A cartoon man sitting at a computer.

AniWhite/Shutterstock (Licensed)

Epik hack reveals prominent, Trump-supporting websites under subpoena investigation

An internal ticketing system at Epik reveals subpoenas targeting far-right sites.

 

Mikael Thalen

Tech

Published Sep 24, 2021   Updated Sep 27, 2021, 6:16 am CDT

Data from the Epik hack leak reveals subpoenas and preservation requests directed to the company for information about some of its customers, apparently issued in the wake of Jan. 6.

Data leaked online from the hack of web hosting company Epik appears to reveal domains of interest to investigations or other court proceedings. Some of the requests for records came in the wake of the Jan. 6 Capitol riot. 

The hacking collective Anonymous last week took credit for breaching the domain registrar, best known for hosting some of the far-right’s most notorious websites.

Epik CEO Rob Monster confirmed the breach last Friday in a bizarre, four-hour-long live video conference which was ultimately overrun by hackers, trolls, upset customers, and even a neo-Nazi.

The hack, spread online via numerous torrents, includes data on more than 15 million people and websites.

The leak has also shed light on the activities of several prominent far-right customers of Epik, such as “Stop the Steal” founder Ali Alexander, who attempted to hide his digital ties to dozens of domains related to the Jan. 6 rally at the Capitol via a service Epik provides to anonymize the owners of websites.

Now, the Daily Dot has found within that leaked data internal Epik documents that reference subpoenas and data preservation requests made to Epik by the FBI and other unidentified entities. The data derives from an internal ticketing system where Epik employees chronicled such requests.

The tickets show not only the date when each request was received but also include notes on each matter from Epik employees. 

In one example, a popular website among supporters of President Donald Trump, which the Daily Dot is declining to name, was the subject of a subpoena served on Epik three weeks after the Capitol riot on Jan 27. The ticket does not identify who served the subpoena.

Another pro-Trump website was the subject of a 90-day record preservation request on Jan. 19. Epik would also be hit with a second 90-day request targeting the same website, as well as a “Grand jury subpoena and non-disclosure order.”

The Wall Street Journal reported on Jan. 26, a week after Epik was sent the request for the site, that the FBI had served more than 500 grand jury subpoenas to various recipients in relation to the riot. The Journal’s reporting does not specify whether any of those subpoenas were issued to Epik. 

Meanwhile, one preservation request issued to Epik and revealed by the data leak targeted an online store selling far-right-themed merchandise.

These sites were not among those named in the subpoenas the House Select Committee on January 6 announced it sent this summer to far-right social media sites including Gab and Parler. In January, Rep. Adam Schiff (D-Calif.) said the committee would go “straight to subpoenas.” 

With respect to the data entries Daily Dot reviewed, it’s unclear if these records requests were sent by the House committee, the FBI, or a private party. The House committee wasn’t officially established until July 1. The FBI declined to comment to the Daily Dot when presented with evidence of the subpoenas. The House committee did not respond to a request for comment. 

Epik CEO Rob Monster and his lawyer did not respond to a request for comment.  

Not all of the websites mentioned in Epik’s internal subpoena ticketing system are political in nature or connected to the events of Jan. 6. Another domain that was hosted by Epik was allegedly used in the malware attack against SolarWinds, a Texas-based IT company that provides services to numerous federal agencies. Malware used against SolarWinds pinged a site hosted by Epik. In late 2020, Epik was asked to preserve its records on the domain before being served a subpoena one week later. Epik identified the subpoena as being from the FBI. SolarWinds itself was not a recipient of the subpoena, nor does it appear to have any involvement with Epik. 

Notes left in the ticketing system by Epik employees also repeatedly stated that website owners should not be informed about any subpoenas or data requests.

“DO NOT tell the Registrant,” multiple notes in the ticketing system state when the company was hit by records requests and subpoenas for websites it hosted. The reason for the secrecy is not specified.

Subpoenas are a common information-gathering tool in criminal investigations and civil litigation and do not necessarily indicate that the recipient of the subpoena or the subject of it is suspected of wrongdoing. But the Epik data provides a usually unseen insight into how these are conducted, with web hosts sites being told to preserve records and not inform their client sites about the requests.   

While details about the specific subject matter of the subpoenas were not disclosed in the leaked documents, the nature of the websites targeted and the issue dates for the subpoenas—dating after Jan. 6—suggest that many of the data preservation requests relate to investigations of or lawsuits stemming from the Capitol riot.

The FBI declined to comment when asked specifically by the Daily Dot if it was aware that the Epik breach contained information regarding federal investigations.

The leak comes just weeks after the House select committee investigating the Capitol riot demanded data from 15 social media companies and numerous far-right websites. In a press release on the investigation, the committee said it was seeking records related to “the spread of misinformation, efforts to overturn the 2020 election or prevent the certification of the results, domestic violent extremism, and foreign influence in the 2020 election.”

Share this article
*First Published: Sep 24, 2021, 8:41 am CDT