the Alaska Democratic Party. Her communications director, Jeanne Devon, said Tuesday night that the FBI “is now involved in the investigation.” A spokeswoman for the bureau’s Anchorage field office did not respond to a request for comment.
“This is absolutely something to be concerned about,” said John Scott-Railton, a senior researcher at the Citizen Lab at the University of Toronto’s Munk School of Global Affairs and Public Policy. “This is what election interference looks like.” He said he knew of a threatening email reaching a voter in Pennsylvania.
Scott-Railton also said one email he had viewed included a link to a video — earlier reported by Vice — showing Trump making disparaging comments about mail-in voting, followed by a logo with the name of the Proud Boys. It then documented what was made to appear as a hack of voting data in an effort to produce a fraudulent ballot. The video was also posted on a Twitter account that has since been suspended.
Even as the president sows doubt about mail balloting, federal law enforcement officials as well as election administrators have underscored the security of the process, which has been routine in some states for years. They also have warned about possible disinformation designed to create the appearance of fraud or to stoke fears of voter intimidation — which itself threatens to keep voters away from the polls.
The Justice Department issued a statement on Wednesday saying it was “aware of reports that threatening correspondence referencing the current election” have been sent to people in several states. It said it could neither confirm nor deny any investigation and said, “if appropriate, the department will prosecute any civil or criminal violation to the fullest extent of the law.”
Christopher C. Krebs, director of DHS’s Security’s Cybersecurity and Infrastructure Security Agency, wrote in a tweet on Tuesday that his office was aware of the emails, noting, “Ballot secrecy is guaranteed by law in all states.”
“These emails are meant to intimidate and undermine American voters’ confidence in our elections,” he added.
Some cybersecurity experts said foreign involvement should be expected.
“We’re still reviewing it, but it wouldn’t be unheard of for a foreign actor to impersonate political figures or organizations,” said John Hultquist, senior director of analysis for Mandiant Threat Intelligence. “It could be a form of voter intimidation or it could be meant to inject discord into an already fragile process.”
Tarrio, determined to beat back the perception of involvement by the Proud Boys, said he had spoken to an FBI agent about the episode. Amanda Videll, a spokeswoman for the bureau in Jacksonville, Fla., declined to comment.
Bennett Ragan, campaign manager for a Democratic State House candidate in Gainesville, Fla., said he received two of the threatening messages on his Gmail account and knows of at least 10 other similar emails that had reached friends or associates. He said the home address cited in the emails he received could have come only from a Florida voters’ roll from 2018 because he has moved several times in recent years.
Ragan said he believed the purpose was to intimidate Democratic voters in a swing state with hotly contested races up and down the ballot on Nov. 3.
“When you have people who have a voter roll and then send off emails, they will make a big splash. They will scare people. That is without a doubt the intent,” he said.
The hosting service that previously carried the Proud Boys domain canceled the registration after Google Cloud notified the customer that a nonprofit group had raised concerns about the controversial organization, said Ladd, the Google Cloud spokesman.
Following the action from the hosting service, the domain appears to have been left unsecured, allowing anyone on the Internet to take control of it and use it to send out the menacing messages, said Trevor Davis, CEO of CounterAction, a Washington-based digital intelligence firm.
The lapse, which began on Oct. 8, “likely made them vulnerable to this kind of hijacking,” Davis said. “Bad actors are constantly scanning the Internet for opportunities. Given the public profile of the Proud Boys and the likelihood that whoever’s sending these emails has access to a voter file, this appears to be opportunism.”
An Internet Protocol (IP) address associated with metadata in at least one email had previously been reported, pointing to its likely use in scam or phishing operations, said Cindy Otis, a former CIA analyst and vice president of analysis for Alethea Group, an organization combating online threats and misinformation.
The Proud Boys rose to national prominence last month during the first presidential debate between Trump and his Democratic rival, Joe Biden, when the president passed up an invitation by moderator Chris Wallace, of Fox News, to denounce White supremacists. When Biden suggested that Trump denounce the Proud Boys, he said they should “stand back and stand by” — a comment that was widely celebrated on social media by the group as a call to action.
Memes circulated online with the words integrated into the Proud Boys logo. One doctored image showed Trump wearing one of the Proud Boys’ signature polo shirts. Another online poster used the moment to advertise T-shirts and hoodies bearing the group’s logo and the words “PROUD BOYS STANDING BY.”
The group’s leaders say they do not support White supremacy, but they had a contingent at 2017’s notorious Unite the Right rally in Charlottesville. The Proud Boys also have been frequent participants in the protests demonstrating against coronavirus shutdowns and, more recently, the protests in Portland, Ore. Facebook has banned the group as a hate group, and the Southern Poverty Law Center classifies it as a hate group and says its leaders “regularly spout white nationalist memes and maintain affiliations with known extremists.”