December 4, 2020
Thomas Brewster, Forbes Staff
Cybersecurity. Associate editor at Forbes, covering cybercrime, privacy, security and surveillance.
On the morning of November 5, as the 2020 election hung in the balance, Arizona federal agents raided a two-story house in Fountain Hills, Maricopa County, a county that had become a key battleground in the presidential race. The agents were looking for evidence of a cyberattack on an unnamed organization and stolen voter data. They left with eight hard drives, three computers and a bag of USB sticks. The resident of the property, a 56-year-old IT expert named Elliot Kerwin, was served the warrant. He is not yet facing charges and was unreachable for comment at the time of publication. There is no indication that anything other than voters’ information, which can be acquired for a few hundred dollars in Arizona counties, was taken from the affected office.
The warrant, discovered by Forbes this week, reveals investigators have been looking into a computer intrusion at an unnamed “victim office,” which occurred from October 21 to November 4. At the Kerwin residence, they were looking for any evidence within the seized computers that showed they’d been used to access the IT network at the office, as well as “protected voters’ information” and any indication that it had been disseminated to other people.
Of the 15 county recorder’s offices contacted by Forbes about the investigation, only one, Maricopa County, confirmed voter data had been stolen, noting that a federal investigation was under way. The Maricopa County Recorder’s office, which is just 30 minutes’ drive south from Kerwin’s home, did not confirm whether or not the investigation was the same as that referred to in the search warrant.
“Analysis by the Maricopa County Recorder’s Office IT Security indicates an unauthorized individual gathered publicly accessible voter information from our website,” a spokesperson said. They didn’t specify what voter information and declined to comment any further on the nature of the attack. The data trove could be significant; there were more than 2.5 million registered voters in the county for the 2020 election.
“Additional security controls were put in place to mitigate against this activity occurring in the future. The Maricopa County Recorder’s Office has reported this to proper authorities and law enforcement personnel, and there is an ongoing investigation by the FBI at this time. The FBI informed our office today they served a warrant,” the spokesperson added.
The Justice Department in Arizona told Forbes it couldn’t comment. An FBI spokesperson said they could neither confirm nor deny any investigation. The full scope of the investigation and the breach of Maricopa County’s website remains under seal.
The investigation is the only known probe by the FBI into a cyberattack on an electoral body responsible for handling the 2020 election. But there is no evidence to suggest that any theft of voter registration data could’ve had an impact on the election in Arizona. It’s possible to simply buy voter data from Maricopa County, costing as little as $328 for 1 million or more records. The systems used to count votes in Maricopa County were not affected. And despite fears of foreign interference and voter fraud, the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has stated the 2020 election was the “most secure in American history.”
Arizona and Maricopa County are at the center of an attempt by the Republican Party to challenge the results of the presidential election. The county was deemed crucial to the presidential race, dubbed the “Arizona county that could decide the future of Trump.” Maricopa County and the state of Arizona ended up being taken by the Democrats, helping President-elect Joe Biden on his way to the White House. Despite Maricopa County certifying Biden’s 45,000-vote lead in November, it remains a contested region, as Arizona’s Republican Party Chairwoman Kelli Ward filed a lawsuit looking for irregularities among 28,000 ballots that were duplicated as voters’ earlier ballots were damaged or couldn’t be tabulated, as reported by the AP this week.
So far, the Trump Administration’s attempts to overturn election counts have not gone in the president’s favor. Most significantly, in November, a lawsuit seeking to block Pennsylvania from certifying its election results was dismissed, while a recount that cost Trump’s legal team $5 million in Wisconsin only extended Biden’s lead.
Who is Elliot Kerwin?
Attempts to contact Kerwin, the Phoenix resident, over mobile, his Signal encrypted messenger account and his Gmail were unsuccessful.
It’s not the first time Kerwin has been investigated by police. According to a police report obtained by Forbes, on April 1, 2011, when he was the IT administrator for the City of Ashland, Wisconsin, he was questioned by police regarding spoof emails, sent out just ahead of a local election.
Initially, Kerwin denied any knowledge of who sent the emails, assisting police in looking through local government servers to determine the author of the emails. He eventually admitted to sending emails from the City of Ashland’s own IT systems, posing as former councilor James Melin and city resident Zygmund Jablonski Jr. The emails, handed to Forbes by the now-defunct local publication the Ashland Current, made little sense and were written in all caps, but referenced the election. At the time, Jablonski said he was concerned the faked emails were trying to “put some type of spin on the election.”
No charges were filed as it was deemed that the City of Ashland had dealt with the matter, though an Ashland Current report indicated Kerwin had resigned in June of that year. According to the police report, Kerwin said he sent the emails as an April Fools’ joke and as satire. An officer told him that if it was a joke, “It would’ve been best to tell us then rather than allow us to prepare subpoenas and drag the matter out,” according to the police report.
Since leaving local government, Kerwin has been running his own IT companies, one named Loon-a-Tech, where he promised “assistance with viruses, malware and security software.” According to his online CV, that Mercer, Wisconsin, business was closed in mid-2019, when he set up Desert Oasis Technology in Fountain Hills, Arizona, just northeast of metropolitan Phoenix. He also set up a sister company, Desert Oasis Tactical, which lists four specialties: weapon, warrior, defense and research. Amongst his services at his tech company are “cyber forensics” and “surveillance.”