ZeroFox Assessment: Physical Threats to the U.S. Elections

Executive Summary

There is an elevated risk of political violence related to the upcoming 2024 U.S. presidential elections. Prior to the first assassination attempt on former President Donald Trump, the most substantial threats came from those concerned with the integrity of U.S. elections. They stem from an uptick in politically motivated violence, including physical attacks and death threats that have targeted political candidates, their supporters, government officials, and polling locations since the 2020 election.

Passionate opinions related to campaign issues like immigration, wars in Ukraine and Gaza, LGBTQ+ rights, and access to abortion could also lead to violence. The primary risk locations are battleground states and areas where elections were contested in 2020. 

This report should be read in conjunction with ZeroFox’s Intelligence brief Cyber Threats to the U.S. Election (B-2024-10-03b).

Election Landscape & Context

The upcoming U.S. presidential election set to be held on November 5, 2024, is very likely to be a closely fought campaign. As of the writing of this report, state and national polls indicate that neither candidate has established a substantial lead. 

  • Former President Trump had looked very likely to win the U.S. presidential election after a gunman fired at him during his rally in Butler, Pennsylvania, on July 13, 2024, which galvanized his supporters and gave him a substantial polling lead over then-rival current U.S. President Joe Biden.
  • However, after the July 2024 Republican Convention, Joe Biden ended his re-election campaign and was replaced by current U.S. Vice President Kamala Harris, who has since improved the Democratic Party’s standings in polls.

Public political discourse surrounding the election is febrile, with significant polarization among U.S. voters. Approximately seven U.S. “swing states” will likely have a disproportionate impact on the election outcome: Michigan, Arizona, Georgia, Nevada, Pennsylvania, North Carolina, and Wisconsin. Recent elections in these states have been decided by just thousands of voters, some of whom are focused on key foreign policy issues, like Arab Americans in Michigan. 

  • Almost all reliable recent polling indicates the swing states remain very close, with marginal leads attributed to both candidates.

Such small margins present a fertile ground for the realization of physical threats that could influence or interfere with electoral processes and outcomes. The campaigning period has illustrated the increasing interconnectivity of the cyber and geopolitical domains, with an array of nefarious actors identified leveraging information campaigns to prompt and incite targeted parties into physical action. Physical attacks on candidates, intimidation of voters, and the risk of destructive cyberattacks targeting electoral infrastructure are likely to make the 2024 U.S. elections one of the most challenging and volatile U.S. political environments in recent history.

Threat Actors Targeting the U.S. Election

Threat actors with an array of motivations, capabilities, and intents very likely perceive the upcoming election, as well as the periods prior to and afterwards, as a means by which to pursue objectives ranging from geopolitical-shaping activity to political or religious extremism to impacting election outcomes. Broadly, these threat actors include:

  • Adversarial Nation-states - Nation-state apparatus engaged in widespread campaigns to impact the election outcome, undermine democratic processes and institutions, or pursue state agendas.
  • Terror Groups and Lone Actors - Both domestic and international terror groups—including inspired “lone actors”—that seek to intimidate, harm, or otherwise obstruct voters and candidates from participating in the electoral process.
  • Protest Groups - Largely domestic activist collectives that seek to influence or even obstruct voters in the run-up to and on voting day.
  • The Willing Influencer - Members of the public that actively seek to stoke divisions, influence en-masse, and even intimidate candidates and voters during the electoral process.
  • The Accidental Influencer - Members of the public who may have no intent to spread falsehoods, interfere, or do harm but who may promote or unwittingly engage with actors that have more nefarious intentions.

Threat actor activity targeting or leveraging the U.S. election may seek to interfere in electoral processes, outcomes, or associated elements or utilize these as a vehicle or means by which to achieve other (adjacent or unrelated) predefined ends. Threat actor motivations can broadly be categorized into three buckets; these categories are not mutually exclusive, and threat actors may sit within more than one of these categories. 

  • Election Interference - Seeking to directly induce a specific change, such as determining the winner of the election; obstructing or sabotaging electoral processes to delay, damage, or otherwise impede their proficiency and output.
  • Election Influence - Seeking to undermine or subvert electoral institutions and organizations; affecting, influencing, or shaping the electorate in order to change their perception of political candidates or an ongoing foreign affair.
  • Election Opportunism - Seeking to capitalize on or leverage the election to achieve certain political or financial strategic objectives, albeit often with indifference to the election itself or its outcome.

The majority of physical threats prior to the U.S. presidential election likely fall within the election influence category, with actors seeking to influence members of the public and peddle narratives that favor one candidate or the other. This is particularly relevant to the periods prior to and after voting day, although ZeroFox notes that physical threats realized on the day of the election have an increased chance of sitting in the election interference category and are designed to sabotage infrastructure, intimidate election officials, or disrupt or obstruct voters. 

ZeroFox anticipates increased volatility in the remaining few weeks because of the major ramifications the election will have for global and U.S. stability. Threat actors are likely adjusting their strategies to undermine the elections in light of recent events and shifts in polling.

Pre-Election

Physical threats posed to the 2024 U.S. presidential election will very likely remain at an elevated level prior to—and even beyond—voting day. Attack techniques conducted during this time period will very likely seek to influence election outcomes, though as November 5 draws closer, these same techniques could disrupt or interfere with the electoral process. Physical threats in the pre-election period very likely fall into one of two categories: threats with a higher chance of realization but low impact, or low-likelihood threats that could have a substantial impact on the electoral process.

Domestic Threats

Pro-Palestinian and anti-Israel-Hamas conflict protests and demonstrations are an anticipated source of coordinated protest activity that will likely be aimed at both the Democratic and Republican Parties. The one-year anniversary (October 7, 2024) of the start of the Israel-Hamas war is approximately one month prior to the elections, with planned activities to commemorate the anniversary during the week of October 6-12.

  • Amid the heated political landscape, small counter-protests may also manifest in the vicinity of protests or campaign events, increasing the potential for clashes and increased use of force by police seeking to disperse crowds.
  • Demonstrations over the Israel-Hamas conflict erupted at universities nationwide from April to May 2024. Violent clashes ensued between protesters and security personnel, resulting in a wave of arrests and encampments across the country.
  • The beginning of the Fall 2024 semester coincided with another spike in demonstrations on campus and at government buildings, especially in major cities across the United States.

Protests relating to other social issues (such as LGBTQ+ rights, economic issues, abortion rights, and immigration) are also likely to materialize in the run-up to the election. ZeroFox has not identified any such protests announced to date but anticipates this will change in the near-term. While unlikely, some protesters could seek to target key pre-election events, polling stations, or critical infrastructure to draw attention to their cause. 

  • While not directly targeting the election, striking port workers calling for wage increases along U.S. East and Gulf ports starting on October 1 have been accused of timing the strike to influence the election.

Physical Attacks Targeting Officials

In addition to two shooting attempts targeting former President Trump, there has been an overall rise in threats and physical attacks on Western politicians—especially those linked to elections. The threat to the presidential candidates, as well as to senior campaign officials, will very likely remain high throughout the pre-election period.

  • More than 50 candidates and activists were physically assaulted during France’s recent July parliamentary elections.
  • A candidate from the German anti-immigration Alternative for Germany (AfD) party was stabbed on June 4, 2024, days before EU-wide elections on June 6. Over 80 AfD members were attacked in the year leading up to the vote.
  • Both the Slovak and Danish prime ministers were violently attacked in May and June 2024.

According to the U.S. Military Academy at West Point, the number of arrests related to threats targeting public officials has doubled in the last decade. These include a July 2024 arrest of an individual in Utah who threatened President Biden before an official visit to the state; the 2022 arrest of a man with weapons outside Supreme Court Justice Brett Kavanaugh’s home; and the attack on then-House Speaker Nancy Pelosi’s husband inside their home.

Domestic Terrorism and Armed Groups

ZeroFox has observed only small-scale threats from extremist groups—including the domestic groups that have targeted political, pro-choice, LGBTQ+, and civil rights-related gatherings in the recent past. During the 2020 election cycle, this led to clashes with counter-protesters and security forces, most of which were between groups like the Proud Boys and ANTIFA (anti-fascist).

  • Following former President Trump’s comments on immigrants in Springfield, OH, during the September 10 presidential debate, dozens of Proud Boy members gathered in the city in mid-September 2024 to demand the mass deportation of “foreigners and Haitians.” The city was also subjected to dozens of fake bomb threats.
  • Since the January 6 attack on the Capitol, the Proud Boys have participated in dozens of disruptive incidents that often resulted in violence between opposing groups over social issues such as abortion, LGBTQ+ rights, and COVID-19 vaccinations.

While the Proud Boys have attended pro-Trump events, the group is now more decentralized and relies on the existence of local chapters after several top members were arrested on January 6, 2021. Local chapters and other fringe groups (such as the Boogaloo Boys, the Three Percenters, and the Blood Tribe) are likely to reemerge amid the upcoming election to host disruptive events and potentially intimidate voters.

Intimidation of Voters

ZeroFox has observed numerous incidents of deep and dark web (DDW) actors targeting the 2024 election. This is not solely a cyber threat, as some actors have been selling and offering illicitly obtained personally identifiable information (PII) and personal financial information (PFI) on voters and candidates that present a physical threat to their security.

  • Physical threats to voters could be exacerbated by cyber threat actors doxxing voters with information that could be used to intimidate, harass, influence, or locate voters. While this data could be used to locate voters after November 5, it is likely more valuable in the lead-up to the election.

“OriginalCrazyOldFart”, a well-established threat actor known for their activity on DDW communities such as RaidForums, has recently reappeared, leaking sensitive U.S. voter data on BreachForums. Over the course of several weeks in mid-2024, OriginalCrazyOldFart released multiple datasets, which included voter information from several states. The actor’s motivation appears political, as they explicitly mention their intent to use the data to disrupt Republican efforts ahead of the upcoming elections. OriginalCrazyOldFart emphasized their intent to involve more people in influencing the elections against Trump and his supporters.

  • On September 10, 2024, OriginalCrazyOldFart posted a U.S. voter database on BreachForums. The database, reportedly comprising over 99 million records and sized at 816.3 MB, contains details such as names, addresses, phone numbers, dates of birth, and party affiliations.
  • On August 2, 2024, OriginalCrazyOldFart posted an alleged Oklahoma voter list composed of PII such as names, addresses, party affiliations, and other identifying information. While the actor encourages other threat actors to email Republican voters listed in the file, the information could also be used to physically locate voters regardless of political persuasion and try to influence their vote or prevent them from voting.
  • On July 31, 2024, OriginalCrazyOldFart shared a dataset titled “2024 Statewide North Carolina Voter list,” allegedly containing 8,695,045 lines of voter information. The file, reportedly dated June 13, 2024, includes various details such as names, addresses, phone numbers, voter registration numbers, and demographic information like race and gender.
  • In a separate post, OriginalCrazyOldFart suggested that the data could be useful for election-related activities but also warned that “thieves” could collect such voter data to target individuals maliciously.
    • The thread later garnered support from other forum members, who praised OriginalCrazyOldFart for the effort involved in assembling the data and acknowledged the utility of such voter lists for marketing or political purposes. The actor noted that most voters likely remained at the same addresses, and the deletion of files did not significantly impact the data’s overall value. They emphasized that the data, despite these changes, remained useful for anyone looking to leverage voter information for various purposes.

Threat actors specifically seeking to diminish voter turnout could use this data to locate potential voters and physically intimidate them or otherwise influence their vote. There is a roughly even chance that further voter data dumps containing PII will be released. However, ZeroFox has not observed threat actors using this type of data to influence voters, and the voter data is more likely to be utilized by financially motivated threat actors.

International Threats

The United States’ geopolitical stature and international presence ensure that both friendly and opposing states have a continued interest in the country’s leader, foreign affairs, and domestic policies. Foreign states view the shaping of U.S. elections as a means by which to ensure their own security, achieve strategic objectives, and pursue preferred outcomes to ongoing geopolitical events.

  • This is primarily a cybersecurity risk, as threats of interference or violent actions from nation-state-backed threat actors are very unlikely. However, some of the campaigns could motivate people to action over divisive election issues.

Much of this activity is considered a part of “Spamoflage”, an ongoing disinformation campaign that is almost certainly at the behest of the Chinese government. Active since as early as 2017, Spamoflage seeks to promote pro-Chinese Communist Party propaganda and influence public opinion surrounding geopolitical topics important to China.

  • Many recently-observed Spamoflage operations have taken place on social media platforms such as X and Meta, where large numbers of fake accounts appear to impersonate American voters. The accounts do not appear to overtly support either presidential candidate but, rather, seek to sow division via sharing divisive content about immigration, veterans’ welfare, and female reproductive rights.

Of the foreign states, Russian cyber activity likely poses the greatest threat to the outcome of the upcoming election.

  • Immediately following the shooting of former President Trump at the Butler, PA, rally, pro-Russia websites masquerading as U.S. news outlets posted incendiary, misleading disinformation, such as unsubstantiated claims the Democratic Party was involved. The sites leverage easily accessible artificial intelligence (AI) tools to produce inflammatory content, intending to promote controversial or inaccurate narratives.

Russia has also been accused of sponsoring mass sabotage events in other Western countries hosting elections or important events.

  • In France, days before the Olympics, saboteurs targeted rail and internet cables outside of Paris in nine different areas, likely because security forces were concentrated on downtown Paris.

While no culprits have been identified, ZeroFox warned before the Olympics that Russian-backed threat actors had been staging sabotage events throughout Europe as part of their hybrid war against Ukraine supporters. This has included attacks on pro-EU protesters and politicians running in the June EU elections. The attacks have mainly occurred in eastern European countries, but Germany has also reportedly been subjected to Russian-backed acts of sabotage and arrested Germans paid and recruited by Russia over the issue in 2024.

Russia likely has limited resources to conduct these sorts of acts of sabotage in the United States or to recruit U.S. nationals to stage violent attacks or target critical infrastructure.

Lone-Actor Terror Attacks

Since the Israel-Hamas war began in October 2023, authorities have issued several security warnings over the heightened risk of a terror attack on large gatherings. Despite the warnings issued, it is very unlikely that the Islamic State (IS) or similar groups have the capability to carry out a large-scale coordinated attack on the U.S. elections. Rather, security forces are more likely concerned about the risk of lone wolves hitting soft targets, such as protests, campaign events, voters waiting in line to vote, or other election-related activities, like watch parties. 

  • IS welcomes and encourages lone-wolf attacks in its name. Unlike larger orchestrated attacks, knife/small arms attacks and vehicular assaults require little instruction. These could include unsophisticated improvised explosive devices (IEDs) that attackers learn to build online.

Voting Period

Due to a shortened time frame demanding more decisive action from malicious actors that seek to have an effect, threats during the voting period of the election are more likely intended to directly impact the outcome or obstruct and delay electoral processes. At this stage, there is a high threat from attackers seeking to prevent votes from being effectively cast. 

Protests and Intimidation of Voters at Polling Places

The primary physical security concerns during the voting period center on potential violence and intimidation at polling locations. Security forces are concerned about intimidation or violence at polling places and against election workers by protest groups, and armed groups or individuals monitoring elections and potentially intimidating voters. Threats against those counting ballots, elected officials, and election workers have increased significantly in recent years—especially in swing states. While potentially less violent, ideological protest groups gathering near polling locations also risk improperly influencing voters during the voting period. 

  • Most jurisdictions have clear laws prohibiting political groups from congregating outside or near voting locations, and security forces generally arrive quickly when an incident occurs. However, the risk of large protests or gatherings cannot be ruled out given the polarized political atmosphere.
  • Armed groups could gather at polling places to observe the elections under the guise of monitoring for things like fraud but could end up intimidating voters and preventing the voting process. This extends to drop box locations as well.
  • Election workers could also be threatened during the voting process.

There are added concerns that political strategies that bring supporters closer to the electoral process risk a physical confrontation between those hoping to influence the elections and those perceived to be obstructing them, including election officials and law enforcement. 

  • The potential of having poll watchers monitoring elections who are already prepared to challenge election results, voters, and officials before the election could lead to violence—particularly in closely-contested elections during and in the aftermath of the election. Election officials fear more ideological poll watchers could delay voting, lead to long lines, and even erupt into violent clashes given the severely polarized political environment.
  • Public exposure of these election officials could lead to targeted harassment, which may discourage involvement in political discourse or policy-making.
  • Disinformation posts aimed at discrediting candidates and casting doubts on the voting system may incite radical supporters. This disinformation risk will continue throughout the voting period and could encourage acts of violence in the lead-up to and immediately after the elections.

Social media disinformation designed to incite physical violence, disruptions, or other physical repercussions is also a very likely threat to the U.S. elections. Such disinformation can spread rapidly, fueling anger, distrust, and division. There have been posts calling people to “always carry” arms and claiming that there is no “prohibited place,” which will likely lead to physical violence or altercations. 

  • Several accounts on X have been circulating videos supposedly of a “group of Syrians” carrying ammunition and in tactical gear. These accounts claim that Americans will face “absolute chaos” before the elections, urging people to “buy guns and ammo.” It is important to note that the videos have not been verified and are likely being distributed to incite volatile public reactions.

Several posts emerged on X after the first presidential debate urging people to “stock up” on artillery. Many of these posts cited Vice President Harris’ alleged comments about confiscating ammunition if she is elected.

The ongoing risk to workers in recent elections has likely contributed to the high turnover rate of election officials. Normally around 75 percent of election workers remain on staff for the next election, but that has decreased to only around 60 percent in recent elections.

  • Many of the new employees may be more ideological than the previous ones, contributing to an insider threat risk where a campaign official uses their authorized access to interfere in the election. An insider could then alter or destroy ballots, steal proprietary information, or intimidate other staff members or voters.

Post-Election

Post-election physical threats will very likely center upon claims that the election was fraudulent, with protests very likely and violence likely. Such claims will likely be underpinned by the widespread proliferation of mis-, dis-, and malinformation campaigns aimed at undermining democratic procedures, questioning the authenticity of the electoral processes and results, and continuing to maintain political relevance by denigrating opposition parties.

The groundwork is already being laid to challenge election results, which—in addition to escalating tensions between both major parties—very likely means that physical security threats will persist long beyond November 5.

  • Dozens of lawsuits have been filed related to the start dates of early voting, how votes will be counted, and the validity of mail-in ballots. Similar lawsuits were brought after the 2020 election and provided some of the motivation for the January 6, 2021, attack on the U.S. Capitol.
  • These new lawsuits have brought lawyers and activists from both sides into courtrooms to either challenge or defend a particular jurisdiction's voting rules. Activists in some jurisdictions are calling to reduce the time for early voting, make last-minute changes to how votes are counted, and disqualify mail-in ballots—despite mail-in ballots largely already being mailed and early voting starting in some states as early as mid-September.
  • In the event of an electoral loss, the losing side is likely to blame the electoral system, pointing to either last-minute changes that disqualified votes or vulnerabilities that permitted fraud.

The greatest threat is expected to stem from prominent figures seeking to establish an early narrative that can later be used to garner support and incite unrest or discontent should final counts lead to outcomes considered unfavorable. Some likely claims include:

  • Votes were not properly counted, and a recount should take place. This is most likely to occur in swing states that will have a disproportionate impact on the outcome of the election.
  • Votes in certain states have been “rigged” or otherwise tampered with. This is most likely to occur in states within which pre-election polls had indicated alternative results.
  • Voters have been misled or confused by changes made to voting methods, rules, times and dates, or legislation.
  • Significant domestic or international events, such as natural disasters or epidemics, have led to mass confusion and disarray.
  • Earlier examples of interference, disruption, or malpractice associated with election procedures are reinvigorated and used to explain unexpected outcomes, even if such activity has already been accounted for or rectified.

The bulk of the elevated fear of election-related violence surrounds “Stop the Steal”-linked movements. “Stop the Steal” supporters assert that the 2020 presidential election was stolen and claim those same forces are threatening election outcomes. Conversely, the “Big Lie” movement counters “Stop the Steal” supporters by asserting that the 2020 election was decided fairly.

Depending on the results, there are concerns about attacks against government buildings and law enforcement officials by those who believe the election was unfair. The certification process, particularly in swing states, could lead to unrest.

  • Factors that could increase risk of unrest in 2024 include a candidate making claims of election fraud—particularly in the event of a close election result in one of the seven major U.S. swing states. Online disinformation and conspiracy theories continue to be a concern for fueling potential violence.

Social media disinformation alleging election fraud is also very likely to evoke volatile reactions, leading to erosion of voter trust in the aftermath of electoral process or even physical reactions—including clashes between supporters of the different presidential campaigns. Several users have taken to social media to post incendiary claims about voters committing election fraud, which will likely incite physical violence, intimidate voters, and disrupt the flow of activities at polling stations. 

An X post featuring a video of “an elections worker ripping Donald Trump’s ballots live on Instagram” has been circulated. However, through the community notes feature on the X app, users have added context to the video indicating that it was filmed in 2020 as a joke and was aimed at garnering engagement. Such posts are likely to evoke unprecedented online debates that can, in turn, lead to other consequences, including loss of voter trust in the electoral process. 

  • Supporters of the Democratic and the Republican campaigns have posted claims about the other side committing election fraud, accusing them of “cheating” during elections. These posts are very likely to agitate supporters of the opposing campaign, likely evoking either incendiary digital responses or even leading to potential physical altercations.
  • Some posts are directly claiming that voters supporting certain candidates will cause “chaos” on the day of the election. Such disinformation posts aimed at discrediting candidates and casting doubts on the voting system may incite acts of violence in the lead-up to the elections and immediately after, should their preferred candidate lose.

Immediately following a disputed election, security forces will likely focus on election infrastructure at the precinct, county, and state level, where votes must be counted and the results certified at least six days before the Electoral College meets on December 17. 

  • Threats or violence could occur because of recounts, audits, or close elections where one candidate does not concede or makes an allegation of fraud.
  • Ideological poll workers or election officials at the precinct level could face pressure to alter the election results.

Conclusion

Given the severely polarized political environment and heightened sentiments among supporters of both major U.S. parties, the threat of politically motivated violence during the election cycle is high. The potential for large-scale protests and civil unrest exists throughout the election period. There have already been two shooting attempts against former President Trump during the campaign season, while potential attacks aimed at influencing or intimidating voters are most likely on election day. The security threat is arguably highest immediately after the vote—especially if the losing party challenges the veracity of the election.

The combination of elevated tensions, rhetoric, and online disinformation could lead to further politically motivated attacks. The bulk of threats revolve around election integrity concerns, but other campaign issues—including immigration, inflation, racism, and abortion rights—are also key.

ZeroFox Intelligence Recommendations

  • When visiting polling locations, be aware of surroundings and report any incidents of intimidation, violence, or otherwise suspicious activity to staff or law enforcement.
  • Use diverse media sources to remain informed of any future or ongoing threats (such as protest activity or law enforcement warnings) in polling locations and surrounding areas.
  • Consider voting early or by mail if there is reason to believe that disruption, intimidation, or violence could take place at local polling facilities on November 5, 2024.
  • Avoid publicly sharing personal details and political viewpoints on social media platforms and other online forums.
  • Report suspected electoral fraud, such as intimidation or bribery, to the relevant authorities.
    • hXXps://www.usa[.]gov/voter-fraud
  • Staff at polling facilities should follow proper procedures when handling ballots, security furniture, voting equipment, and auditing protocols, as advised by the U.S. Election Assistance Commission.
  • Staff at polling facilities should be educated and advised on the threat posed from insiders. Guidance from the Cybersecurity & Infrastructure Security Agency (CISA) should be used to minimize risk and report incidents.
