Midterm Election 2026 in United States
getty
Forget about hackers targeting voting machines or altering ballots—the biggest threat to November’s mid-term elections may be phishing and the impersonation of election officials.
According to research from Check Point Software, bad actors are increasingly flooding social media and search results with misleading narratives and fake content, impersonating respected news sources in an effort to erode trust in what people see and hear online.
“Sophisticated operators have already cloned major media brands like Reuters, The Washington Post, and Fox News using look-alike domains that can fool even attentive readers at a glance,” said Danielle Hess, Check Point cyber threat intelligence analyst, exposure management.
“In this new era of AI-powered disinformation, the goal is often not to change vote counts directly, but to convince voters that truth itself is difficult to verify.”
While there’s nothing wrong with registering an election-related domain, Check Point Exposure Management has spotted certain suspicious patterns.
In January, around 1,300 domains containing “election” and just under 3,000 containing “vote” were registered. From mid-April to mid-May, “election” registrations held relatively steady at around 1,140, but “vote” domains jumped to approximately 4,010. And this trend is continuing, with the mix is shifting toward the more voter-facing term.
“Domain registration volume alone does not establish malicious intent,” said Hess. “But security teams know what these domains are typically used for: phishing pages impersonating voter information portals, fraudulent donation collection, candidate impersonation, and misinformation distribution designed to look like official election communications.”
With topical infrastructure registered in advance, bad actors are able to bring it into play quickly at crucial moments, and take it down before detection efforts catch up.
Meanwhile, credential exposure is compounding the risk. Check Point said that, as of May, it has tracked around 9,500 leaked credentials tied to Democratic fundraising platform ActBlue and 6,500 tied to the Republican equivalent WinRed in criminal markets.
Those credentials are available in readiness now, helping with account takeover, donor fraud, and targeted social engineering against both parties’ fundraising platforms.
“The 2026 midterm threat environment is a trust infrastructure story, and the systems under pressure are ones security teams already manage: email, web properties, credential exposure, third-party platforms, and brand integrity,” said Hess.
“Security teams working with campaigns, election organizations, fundraising platforms, or any organization adjacent to this environment should treat this cycle as an elevated-risk period for phishing, brand impersonation, and credential-based attacks. That’s not because the threats are novel, but because the motivation and attention behind them are significantly higher than usual.”
The report follows a $707 million cut in budget for the Cybersecurity and Infrastructure Security Agency, described by the Trump administration as “weaponization and waste” and “focused on censorship”.
But, said senator Mark R. Warner, vice chairman of the Senate Select Committee on Intelligence, “While the states are taking valiant and expensive measures to protect their elections, it is impossible for states to independently obtain intelligence, subject-matter expertise, and real-time incident reporting, and information at the scale and speed required to protect state elections from physical and cyber threats.”
Leave a comment