Just days after supporters of former President Donald Trump violently stormed the Capitol on Jan. 6, Ali Alexander, one of the primary organizers of the rally that day, appeared to be busy, attempting to hide his ties to dozens and dozens of websites calling the 2020 election stolen.
Domains tied to Alexander that pushed Stop the Steal, which the Daily Dot reviewed, including ones he publicly posted on as himself, were scrambled in the wake of the riot to hide ownership. But hacked documents show they trace right back to Ali and an anonymize service from the web hosting company Epik.
In the run-up to the failed insurrection, which was sparked by weeks of false allegations regarding widespread voter fraud in the 2020 presidential election, Alexander had positioned himself as the movement’s de facto leader with his “Stop the Steal” campaign.
At a Dec. 19 rally in Arizona that he spoke at, Alexander made his intentions for Jan. 6 clear: He and his legion of followers would do whatever was necessary to stop Congress from certifying the electoral votes of President Joe Biden’s victory.
“We’re going to convince them to not certify the vote on Jan. 6 by marching hundreds of thousands, if not millions of patriots, to sit their butts in D.C. and close that city down, right?” Alexander said that December day. “And if we have to explore options after that…”
Alexander has been a prominent backchannel in Republican politics for nearly two decades. He’s also pled guilty to felony charges under a previous name, when he was known as Ali Akbar. He’s been friendly with far-right operatives like Laura Loomer and Jacob Wohl. He also has ties to Roger Stone, who is under investigation for his role in fomenting the Capitol riot. At the time of the Capitol riot, Alexander had almost a quarter of a million Twitter followers.
On the night before the riot, Alexander was filmed chanting “Victory or Death” to an enthusiastic crowd. He’d also dubbed himself an official co-ordinator of the Jan. 6 event, and was filmed on a roof during the rally glowing about its success.
When the dust finally settled on Jan. 6, Alexander had already seemed to start an effort to obfuscate his ties to the movement. With five deaths, hundreds of injuries, and extensive damage to the Capitol, the conspiracy theorist would find himself facing permanent suspensions across social media before eventually going into hiding.
As the national outrage over the riot intensified, work appeared to be happening behind the scenes. On Jan. 15, just nine days after the failed insurrection, Alexander, or someone working with him, took steps to anonymize his personal information on the registrations for more than 100 domains. Nearly half of those domains are directly related to Stop the Steal. Domains such as stopthestealmovement.com, stopthestealnews.com, and stopthestealupdates.com were all scrambled in the wake of the riot.
Alexander had opted to entrust his web addresses with the domain registrar company Epik, which offers a domain privacy feature known as “Anonymize.” The decision would, theoretically, keep the public from discovering which domains he owned.
Yet on Sept. 13, the hacking collective Anonymous announced that it had pilfered a decade’s worth of data from Epik, a company known best for hosting extremist websites. Although the company initially claimed to be unaware of a breach, Epik CEO Rob Monster later said in a bizarre, four-hour-long video conference that hackers had obtained a backup of its data.
Released online in a torrent, the 180-gigabyte data cache included, among other things, domain registrations and account credentials as well as the personal details of individuals who had registered some of the internet’s most notorious far-right domains.
Analysis of the data by the Daily Dot was able to link an email tied to Alexander to 122 separate domains. On Jan. 15, the far-right figure received an email to a ProtonMail address thanking him for setting up an Anonymize account.
“Dear Ali A,” the email begins. “Thank you for signing up with us. Your new account has been setup and you can now login to our client area using the details below.”
By searching through the hacked data for the ProtonMail address used to register the account, the Daily Dot was able to locate Alexander’s Anonymize profile. The data includes Alexander’s username and hashed password as well as a phone number and address. The address appears to be that of a UPS store in Texas. The Fort Worth Star-Telegram previously tied that UPS address to Alexander.
The Daily Dot made repeated attempts to reach Alexander over the phone number and email address found in the breach but did not receive a reply by press time.
The account creation date listed under Alexander’s account information, Jan. 15, matches the date of the email that says he signed up for the Anonymize service.
The account for Alexander was assigned a unique ID, that would take the place of his actual name on his public domain registrars. The Daily Dot is not disclosing Alexander’s ID.
Anonymize provides all its users with an email address based on the five digits in their unique ID. Those numbers show up across Alexander’s web presence.
Querying the Anonymize email address in the breach uncovers every domain that it appears the far-right figure apparently attempted to hide. Had the hack of Epik not been so expansive, some of the domains may have been difficult if not impossible to link to Alexander based just on the Anonymize email address alone.
Many of the domains, however, do little to hide their true owner. Among the domains listed include AliAlexander.org, the primary website where Alexander solicits donations as “the most deplatformed man in the world.”
A mailing address on the website also matches the one seen in Alexander’s Anonymize profile.
Other domains carry similar themes surrounding Alexander’s alleged persecution, such as NoPlatformed.com. And although many of the domains are either for sale or vacant, others host operating websites.
The domain JoeBidenIsSick.com, for example, is dedicated to the claim that the president is suffering from Parkinson’s disease. Alexander, who publicly acknowledged his ownership of the domain after launching it last year, offers an array of merchandise on the site including branded hats, T-shirts, and fanny packs.
Although Alexander has since scrubbed his name from the website, viewing the current domain registrar for JoeBidenIsSick.com confirms the account holder’s email matches Alexander’s anonymize address.
Numerous domains also make reference to Alexander’s religious beliefs, including ChristianNationalism.us, Apostolates.com, and CommunionOfPatriots.com.
But aside from a handful of sites linked to politicians, such as TheOfficeOfDonaldJTrump.com and HarrisAdministration.net, the significant portion of domains owned by Alexander were tied to the Stop the Steal movement. The Daily Dot was able to obtain a list of 57 such domains.
All were anonymized in the wake of the Capitol riot.
Alexander, according to the law enforcement sources speaking with the Washington Post, was placed under investigation by the FBI in the wake of Jan. 6. No charges have been filed against him thus far.
Interestingly enough, the address tied to Alexander also chose to register the domain CapitolInvestigation.org just one day after signing up for Epik’s domain privacy service.
Despite the negative attention on Alexander, the far-right figure in February told his supporters that he was still committed to doing away “with this whole system.”
“I’ve been licking my wounds, but I’ve been plotting,” Alexander said. “I’ve been planning. I’ve been scheming.”
Alexander’s future plans remain unclear. For now, Alexander is fueling his crusade by charging his followers $500 a year to read his personal blog.