An Indiana man named Jesse D. Allen created a website in 2005 with the title AllForUSA.com, apparently to pursue some business interests, but he soon abandoned the site. A decade later, at the age of 80, Allen died.
But AllForUSA was just getting started.
As the 2016 presidential campaign heated up, AllForUSA.com suddenly bristled with what appeared to be news articles celebrating Republican presidential nominee Donald Trump and bashing his Democratic rival Hillary Clinton. “HILLARY May END UP in PRISON AFTER ALL,” read one headline.
On Reddit, the commenter “allforusa” posted similar messages and linked to headlines on AllForUSA.com. On Freelancer.com, somebody solicited paid blog posts and mentioned the “AllForUSA” name targeting American audiences. The following year, after Trump’s election, a Twitter account named “@allforusa11” retweeted the president before inexplicably changing subjects to tweet about feminism — in Japanese.
The final twist came a few months later when AllForUSA.com was reborn again — this time as a Russian online gambling site.
A clue to the mystery of this multilingual burst of activity appeared in a February indictment by special counsel Robert S. Mueller III. It said the Russians who operated fake social media accounts to manipulate American voters used email@example.com to fraudulently access a PayPal account and to promote a “March for Trump” campaign rally in New York.
The other “AllForUSA” accounts probably were operated in tandem with this email address and with each other, according to a report Monday from cyberintelligence firm GroupSense, whose researchers found a subtle tangle of connections left in records discovered online.
The report highlights how data breaches fuel nefarious online activity, giving criminal hackers and disinformation teams an endless supply of cheap accounts to use individually or for networks of “bots,” automated accounts controlled by a single operative. All this typically takes place without the original owners knowing what happened to their creations.
The GroupSense discovery also underscores how disinformation operations such as the Russian one named in the indictment, the Internet Research Agency, work across multiple platforms to bolster the credibility and prominence of their posts. Acquiring and repurposing real accounts — created by people who had forgotten or simply abandoned them — probably helped Russians evade detection by offering the illusion of authenticity, experts say.
“These things get bought, sold and traded online,” said Tom Richards, the chief strategy officer for GroupSense, based in Arlington, Va. “An account with some age or historic activity or even indications that it belongs to a real person is more valuable because it looks more normal.”
Experts say that criminals working on the so-called dark web — the parts of the Internet that are hard for average users to reach because they require specific software or credentials — routinely sell hacked email addresses, social media account handles and passwords.
“These operations thrive on our digital security vulnerabilities,” said Camille Francois, director of research and analysis for Graphika, a network analytics firm that studied the GroupSense data with its permission. “They make ample use of stolen credentials, repurposed identities, spam markets, etc. Better digital security protection for all users will make it harder to manipulate online conversations.”
Unraveling the story of the AllForUSA accounts started with the Mueller indictment’s reference to email accounts allegedly used by Internet Research Agency operatives. (Some of those indicted have disputed Mueller’s allegations.)
Richards checked the accounts against a database GroupSense has amassed of more than 5 billion hacked emails and passwords to see if any matched. Of 13 email addresses listed in the indictment, a single one matched — firstname.lastname@example.org — meaning it had been swept up in a data breach. Other email addresses named in the indictment also may have been abandoned or hacked accounts but were not part of the GroupSense database.
Starting with the Yahoo email address, Richards found the similarly named “allforusa” account on Reddit’s “r/The_Donald” discussion group, which is favored by supporters of Trump. One Reddit post from “allforusa” to “r/The_Donald” linked to a story on the AllForUSA.com website, seemingly during the 2016 election, with the headline “After Tim Kaine Loses VP Debate, New Doubts About Hillary.”
Richards figured out how the Yahoo email address fit in the puzzle by attempting to reset the password on the “allforusa” Reddit account. When he tried a random email account, it wouldn’t reset the password. When he plugged in “email@example.com,” it suddenly did, suggesting that the Reddit and Yahoo accounts may have been affiliated.
After initial publication of this article, Reddit said in a statement, “When actionable details of malicious accounts and/or email addresses on any platform are released by government sources, it is our standard practice to investigate so as to detect and action, when appropriate, any potentially congruent suspicious accounts on our site … There is no account on Reddit linked to the email address ‘firstname.lastname@example.org’ as claimed in a recent report by a consulting firm cited by the Washington Post.”
Posts from the Reddit account stopped being available online soon after Richards reset the password for the account, but the posts have since reappeared.
For Richards, the next clue in his search was found in domain registration records for AllForUSA.com from 2005 showing that the original website registration belonged to Allen, of the Indianapolis suburb of Speedway. Richards also found business records showing that Allen had registered a company in Marion County, Ind., called “All for One.” (A relative of Allen’s confirmed his death in 2015 but had no information on the website or the business.) AllForUSA.com was suspended in 2006.
What happened between 2006, when AllForUSA.com was suspended, and 2016 remains a mystery.
There is no reference to Allen in domain records from 2016; instead they refer to a Canadian privacy service that allows Internet users to obscure the ownership of a website. But by August that year the site had acquired a rippling flag logo in the shape of the continental United States and was touting such headlines as “FBI recovers 30 deleted Clinton emails from Benghazi attack.”
It’s not clear when the site began promoting online gambling, but as recently as June it offered digital versions of roulette, poker and digital card games in Russian before becoming unavailable in recent weeks, amid the GroupSense research.
GroupSense did find a few other connections. A Twitter account, @allforusa, tweeted once in 2010 — in support of a filibuster by Sen. Bernie Sanders (I) of Vermont — before going quiet. A second Twitter account, @allforusa11, appeared to briefly post pro-Trump content in 2016 and 2017 before switching to Japanese and eventually getting suspended. (Twitter has suspended tens of millions of fake and suspicious accounts in recent months.)
Twitter declined to comment.
Checks of similarly named accounts on Facebook and Instagram did not yield clear connections in the GroupSense research, but one last site with a link was on Google+, the lightly used social media site run by the search giant Google. A Google+ account posted links to AllForUSA.com and also some political content criticizing Republican Mitt Romney. The Google+ account posted ads for Christmas gifts last year, including a TAG Heuer watch, a pearl necklace and a variable speed foot massager.
The GroupSense researchers also investigated the possibility of a much larger set of abandoned accounts either created or operated by a single group. The key to this line of inquiry was the password for the Yahoo email address: the word “shark” followed by a five-digit number.
When Richards checked to see if “shark” and other five-digit numbers were passwords to email addresses in the database, he turned up more than 800,000 matches — many times more than for similar combinations, such as “shark” plus a four-digit number.
The similar password constructions suggested either a single operation managing fake accounts or multiple operations using a similar password-creating tool, GroupSense researchers said. They also found matches when other five-letter words — such as “march,” “lunch,” “glass,” “table,” “frame” and “phone” — were paired with five-digit numbers, producing an overall set of 9.5 million accounts with similar password styles.
“It’s either an actor or a group of actors,” said Kurtis Minder, chief executive for GroupSense. “We think there is, at least for a set of these accounts, a common source.”
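The comparison described above, a word followed by five digits measured against the same word followed by four, can be sketched as a template count over a credential corpus. This is an added example, not GroupSense's code; the function names, thresholds and sample passwords are constructed for illustration, and it generalizes the check from "shark" to any five-letter stem.

```python
import re
from collections import Counter

# Lowercase word stem followed only by digits, e.g. "shark12345".
TEMPLATE = re.compile(r"^([a-z]+)(\d+)$")

def template_counts(passwords):
    """Count passwords per (stem, number_of_digits) template."""
    counts = Counter()
    for pw in passwords:
        m = TEMPLATE.match(pw)
        if m:
            counts[(m.group(1), len(m.group(2)))] += 1
    return counts

def flag_stems(passwords, letters=5, digits=5, min_count=20, min_ratio=5.0):
    """Return stems whose word+`digits` count dwarfs the word+(digits-1) count.

    min_count and min_ratio are illustrative thresholds, not values from the report.
    """
    counts = template_counts(passwords)
    flagged = {}
    for (stem, n), hits in counts.items():
        if len(stem) != letters or n != digits or hits < min_count:
            continue
        baseline = counts.get((stem, digits - 1), 0)
        ratio = hits / max(baseline, 1)  # avoid division by zero
        if ratio >= min_ratio:
            flagged[stem] = {"hits": hits, "baseline": baseline, "ratio": round(ratio, 1)}
    return flagged

def sample_corpus():
    """Constructed sample data: no real credentials."""
    corpus = [f"shark{10000 + 37 * i}" for i in range(40)]  # machine-like cluster
    corpus += [f"shark{1980 + i}" for i in range(3)]
    corpus += [f"table{20000 + 91 * i}" for i in range(30)]
    corpus += [f"table{2001 + i}" for i in range(2)]
    corpus += [f"tiger{1970 + i}" for i in range(25)]       # human-like: word + year
    corpus += [f"tiger{30000 + i}" for i in range(4)]
    corpus += ["Password1!", "qwerty", "letmein123", "horse99999"]
    return corpus

if __name__ == "__main__":
    for stem, stats in sorted(flag_stems(sample_corpus()).items()):
        print(stem, stats)
```

Stems that people pick by hand tend to pair with four-digit years, so a stem whose five-digit count far exceeds its four-digit count stands out as a candidate for generated accounts.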
Ellen Nakashima and Julie Tate contributed to this report.
Clarification: This story has been updated to include a statement from Reddit that no account on its platform is associated with the Yahoo email address. The Washington Post did not seek comment from Reddit prior to publication.