April 20, 2020

Who’s Behind the “Reopen” Domain Surge?

The past few weeks have seen a large number of new domain registrations beginning with the word “reopen” and ending with U.S. city or state names. The largest number of them were created just hours after President Trump sent a series of all-caps tweets urging citizens to “liberate” themselves from new gun control measures and state leaders who’ve enacted strict social distancing restrictions in the face of the COVID-19 pandemic. Here’s a closer look at who and what appear to be behind these domains.

A series of inciteful tweets sent by President Trump on April 17, the same day dozens of state-themed “reopen” domains were registered — mostly by conservative groups and gun rights advocates.

KrebsOnSecurity began this research after reading a fascinating Reddit thread over the weekend on several “reopen” sites that seemed to be engaged in astroturfing, which involves masking the sponsors of a message or organization to make it appear as though it originates from and is supported by grassroots participants.

The Reddit discussion focused on a handful of new domains — including reopenmn.com, reopenpa.com, and reopenva.com — that appeared to be tied to various gun rights groups in those states. Their registrations have roughly coincided with contemporaneous demonstrations in Minnesota, California and Tennessee where people showed up to protest quarantine restrictions over the past few days.

A “reopen California” protest over the weekend in Huntington Beach, Calif. Image: Reddit.

Suspecting that these were but a subset of a larger corpus of similar domains registered for every state in the union, KrebsOnSecurity ran a domain search report at DomainTools [an advertiser on this site], requesting any and all domains registered in the past month that begin with “reopen” and end in “.com.”

That lookup returned approximately 150 domains; in addition to those named after the individual 50 states, some of the domains refer to large American cities or counties, and others to more general concepts, such as “reopeningchurch.com” or “reopenamericanbusiness.com.”

Many of the domains are still dormant, leading to parked pages and registration records obscured behind privacy protection services. But a review of other details about these domains suggests a majority of them are tied to various gun rights groups, state Republican Party organizations, and conservative think tanks, religious and advocacy groups.

For example, reopenmn.com forwards to minnesotagunrights.org, but the site’s WHOIS registration records (obscured since the Reddit thread went viral) point to an individual living in Florida. That same Florida resident registered reopenpa.com, a site that forwards to the Pennsylvania Firearms Association, and urges the state’s residents to contact their governor about easing the COVID-19 restrictions.

Reopenpa.com is tied to a Facebook page called Pennsylvanians Against Excessive Quarantine, which sought to organize an “Operation Gridlock” protest at noon today in Pennsylvania among its 68,000 members.

Both the Minnesota and Pennsylvania gun advocacy sites include the same Google Analytics tracker in their source code: UA-60996284. A cursory Internet search on that code shows it also is present on reopentexasnow.com, reopenwi.com and reopeniowa.com.

More importantly, the same code shows up on a number of other anti-gun control sites registered by the Dorr Brothers, real-life brothers who have created nonprofits (in name only) across dozens of states that are so extreme in their stance they make the National Rifle Association look like a liberal group by comparison.
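The pivot used in the two paragraphs above, a shared analytics property ID tying otherwise unrelated domains together, is easy to automate once you have each site's page source. The script below is an added example and not code from this story or from any of the organizations it names: it pulls Google Analytics IDs out of HTML and groups domains by the IDs they share. The domains, the tracker values and the HTML snippets are all constructed for the example (the .example TLD is reserved and the IDs are made up); a real run would fetch each domain's landing page, following redirects such as reopenmn.com forwarding to minnesotagunrights.org, and feed the bodies in.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Google Analytics property IDs as they appear in page source: the classic
# Universal Analytics form "UA-12345678-1" (the story quotes its tracker
# without the trailing "-N" property index, so that part is optional here)
# and the newer gtag.js form "G-XXXXXXXXXX".
TRACKER_RE = re.compile(r"\b(UA-\d{4,10}(?:-\d{1,4})?|G-[A-Z0-9]{6,12})\b")


def find_tracker_ids(page_source: str) -> set[str]:
    """Return every analytics property ID embedded in one page's HTML/JS."""
    return set(TRACKER_RE.findall(page_source))


def pivot_by_tracker(pages: dict[str, str]) -> dict[str, list[str]]:
    """Map each tracker ID to the sorted domains whose source carries it.

    IDs seen on only one domain are dropped: a unique ID links nothing.
    """
    by_id: dict[str, set[str]] = defaultdict(set)
    for domain, source in pages.items():
        for tracker_id in find_tracker_ids(source):
            by_id[tracker_id].add(domain)
    return {tid: sorted(doms) for tid, doms in by_id.items() if len(doms) > 1}


# Constructed sample (not real sites or IDs): three hypothetical domains on the
# reserved .example TLD. The first two embed the same made-up UA property via
# different loader snippets; the third uses an unrelated GA4-style ID.
SAMPLE_PAGES = {
    "reopen-a.example": """<script>
      (function(i,s,o,g,r,a,m){ /* analytics.js loader elided */ })(window,document,'script','//www.google-analytics.com/analytics.js','ga');
      ga('create', 'UA-00000000-1', 'auto');
      ga('send', 'pageview');
    </script>""",
    "reopen-b.example": """<script async src="https://www.googletagmanager.com/gtag/js?id=UA-00000000-1"></script>
    <script>
      window.dataLayer = window.dataLayer || [];
      function gtag(){dataLayer.push(arguments);}
      gtag('js', new Date());
      gtag('config', 'UA-00000000-1');
    </script>""",
    "unrelated.example": """<script async src="https://www.googletagmanager.com/gtag/js?id=G-ABC123DEF4"></script>
    <script>gtag('config', 'G-ABC123DEF4');</script>""",
}

if __name__ == "__main__":
    for tracker_id, domains in pivot_by_tracker(SAMPLE_PAGES).items():
        print(f"{tracker_id}: {', '.join(domains)}")
```

Two caveats a practitioner should keep in mind: a shared ID proves shared analytics reporting, not necessarily shared ownership (a web agency or a copied template can spread one ID across unrelated clients), so treat a hit as a lead to confirm with WHOIS, hosting and content evidence; and a site that has since been edited or taken down may only show the ID in an archived copy of the page.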

This 2019 article at cleveland.com quotes several 2nd Amendment advocates saying the Dorr brothers simply seek “to stir the pot and make as much animosity as they can, and then raise money off that animosity.” The site dorrbrotherscams.com also is instructive here.

A number of other sites — such as reopennc.com — seem to exist merely to sell t-shirts, decals and yard signs with such slogans as “Know Your Rights,” “Live Free or Die,” and “Facts not Fear.” WHOIS records show the same Florida resident who registered this North Carolina site also registered one for New York — reopenny.com — just a few minutes later.

Merchandise available from reopennc.com.

Some of the concept reopen domains — including reopenoureconomy.com (registered Apr. 15) and reopensociety.com (Apr. 16) — trace back to FreedomWorks, a conservative group that the Associated Press says has been holding weekly virtual town halls with members of Congress, “igniting an activist base of thousands of supporters across the nation to back up the effort.”

Reopenoc.com — which advocates for lifting social restrictions in Orange County, Calif. — links to a Facebook page for Orange County Republicans, and has been chronicling the street protests there. The messaging on Reopensc.com — urging visitors to digitally sign a reopen petition to the state governor — is identical to the message on the Facebook page of the Horry County, SC Conservative Republicans.

Reopenmississippi.com was registered on April 16 to In Pursuit of LLC, an Arlington, Va.-based conservative group with a number of former employees who currently work at the White House or in cabinet agencies. A 2016 story from USA Today says In Pursuit Of LLC is a for-profit communications agency launched by billionaire industrialist Charles Koch.

Many of the reopen sites that have redacted names and other information about their registrants nevertheless hold other clues, mainly based on precisely when they were registered. Each registration record carries a creation timestamp, down to the second. By grouping the timestamps for domains that have obfuscated registration details and comparing them to domains registered in the same burst that do include ownership data, we can infer more information.

For example, more than 50 reopen domains were registered within an hour of each other on April 17 — between 3:25 p.m. and 4:43 p.m. ET. Most of these lack registration details, but a handful of them did (until the Reddit post went viral) include the registrant name Michael Murphy, the same name tied to the aforementioned Minnesota and Pennsylvania gun rights domains (reopenmn.com and reopenpa.com) that were registered within seconds of each other on April 8.

A large number of “reopen” domains were registered within the same one-hour period on April 17, and tie back to the same name used in the various reopen domains connected to gun rights groups. A link to the spreadsheet where this screen shot is drawn from is included below.

A Google spreadsheet documenting much of the domain information sourced in this story is available here.
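The timestamp-clustering step described above can be done mechanically over a WHOIS or RDAP export. The following is an added example, not code from this story or the linked spreadsheet: it parses creation dates, splits the registrations into bursts wherever consecutive records are more than a chosen gap apart, and, for each burst, attaches to every privacy-redacted domain the registrant names visible on its unredacted neighbours. The records, domains, names and timestamps are constructed for the example and do not correspond to any real registration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Registration:
    domain: str
    created: datetime          # WHOIS/RDAP creation timestamp, normalised to UTC
    registrant: str | None     # None when the record reads "REDACTED FOR PRIVACY"


def parse_whois_date(value: str) -> datetime:
    """Parse the ISO-8601 creation dates registrars commonly return, e.g.
    '2020-04-17T19:25:13Z' or '2020-04-17 19:25:13', into an aware UTC datetime.
    A naive value is assumed to already be UTC."""
    text = value.strip().replace("Z", "+00:00")
    parsed = datetime.fromisoformat(text)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def cluster_by_time(records, gap: timedelta = timedelta(minutes=5)) -> list[list[Registration]]:
    """Sort by creation time and start a new cluster wherever the next
    registration is more than `gap` after the previous one."""
    clusters: list[list[Registration]] = []
    for rec in sorted(records, key=lambda r: r.created):
        if clusters and rec.created - clusters[-1][-1].created <= gap:
            clusters[-1].append(rec)
        else:
            clusters.append([rec])
    return clusters


def infer_redacted(records, gap: timedelta = timedelta(minutes=5), min_size: int = 2) -> dict[str, list[str]]:
    """For every cluster of at least `min_size` registrations, pair each
    redacted domain with the registrant names visible on unredacted domains in
    the same cluster. A cluster with no unredacted member yields nothing: a
    burst of privacy-protected registrations by itself names nobody."""
    leads: dict[str, list[str]] = {}
    for cluster in cluster_by_time(records, gap):
        if len(cluster) < min_size:
            continue
        names = sorted({r.registrant for r in cluster if r.registrant})
        if not names:
            continue
        for rec in cluster:
            if rec.registrant is None:
                leads[rec.domain] = names
    return leads


# Constructed sample (no real domains, names or timestamps): one burst of
# registrations minutes apart in which a single record is unredacted, one lone
# registration days earlier, and one burst that is entirely redacted.
SAMPLE_RECORDS = [
    Registration("reopen-a.example", parse_whois_date("2020-04-17T19:25:13Z"), "Registrant A"),
    Registration("reopen-b.example", parse_whois_date("2020-04-17T19:26:02Z"), None),
    Registration("reopen-c.example", parse_whois_date("2020-04-17T19:29:40Z"), None),
    Registration("reopen-d.example", parse_whois_date("2020-04-17 19:31:05"), None),
    Registration("reopen-e.example", parse_whois_date("2020-04-08T14:02:11Z"), "Registrant B"),
    Registration("reopen-f.example", parse_whois_date("2020-04-18T02:10:00Z"), None),
    Registration("reopen-g.example", parse_whois_date("2020-04-18T02:11:30Z"), None),
]

if __name__ == "__main__":
    for domain, names in infer_redacted(SAMPLE_RECORDS).items():
        print(f"{domain}: registered in the same burst as {', '.join(names)}")
```

The `gap` value is the knob: a few minutes catches someone bulk-registering through one registrar account, while a larger gap would span a spread-out session like the April 17 window. Treat the output as leads rather than attribution: a registrar's API or a reseller can register unrelated customers' domains within seconds of each other, registrars record creation time with varying precision, and a clerical slip such as the transposition described in the April 22 update above will propagate straight into the inferred links. Confirm every lead against independent evidence before naming anyone.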

No one responded to the email addresses and phone numbers tied to Mr. Murphy, who may or may not have been involved in this domain registration scheme. Those contact details suggest he runs a store in Florida that makes art out of reclaimed or discarded items.

Update, April 21, 6:40 a.m. ET: Mother Jones has published a compelling interview with Mr. Murphy, who says he registered thousands of dollars worth of “reopen” and “liberate” domains to keep them out of the hands of people trying to organize protests. KrebsOnSecurity has not been able to validate this report, but it’s a fascinating twist to this tale: How an ‘Old Hippie’ Got Accused of Astroturfing the Right-Wing Campaign to Reopen the Economy

Update, April 22, 1:52 p.m. ET: Mr. Murphy told Jacksonville.com he did not register reopenmn.com or reopenpa.com, contrary to data in the spreadsheet linked above. I looked up each of the records in that spreadsheet manually, but did have some help from another source in compiling and sorting the information. It is possible the registration data for those domains got transposed with reopenmd.com and reopenva.com, which included Mr. Murphy’s information prior to being redacted by the domain registrar.

Original story:

As much as President Trump likes to refer to stories critical of him and his administration as “fake news,” this type of astroturfing is not only dangerous to public health, but it’s reminiscent of the playbook used by Russia to sow discord, create phony protest events, and spread disinformation across America in the lead-up to the 2016 election.

This entire astroturfing campaign also brings to mind a “local news” network called Local Government Information Services (LGIS), an organization founded in 2018 which operates a huge network of hundreds of sites that purport to be local news sites in various states. However, most of the content is generated by automated computer algorithms that consume data from reports released by U.S. executive branch federal agencies.

The relatively scarce actual bylined content on these LGIS sites is authored by freelancers who are in most cases nowhere near the localities they cover. Other content not drawn from government reports often repurposes press releases from conservative Web sites, including gunrightswatch.com, taxfoundation.org, and The Heritage Foundation. For more on LGIS, check out the 2018 coverage from The Chicago Tribune and the Columbia Journalism Review.


242 comments

  1. Supposedly Murphy was trying to prevent more sites from opening by buying them. Dailydot has an article about it. His sites don’t have any content. That doesn’t explain the other sites with content.

  2. Should be rewritten and titled, “Who’s Behind China Virus aka Bioweapon”.

    • Uhhhhhhhhh, no.
      I don’t think you should spread your conspiracy theories on a computer forum

    • Uhhhhhhhhh, no.
      I don’t think you should spread your conspiracy theories on a computer security site.

      • When someone opens an argument with “Uhhhhhhhhh,” I immediately dismiss them as retarded.

        • When someone has a username like “Phart Maan”, I usually dismiss them as incapable of rational debate.

  3. I’ve noticed a pulse of new eggs on twitter trying to sound oh so reasonable. No followers. No followed. And I even got a good ol fashioned concern troll: “I vote GOP and for Trump, but I’m concerned his rabid followers will blow it in November.” They’re about 1% as clever as they think.

  4. Brian, I’m missing the security context in this article. So there are a bunch of sites that have been created. So some of them go no where, and some are redirected to another site. Are they hosting malware? Are they stealing user’s data? This article looks more like a thinly veiled political hit piece than security news.

    • There’s nothing veiled about it! I am surprised. I thought this site was generally non-political.

    • I agree. I don’t remember this kind of political article ever pointing to anything associated with Democrats. What has this got to do with computer security?

    • It does point to a clear and present danger not only to our democracy but to the life of us and our family.

      So yeah, it counts.

      • Obi, correction, the US is a Republic, not a democracy. Lots of young people make that mistake due to media disinformation.

          • This is garbage misinformation that comes from right-wing crooks who are today trying to sideline democracy because the increasingly non-white demographics of the USA scares them.

          The USA is a representative democracy.

          • No, actually we are a Constitutional Republic.
            We do vote for representatives who represent us. That is the Republic part. Pure Democracy is mob rule which is why the electoral college was created.

          • The misinformed are the ones that don’t understand the concepts of sets, subsets and mutually exclusive terms.

            A republic is a subset type of democracy.
            It is an indirect democracy, or representative democracy.
            It is not a direct democracy that the elites fear as “mob rule”, but it still has government power being derived from a mandate from the people. That is still a democracy.

            And Chip needs to open a book, and stop spewing nonsense.
            The electoral college has nothing to do with any kind of motivation against direct democracy.
            The electoral college ONLY APPLIES TO THE PRESIDENT… whereas our representative democracy is mostly about Congress (originally just the House of “Representatives”, as Senators were not elected by the people).
            There is no electoral college for congressional elections. So Chip has no idea what he is talking about.

            The real reason for the electoral college has nothing to do with direct vs. indirect democracy, but rather it is a concession to small states who feared large states with overflowing populations would have too much power. Same reason why slaves, who couldn’t vote themselves, could increase the number of electors; the smaller slave states were very influential.

            • Bravo! Someone who understands mathematics, history, government…and how to write! Is that a quadrafecta?

    • Scott,
      Fair question. My 2 cents: the security aspect to this is the fact that anyone can run out and register a bunch of internet domains that have the potential to alter the political course of a nation.

      If there are no basic controls over the registration of what is essentially “digital real estate” then visitors to those locations are deprived of the re-assurance that goes with 99% of other domains. If you visit “fox.com” or “cnn.com” for news, you have a reasonable expectation that the site you find there is legitimate, belongs to the news organization in question and has no ulterior motive.

      What Brian’s article is pointing out is that many of these domains could equally easily have been registered by Russians masquerading as American citizens and could absolutely exist for no purpose other than sowing division and hatred in the United States. An America divided literally alters the global balance of power in Russia’s favor.

      So, yeah, registration of these domains could easily be or become a big deal.

      If you want another example/analogy, think about money. Chances are, you’ve got a few bucks in paper currency in your wallet right now, yes? Pull out the highest denomination bill you have and give it a good look. What does it say it’s worth? 50 bucks? 20? 100?

      If it’s a $100 bill, it’s 156mm wide, 66.3mm high. The paper on which it’s printed is 75% cotton. It uses a variety of different ink pigments. Do you think that piece of paper costs $100 bucks to make? Of course not. So is it *worth* $100?

      That’s a much more interesting question. It’s only *worth* $100 because you and the person you may want to offer it to, in exchange for $100 or more in goods, both believe that it has that value. Both you and your counter-party would be “trusting” the value of that piece of paper to be worth more than its material cost. Because you both support and trust the federal government to underwrite it.

      Truth is, it’s just a piece of paper. It only has “value” because of the trust you place in it. These domains could potentially be another example. If you “trust” them and place “value” in them, you are going to believe the legitimacy of their content. And if that legitimacy can be subverted, that’s when this whole thing becomes incredibly dangerous.

      • Nah, come on, CP. It’s an old hippie who’s doing the sowing here. It’s all good now. Go back to bed, America.

    • The security context is entirely clear: the protests are a threat to the public and to health care/first responders.

    • Spreading misinformation, as the reopen sites and social media groups do, is a security concern. It’s that whole “integrity” piece of the info sec triad. Astroturfing is a security concern for the same reason.

    • You must have never heard of social engineering if you think this article has nothing to do with information security. There’s obviously an SE campaign going on here targeting a wide audience for political and/or financial gain.

      You conservative types get triggered so easily and in your rage you become blind to the message that is being conveyed here. All you see is democrats attacking you even though it is objective investigation of an ongoing SE campaign.

    • I may be able to help answer that, Scott. Brian links some of the domain ownership to an extreme group run by the Dorr brothers. These two yokels are continuously fronting gun rights and soliciting money from unsuspecting donors, where they are actually playing both sides in an effort to get donations from *both* pro-gun & anti-gun folks, then funnel it into their fraudulent non-profit. This on top of just being jerks in public to garner attention to their organizations. Hence one of the financial components of this scheme, by jumping on the reopen theme.

    • I agree. This article is not what I expect from Krebs. So what if someone is exercising their Constitutional rights.

    • The protests were fake, and organized by groups trying to deceive the public about civil disobedience events which were illegitimate, and protesters who were insincere, trying to pawn their actions off as organic. Much of the organizing was done through cyberspace. Propaganda on such a wide scale is a legitimate security concern. Not everything that is unsafe has to involve a bomb, but when the internet is weaponized to give rise to propaganda and disinformation, it deserves to be exposed. Did that really require explaining?

  5. glad you looked into these sites, keep it up !

  6. ‘More important things than living,’ Texas’ Dan Patrick says in coronavirus interview.

  7. It is a mistake to ever bring up politics, religion, or one other subject on the internet. People are unable to discuss those subjects in a mature, adult manner.

    I personally visit this website for security news. I hope this website continues to be an excellent source for security news.

    • Couldn’t disagree more — domain name registration trending and information about those organizations doing the repeated registration IS a security issue.

      You’re welcome to your own feelings, not your own facts.

      Keep doing the digging and reporting.

  8. So what? This is a nothingburger.

    Skip the politics and stick to security.

    • The scam is pretty apparent, especially with the Dorr brothers. Setting up fake non-profits and raking in donations. It’s hardly even political, they are just using political messages to scam.

  9. Balanced Reporting Question

    Great investigation – I appreciate your commitment to transparency and truth. Curious – did you also investigate who was behind “grassroots” domain registration and social media propagation related to Black Lives Matter, free healthcare, free tuition, LGBTQ rights, gun control, and other divisive liberal issues?

    The more we can shine light on the puppetmasters, the harder it will be for them to keep pulling our strings.

  10. Write what you want Brian. Speech is free!

  11. stick to security

  12. KoSReader600000

    As others may have alluded, this old Hippie Gentleman may have been going to let his basket of domains ripen a bit. When the time was most profitable he may just sell those domains to more skilled internet confidence person[s] who really can scam people. Just because he was noticed by a well known site a bit early doesn’t mean he will not try resale of the domains or an actual scam by himself or his buddies. That may work or may not work.

  13. Phishing and scamming are forms of misrepresentation designed to take advantage of the target in some way. “Security” aims to protect targets against these misrepresentations. For those complaining about the political nature of this article, please explain why a security website should only warn readers about some types of misrepresentation and not others. Mr. Krebs is merely pointing out that a number of websites that might appear to represent “grass root” sentiment may not be what they seem.

  14. This is a good piece on security of democracy!

    Silly humans … why don’t they realize that it’s much easier, cheaper, and effective to hack into and influence the minds of voters instead of hacking into actual voting machines.

    It all started with TV and exploded after the Fairness Doctrine was revoked instead of revised.

  15. Brian,
    I love your reporting. However, I cancelled my Facebook account longggg ago, and shortly thereafter, cancelled my Reddit account as well. They’re both becoming the Twitter (liberal shills) of the Internet.
    This was an interesting story, but if mass registering domain names could sway an election, it would’ve been done 50 million times already. In 2016, 2012, 2008, 2004 etc…
    I have to side on the “please keep reporting on info sec and not on politics”. Unless you want to tell us how Hillary Clinton’s 36,000 emails are, how they disappeared, and how you plan to hide when she finds out.

    • There it is. Your last paragraph about Hillary and the emails. You showed your cards. Hold them closer to your chest, you just might retain your credibility longer. You’ll still be found out. The only time you go all in on the first draw is if you’re low on chips and have a weak hand.

  16. WBUR’s Here and Now had stories about astroturfing and the protesters today. https://www.wbur.org/hereandnow/2020/04/22/apr-22-2020-hn-one

  17. I’m definitely seeing a pattern in disinformation. I’ve generally kept off of Facebook and Twitter (not so much out of security concerns, but mainly a lack of interest.) I’ve been more active in the last 10 days than I’ve been over the entire time I’ve had either account.

    The intensity of opinion on these sites is unbelievable. Even when given actual medical facts from sources like CDC, NIH, WHO, state and county health departments, many people are more interested in the money they are losing than in the lives that are being lost. (I get why this is a concern, but it feels like it is being inflamed by bad advice and info.) Sure some may be coming from sites and officials that blindly support Trump, but it feels like “Crooked Hillary” more and more. A trope that is taking on a life of its own. A lot is being fed by desperate people, but I would not be surprised to see involvement from outside sources.

    I’ve been phished by someone on facebook, claiming to be a celebrity, and wanting me to make a major contribution to a charity I’ve never heard of. They were VERY convincing, and it took all of the “spidey sense” I’ve gained through my IT experience, to keep from responding. (Instead of an actual picture of this person, it had a picture of a current autobiography, combined with agreeing to my stance on things and giving me high praise.) I doubt a normal person would recognize this for the scam it was.

    I think we are seeing a combination of state-actors and simple scam artists, and this article points to another piece in the puzzle.
    At the very least, everyone needs to be on the lookout for all sorts of scams.

    There are some very bad actors/scammers that are taking full advantage of the current circumstances.

  18. Thank you, Brian, for exposing these domain shenanigans. I follow this site and read every article, and recommend it to others.

    Knowing what’s being done to the web certainly fits my definition of “security”. Even if not – it’s your site and you can publish what you think is important.

    Those who object because their favorite demagogue happens to be involved in the present nonsense can simply not come back. They will miss a lot.

  19. I felt this was pretty light on actual information security relevance. One might as well publish a list of where all the “wine” domains were being registered from.

    If it had been an article detailing who was profiting from dark web fake COVID-19 testing kits, that would have been far more relevant IMO.

    Jonathan

  20. Thank you for this great article, Brian. I don’t post often but I read your blog every single day.

    I’ve been getting bombed with emails promising a gift, reward, etc. and all come from fake *.edu addresses. I just keep on blocking them. Clearly, they are fraud.

    I am a bit disappointed that some readers do not grasp the importance of the information you provided. As for politics, they are what they are and a lot of the news is out and out fake. Some of you might want to check https://www.politifact.com that clearly shows what is true and what is false.

  21. I just want me some mickyd’s cheeseburgers, damnit! send in the clown!

  22. Great to see the evidence that the right wing republican elites are the ones behind the fake “reopen” movement.

    Also great to see the allied trolls expose themselves so clearly failing here attempting to change the topic.

    Keep up the great work Brian.

  23. Astroturfing is dishonest manipulation, the same as phishing. Any attack vector of misinformation is valid to note in a security context. The motivation of the actors (create political action) or how you feel about it personally (hey, that’s my team) is beside the point. Security is security.

    I think this info was shared in a neutral and straightforward way, and we need to know who is doing this and what their goals are so we can manage the threats.

  24. This article definitely struck a nerve with many people. Was it the content (the need to reopen the economy) or the procedure (how fringe groups exploit a crisis by manipulating social media) that upset people? Because people feel the need to reopen the economy is so important, it doesn’t matter where the message is coming from or who is generating the message. As long as the message helps the cause.
    If this article was about the Russians creating multiple domains in an effort to manipulate the 2020 election, the response to the article would be a lot different.

  25. I think that the lesson here is that just because some site seems to be with/against your given opinion, does NOT mean that it actually is, and you may be a target of social engineering. A key tenet in social engineering is for someone else to use your implicit biases so that they benefit more than you do, whether or not they appear to be on “your side.” So, it is curious that some who come to this site and are dissuaded by the “apparent” political bias of this specific piece are not able to see this as a warning that their bias is a weapon to be used against them and, more importantly, they appear to be calling for this to be a “safe space.” I thought that there are not any such spaces, or so that is what we are told not to wish for by the NRA. At the same time, by not acknowledging our own blind spots, we are even more susceptible to their being weaponized against us.

    This piece, although touching the political realm, is very much a security piece because it tries to show how one specific word can be made into a trigger word and we all predictably rush to our corners. If that predictability doesn’t have a security connotation, then nothing does.

  26. Re comments on the legitimacy of the content of this post:
    * I find myself harboring feelings of defensiveness when I read something that calls my beliefs into question. (normal response)
    * I can let this color my judgement, filter what I take in, and reduce the intellectual rigor of my response – AKA the “heat of the moment.” This impairs my cognitive ability and makes me vulnerable.
    * The effectiveness of this vector seems to correlate with how strongly I identify with a given belief challenge on an emotional level.
    * If I allow myself to be a participant in this situation I have taken the bait. Knowing this I impose a framework on top of it, where I ask questions first: “how do I choose to engage?” “what is the agenda?” “Why am I getting hot reading this?” etc.
    * If you reject this article because there are elements of politics in it that provoke such feelings, I urge you to do a similar self-examination of your intellectual process.

  27. Is it possible the whole charade was orchestrated by leftists who attempted to “frame” a cabal of far-right organizations as maniacs trying to endanger public health?

    The domain names and apparent association with “gun rights groups, state GOP organizations, conservative think tanks and religious” advocacy groups fit the liberal caricature of right-wingers a bit too neatly.

    • Lucy, You’re missing the whole point. If you go to dorrbrotherscams.com, you’ll see quotes from gun rights advocates that claim that these guys aren’t gun rights advocates, but scammers looking to get money from gun rights advocates under false pretenses. You can vet the scams website yourself. The point here is that there are a multitude of “reopen…” websites being registered. Most of them aren’t what the casual observer might think. Some are being bought by a leftist to keep RW organizations from registering them. Others are being bought by TROLLS who claim extreme right wing views to make money. Then there’s a third group that actually are what they say they are. This clearly is a security issue. If you want to donate to a RW cause, you deserve to be able to actually do so, rather than have the money pocketed by scammers.

      In Colorado, something similar happened where two recall campaigns were launched online to oust the (Dem) governor. Both sites raised money. One didn’t spend even a dime on recall election signature gathering. When both failed to gather enough signatures, one ended up giving out the contribs to the organizers. There was also a payment processor set up by politically connected folks that was collecting 6% fees from every donation. These very much fit the definition of political scams.

  28. You’ve gotta love that the guy with the “COVID-19 is a lie” sign is wearing a mask.

    • I’m just wondering whether the dumb anti-vaxxers (but I repeat myself) will follow their beliefs and not take a COVID vaccine should one become available; it’s a pretty gross way to die, as you slowly drown in your pulmonary fluids.

  29. Oliver Markus Malloy

    You might find this interesting:

    Trump’s Idiocracy & Russia’s Operation Infektion
    https://www.reddit.com/r/Trumpvirus/comments/g85kgv/friday_april_24_the_trump_idiocracy/

  30. Brian:
    Your excellent research and reporting on Net security has once again provided us with a primer on how a coordinated campaign works -behind the scenes- with social media, and with websites, to lead, and mislead, the public. Ironically, this time that is happening in the middle of a deadly pandemic.

    Your information also provides an insight on how the global coalition of sinister operatives worked, before and during the 2016 elections, to confuse the US voters and to throw disarray into the functioning of our democracy.
    Hiding one’s information when registering a domain is akin to wearing a Halloween mask while trying to spread alternate facts and disinformation.

    Yes. We all have the right to free speech. But that applies only to a face not behind a Halloween mask!!
    Keep up the great work and public service Brian !