LIVE NEWSROOM · June 3, 2026
A LIBRARY FOR SECURITY RESEARCHERS

5,000+ Election Phishing Domains Target 2026 US Midterm Voters


More than 5,150 malicious domains specifically designed to target the 2026 US midterm elections were registered between April 13 and May 14, 2026, according to Check Point Research. The infrastructure — split between 1,140+ domains containing the word "election" and 4,010+ containing "vote" — is designed to impersonate official voter registration portals, clone campaign donation platforms including ActBlue and WinRed, and distribute AI-generated election disinformation masquerading as reporting from Reuters, The Washington Post, and Fox News. The campaign runs alongside 9,500 compromised ActBlue account credentials and 6,500 WinRed account credentials actively circulating in criminal markets, providing ready-made targets for financial fraud and campaign finance manipulation.

// 01 Election Phishing Domains 2026: Technical Details

Check Point cyber threat intelligence analyst Danielle Hess led the research, identifying a registration spike that began April 13, 2026. The 32-day registration window preceding a late-May analysis suggests attackers began building infrastructure months before the November 2026 midterm elections — consistent with the lead-time observed in 2022 and 2024 election-cycle threat campaigns.

The malicious domain infrastructure divides into three functional categories:

Voter portal impersonation: Domains that mimic official state and federal voter registration sites — sites where voters verify registration status, request mail-in ballots, or look up polling locations. These pages harvest personally identifiable information (PII — data that identifies an individual, including name, address, date of birth, and last four digits of Social Security number) under the guise of voter services.

Donation platform cloning: Sites that spoof ActBlue (the primary small-dollar Democratic donation processor) and WinRed (the Republican equivalent), designed to collect credit card numbers and campaign contributions. The threat is amplified by 16,000 known-compromised credentials (9,500 ActBlue, 6,500 WinRed accounts) circulating in underground markets — attackers can use these credentials to make fraudulent donations in victims' names, commit campaign finance fraud, or pivot to linked payment methods.

AI-assisted disinformation portals: Domains impersonating major media brands — Reuters, The Washington Post, Fox News — publishing AI-generated content designed to appear as legitimate election reporting. Content themes include false election results, voter intimidation narratives, and polling location misinformation. This technique, sometimes called "synthetic news injection," has been used in previous election cycles, but the scale and quality of AI-generated content have increased substantially with 2025-2026 generation models.

2026 midterm election phishing infrastructure — Check Point Research

// 02 Who Is Affected

The election phishing domain campaign targets three distinct groups:

Voters: Individuals seeking to verify voter registration, request absentee ballots, or find polling information are the primary targets of voter portal spoofs. Victims who enter their information on fake state election sites expose their PII to identity theft pipelines, and may be served false voting instructions.

Campaign donors: Anyone who donates to federal or state campaigns through online platforms faces risk from ActBlue and WinRed clones. The 16,000 circulating credentials from legitimate donation accounts indicate that credential stuffing attacks — automated logins using username/password pairs from previous breaches — are already in progress against the real platforms.

Campaign organizations and election staff: Campaign operatives who receive phishing emails appearing to come from official election authorities, donor databases, or media contacts face business email compromise (BEC — a class of social engineering attack targeting organizations' financial or operational workflows) and credential harvesting risk. Election staff at state and county levels, who handle sensitive voter data and voting system access, are high-value targets.

The attack surface is geographically broad: domains impersonating election infrastructure from multiple states were identified, with no single state disproportionately targeted in Check Point's initial analysis.

// 03 What Campaigns, Voters, and Organizations Should Do

  • Bookmark official election sites directly: Voters should access voter registration and election information only through official state government domains (.gov TLD — Top-Level Domain, the suffix identifying government websites). Navigate directly to the URL rather than clicking links in email or social media.
  • Verify donation URLs before contributing: Donors should confirm they are on secure.actblue.com or winred.com before entering payment information. Check the browser address bar — not just the page's displayed text — for the full URL including https:// and the exact domain.
  • Enable multi-factor authentication on donation accounts: ActBlue and WinRed both support MFA (Multi-Factor Authentication — requiring a second verification step beyond a password). Activate it to prevent credential-stuffed logins even if your password was exposed in a previous breach.
  • Report suspicious domains to CISA: The Cybersecurity and Infrastructure Security Agency (CISA) maintains an election security reporting mechanism at cisa.gov/election-security. Suspected phishing domains targeting elections should be reported through this channel.
  • Brief campaign staff on phishing indicators: Campaign staff should receive training on recognizing election-themed spearphishing (targeted phishing emails crafted to appear from a specific trusted source). Key indicators include unexpected urgency, requests to verify login credentials, and sender addresses that differ subtly from legitimate election authority domains.
  • Monitor for brand impersonation: If your organization's name or logo appears on election-adjacent phishing sites, submit takedown requests through your domain registrar and contact CISA's Election Security team. Major registrars have expedited abuse processes for election infrastructure impersonation.
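
The URL checks in the list above, as an added example (not code from Check Point or the original article): it parses a link, compares the real host against the two donation hosts the article names and the .gov TLD, and filters a domain feed for the "election"/"vote" keywords and brand strings. The function names, verdict labels and `.example` sample names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Exact hosts named in the guidance above. Matching is exact on purpose; extend
# the set only with hosts you have verified yourself (assumption of this sketch).
OFFICIAL_HOSTS = {"secure.actblue.com", "winred.com"}
BRANDS = ("actblue", "winred")
KEYWORDS = ("election", "vote")  # the two strings counted in the report

def is_official(host):
    """True for an allowlisted donation host or a name under the .gov TLD."""
    return host in OFFICIAL_HOSTS or host.endswith(".gov")

def lure_terms(host):
    """Brand/keyword strings found in the host, ignoring hyphens (act-blue)."""
    return [t for t in BRANDS + KEYWORDS if t in host.replace("-", "")]

def check_url(url):
    """Classify a link before following it. Returns (verdict, detail)."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")  # lowercased, no userinfo/port
    except ValueError:
        return "suspicious", "unparseable URL"
    if parts.scheme != "https" or not host:
        return "suspicious", "not an https URL with a host"
    if parts.username is not None:
        # Text before '@' is userinfo; the browser connects to what follows it.
        return "suspicious", "userinfo present, real host is " + host
    if is_official(host):
        return "official", host
    terms = lure_terms(host)
    if terms:
        return "suspicious", host + " is not official but contains " + ", ".join(terms)
    return "unlisted", host

def triage_domains(domains):
    """Reduce a feed of newly registered domains to election-themed names."""
    hits = {}
    for raw in domains:
        host = raw.strip().lower().rstrip(".")
        terms = lure_terms(host)
        if terms and not is_official(host):
            hits[host] = terms
    return hits

if __name__ == "__main__":
    # Constructed samples; the .example names are placeholders, not indicators.
    for u in ("http://winred.com/", "https://secure.actblue.com.donate-vote.example/"):
        print(check_url(u), u)
```

Substring matching is a triage filter, so unrelated names that happen to contain "vote" will also surface and need a human look.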

// 04 Background: Understanding the Risk

The 2026 midterm election phishing campaign follows a well-established pattern that intensifies with each election cycle. In 2022, the Cybersecurity and Infrastructure Security Agency identified a similar wave of election-themed domain registrations, though at lower volume. In 2024, a multi-agency advisory documented increased use of AI-generated content in disinformation operations targeting election officials and voters. The 2026 campaign reflects both trends simultaneously, at greater scale.

The threat is infrastructure, not voting machines. A common misconception frames election cybersecurity as primarily about hacking electronic voting machines — a technically difficult target with significant physical access requirements and audit trail oversight. The 2026 threat campaign, like most recent election interference operations, targets the human infrastructure around elections: the donors who fund campaigns, the volunteers and staff who operate campaign communications, and the voters who make decisions based on information they trust. Phishing, credential theft, and disinformation are dramatically more scalable and accessible attack vectors than physical voting system compromise.

Credential markets pre-load the attack. The 16,000 circulating ActBlue and WinRed credentials did not originate from an election-specific breach — they were almost certainly harvested through previous credential-stuffing campaigns against these platforms, or through infostealer malware (software that steals stored credentials from browsers and password managers) on donors' personal devices. Attackers do not need to compromise the donation platforms themselves; they purchase credential databases and run automated login attempts at scale. For campaigns and platforms, this means the breach that enables election-cycle fraud often happened months or years earlier, in an unrelated attack.

AI disinformation is evolving rapidly. The synthetic news sites identified by Check Point represent a maturation of the disinformation toolkit. Text generated by 2025-2026 large language models is substantially more fluent and contextually accurate than earlier synthetic content, reducing the "obvious tell" signals that readers previously used to identify fake articles. Impersonating the visual design and byline structure of Reuters or The Washington Post — combined with AI-generated plausible content — creates a credibility proxy that is difficult for non-expert readers to reject without actively verifying source URLs.

The registration timeline indicates deliberate campaign planning. A 32-day bulk domain registration window starting April 13 suggests organized, resource-sufficient threat actors rather than opportunistic registrations. Bulk domain acquisition at this scale, months before an election, is consistent with nation-state or well-funded organized crime operations conducting pre-positioning for influence operations. Check Point's analysis did not attribute the campaign to a specific state actor, though historical Russian-linked operations were noted in the context of media domain impersonation.

// 05 Conclusion

More than 5,150 malicious domains stand ready to harvest credentials, steal donations, and spread disinformation targeting the November 2026 US midterm elections — built months in advance, fueled by 16,000 pre-compromised campaign donor accounts. Voters should access election information exclusively through official .gov domains and verify donation URLs before submitting payment. Campaign organizations should enable MFA on all staff accounts and brief teams on election-themed spearphishing immediately — the infrastructure is already in place and the election is five months away.

For any query contact us at contact@cipherssecurity.com

    Team Ciphers Security

    The Ciphers Security editorial team — practitioners covering daily threat intel, CVE deep-dives, and hands-on cybersecurity research.
