Analysis: Election hacking has become a global industry and the costs involved are shockingly low
As elections around the globe face heightened scrutiny, an unsettling reality is coming to light: the rise of Election Hacking as a Service (HaaS). Far from the stereotype of isolated hackers working in basements, today's election manipulation is an organised business, with services bought and sold on the dark web.
In 2016, Russian operatives spent a mere $100,000 on Facebook ads to influence over 126 million Americans ahead of the US election. In 2020, Iranian hackers posed as the far-right group Proud Boys, sending threatening emails to voters in swing states.
Meanwhile, disinformation-for-hire services, available on the dark web offer clients the ability to manipulate elections on a global scale. These aren't just isolated incidents. Election hacking has now become a global industry, and the costs are shockingly low. With critical elections in the U.S. and Ireland approaching, the question isn’t if interference will happen, but how devastating it will be this time.
We need your consent to load this rte-player contentWe use rte-player to manage extra content that can set cookies on your device and collect data about your activity. Please review their details and accept them to load the content.Manage Preferences
From RTÉ Radio 1's Today with Claire Byrne, Chairman of Smarttech247 Ronan Murphy on why the dark web has all your personal data and what you can do about it
Much like Software as a Service (SaaS), HaaS offers specific hacking tools and services for rent, giving users the ability to carry out attacks without deep technical expertise. Dark web marketplaces are the home for this industry, where clients can browse offerings, negotiate prices, and even rate the effectiveness of hackers they hire. In these shadowy corners of the internet, democracy is up for sale as these marketplaces and forums openly advertise election hacking tools and services.
For example, election manipulation could start with phishing attacks where hackers use crafted emails to trick campaign workers or public officials into handing over login credentials used to provide access to sensitive databases, campaign strategies, and private emails.
A basic phishing kit complete with pre-made email templates, instructions, and malicious software-are readily available on the dark web and can cost as little as $50. More advanced kits with extra layers of social engineering, such as domain spoofing (making an email look like it’s coming from a trusted source), can fetch up to $500. Spear-phishing campaigns on the other hand, are highly targeted attacks and can cost anywhere from $500 to $5,000 per campaign.
We need your consent to load this rte-player contentWe use rte-player to manage extra content that can set cookies on your device and collect data about your activity. Please review their details and accept them to load the content.Manage Preferences
From RTÉ Radio 1's Today with Claire Byrne, DCU FuJo's Dr Eileen Culloty on whether we're ready to deal with disinformation at the next general election
In India, cybercrime experts ahead of the 2019 general elections raised concerns over a spike in phishing attempts targeting election officials, with fears that sensitive voter data could fall into the wrong hands. This was echoed previously in the lead-up to the 2017 Kenyan election where phishing emails were reportedly used to target key political figures and officials.
Fancy Bear (APT28), a hacking group with ties to Russian military intelligence, famously used phishing techniques to infiltrate the Democratic National Committee (DNC) during the 2016 U.S. election. Emails stolen in the attack were leaked via WikiLeaks in the months leading up to the election, leading to widespread controversy and fuelling disinformation narratives. This breach played a significant role in shaping public opinion and the political landscape, ultimately raising doubts about the integrity of the election.
Another example might involve a Distributed Denial of Service (DDoS) attack, which overwhelms servers with traffic, taking them offline. In an election context, DDoS attacks can shut down crucial systems such as voter registration databases, government websites, and election reporting services. Renting a botnet for a DDoS attack starts at $5 for a small-scale attack that lasts for 300 seconds, while a three-hour attack may cost around $60 on some marketplaces. These can increase in scale and can go as high as $1,500 for larger, more sustained operations.
READ: The growing online threats to sabotage elections
This low price point makes it a favourite tactic for disrupting election websites or media outlets reporting election results as was seen in the 2014 and 2019 Ukrainian presidential election, when hackers used DDoS attacks to target the Central Election Commission's website to disrupt the vote count. Fortunately, Ukrainian cybersecurity teams were able to neutralise the attacks before they had a significant impact on the outcome, but the incident showcased how DDoS attacks could be used to paralyse election infrastructure at a critical time.
Perhaps the most concerning aspect of modern election hacking isn't the direct interference with technical infrastructure, but rather the subtle manipulation of voters through disinformation. These operations are not as technically complex as the previous examples, but their impact is arguably more insidious. By hijacking social media accounts or deploying bot networks, hackers can flood platforms like Facebook, Twitter, and Instagram with misleading posts designed to sway public opinion.
In the lead-up to the 2020 U.S. election, the Internet Research Agency (IRA), a Russian organisation specialising in social media manipulation, used fake accounts and bot networks to promote conspiracy theories, deepen political polarisation, and create distrust in the election system itself. This campaign cost an estimated $1.25 million per month which was primarily spent on fake accounts, social media ads, and content creation which reached millions of U.S. voters with the intent to undermine confidence in democracy.
We need your consent to load this rte-player contentWe use rte-player to manage extra content that can set cookies on your device and collect data about your activity. Please review their details and accept them to load the content.Manage Preferences
From RTÉ Radio 1's The Ray D'Arcy Show, AI and deep fakes Expert Advisor Henry Ajder on how to recognise deep fake scams and protect yourself online
Recent findings have revealed that a buyer can rent a small botnet for $100 which is capable of sending out thousands of tweets or posts. If the same buyer has $500, they can scale up and deploy a more powerful bot army that amplifies disinformation or spreads propaganda. More recently, in 2023, a deepfake audio of a candidate claiming to have rigged the election went viral hours before polls closed in the Slovakian presidential election, resulting in that candidate's defeat.
Pricing for these illicit online services can vary widely and change rapidly, with cryptocurrency payments making transactions harder to trace. What is true, however, is that for a relatively low cost, political campaigns, rogue actors, or ideologically motivated individuals can now disrupt elections. The barrier to entry is no longer the technical knowledge required but the willingness to pay.
Election hacking services offer a way for nefarious actors to punch above their weight and disrupt the electoral process
With a budget as modest as $1,000, one could theoretically influence public discourse in a small constituency through targeted misinformation and fake social media campaigns. For an additional few thousand dollars, hackers could launch a cyberattack to destabilise voting infrastructure or steal sensitive election data. Compare these figures to the costs of running a legitimate political campaign.
In the US, the average cost of running for a seat in the House of Representatives exceeds $2 million, and Senate races can cost upwards of $10 million. In contrast, election hacking services offer a way for nefarious actors to punch above their weight, disrupting the electoral process for a fraction of the price. When elections can be hacked for less than the cost of a campaign ad, democracy itself becomes the target. Are we ready to accept that the true cost of our democracy might be just a click away?
Follow RTÉ Brainstorm on WhatsApp and Instagram for more stories and updates
The views expressed here are those of the author and do not represent or reflect the views of RTÉ
