Federal law enforcement authorities say they are aware of a website that sprang up over the weekend and began doxxing federal and state government officials at odds with Donald Trump’s efforts to overturn the election.
The site, which appears to have been created on Sunday, contains the home addresses, pictures of homes, personal emails, and photos of state and local officials who have pushed back on or questioned the president’s legal campaign.
“The following individuals have aided and abetted the fraudulent election against Trump,” the website, enemiesofthepeople.org, declared.
A Federal Bureau of Investigation spokesperson told The Daily Beast on Thursday that the FBI is “aware of the matter,” but declined to comment further.
The site was only online for a few days, and the identities of those responsible for it are not known. But archived versions of the site, and publicly available website registration data, show that the individual or individuals behind it used email addresses associated with a Russian email service provider and web hosting services based in the country. The possibility exists that the use of those addresses and hosting services were done to make it appear to be a Russian operation.
The website was created as brewing national tensions over the 2020 election boiled over into violent threats against officials whom the president’s supporters have deemed complicit in a vast, often nonsensical conspiracy to steal the election for President-elect Joe Biden. Those claims have been rejected in dozens of state and federal court cases, and by high-level officials of both parties.
Among the officials targeted—literally—by the enemiesofthepeople website were Govs. Gretchen Whitmer (D-MI), Brian Kemp (R-GA), Doug Ducey (R-AZ), multiple people affiliated with the company Dominion Voting Systems, and Christopher Krebs, the former top federal cybersecurity official who was fired last month for publicly debunking many of the conspiracy theories floated by Trump and his legal team.
“If blood is spilled, it is on the hands of the president,” Krebs’ attorneys wrote in a Wednesday statement regarding the website. The specific threats, they noted, “may be domestic or foreign actors trying to stoke the violence.”
As documented by Joe Slowik, a senior security researcher at the firm DomainTools, enemiesofthepeople.org and a sister website, enemiesofthepeople.us, were registered by individuals using the Russian email service Yandex, and the website’s IP servers are hosted in Russia.
“Current information available on registration patterns and ownership are indeterminate, with some observables strongly indicating a Russian or Eastern European nexus (hosting in Russia and Romania, use of Yandex emails, Slavic names) while others indicate a domestic US angle (registration address in Georgia, US phone number),” Slowik told The Daily Beast. “Further research and likely law enforcement action will be required to gather more information on the responsible parties.”
The same person or people behind the enemiesofthepeople domains also appear to have registered another election conspiracy website, donttouchthegreenbutton.us. That domain name is similar to one that the Trump campaign set up last month to solicit testimonials from “whistleblowers'' and others who claimed to have knowledge of ostensible election irregularities.
“While I can’t assess the actor’s intent, I can’t help but wonder if that domain was intentionally created to get someone investigating this activity to erroneously point their finger at the Trump Campaign [or the] RNC,” said Kyle Ehmke, a threat intelligence researcher at ThreatConnect.
As for the apparent Russian fingerprints, Ehmke said publicly available information was insufficient to attribute the website to any foreign actor. “At this point, based on what we’ve seen, we don’t have enough information to assess who is behind this website at an individual or state level,” he said.
A search of the website in RiskIQ’s cybersecurity database shows that the website was associated with a Twitter account, @peopleenemies, that has since been suspended.
The website also included links to profiles on two social media sites, Parler and Gab, that are popular with Trump supporters. “We have compiled a list of people who allowed the act of treason to take place,” the Gab profile’s bio says. As of Thursday morning, the Parler profile had been set to private, and the Gab profile’s posts had all been deleted.
In a statement to The Daily Beast, Gab CEO Andrew Torba said that “Threats of violence have no place on Gab and never have. Within minutes of being alerted to this account last night our team took immediate action and suspended the account.”
A Twitter spokesperson told The Daily Beast: “We permanently suspended this account for violating our ban evasion policy, and labeled corresponding URLs in line with our private information policy.”
Parler did not respond to questions from The Daily Beast in time for publication.
“Overall, this type of activity—posting contact and location data for both prominent officials and Dominion employees—is reprehensible and dangerous,” Slowik said. “Content providers, hosting services, and registrars can and should take swift action to disable these sites as they extend well beyond the bounds of protected political speech given their incitement to violence.”