Election interlopers register 5K+ domains, hope to catch some voting phish


5K+ election domains registered ahead of US midterms


Hacking voting machines is so 2017. Phishing, impersonation pose the real election risks

Jessica Lyons


Published Mon 1 Jun 2026 // 20:46 UTC

The biggest threat to America’s midterm elections in November likely isn’t foreign attackers hacking US voting machines. Phishing and election-official impersonation are the bigger risks, according to Check Point, which documented more than 5,000 election-themed domains registered between April and May.

These domains can be used by attackers for phishing, impersonation, fraud, misinformation, or influence activity, especially when coupled with about 17,000 exposed credentials associated with fundraising orgs, political parties, and government-related services also spotted by the security shop’s intelligence arm in May.

"Election-related domains and leaked credentials represent two sides of the same problem: infrastructure and access," Danielle Hess, a cyber threat intelligence analyst at Check Point Software, told The Register.


"A rise in election-themed domains not only creates more potential infrastructure that could be abused for phishing or impersonation, but also reflects a growing election-related ecosystem with more organizations, accounts, and users that can be targeted," Hess said. "When combined with a large pool of exposed credentials, attackers have more opportunities to conduct convincing and scalable election-related operations."


Plus, AI gives phishing, impersonation, election misinformation and other scam operations a massive boost, making them faster, cheaper, and easier to scale.


The uptick in election-related threats follows the Trump administration’s efforts to gut America’s lead cyber-defense agency and decimate its efforts to combat election-related fraud, while slashing its budget and workforce, and shutting down the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC).

According to a Monday report, Check Point has been monitoring registered domains and documented about 1,300 containing the keyword "election" and 2,957 containing "vote" in January. Three months later, between April 13 and May 14, about 1,140 newly registered domains contained the word "election," while the number containing "vote" had climbed to about 4,010.

While simply registering a domain doesn’t guarantee it will be used for malicious purposes, such domains are often used for phishing pages that impersonate voter info sites or candidates themselves, campaign donation scams, and misinformation sites designed to look like official election communications.

Along these lines, the security shop documented thousands of leaked credentials in May linked to fundraising and political party websites, including about 9,500 compromised credentials for ActBlue.com (Democrats’ fundraising site), 6,500 leaked WinRed.com (Republican fundraising) credentials, plus 600 from the official Republican gop.com website, 130 from democrats.org, and 150 leaked credentials for the usa.gov citizen services site.

Hess told us that "it's important to note that the credential statistics reflect credentials identified on Check Point's External Risk Management (ERM) platform as of May 2026 and are not limited to credentials that were necessarily stolen or leaked during May 2026 itself."

As the report points out, the credential leaks aren't limited to one political party or specific campaigns.


“Individual political campaign domains showed little to no observed credential exposure across a sample of swing-state candidates from both major political parties, reinforcing that current exposure is concentrated in centralized platforms rather than campaign-specific infrastructure,” according to the report.

“A single campaign domain stood out as an exception, with around 90 leaked credentials identified,” the report continued.

"The campaign domain referenced was associated with candidate Tom Kean," Hess said, referring to Rep. Tom Kean Jr. (R-NJ). "However, it's important to note the credentials were identified within infostealer malware logs, which typically reflect opportunistic compromise rather than deliberate targeting of a specific campaign. While not indicative of direct targeting, the presence of these credentials may still pose a security risk if associated accounts remain active or reused."

In addition to the political org-related credential exposure, voter information is also appearing across dark web forums ahead of the...
