Cyber Incident Victim: Vote Joe
Date:
Nov 2020
Location:
United States of America
Summary
The Biden-Harris campaign's Vote Joe website was compromised and defaced by a Turkish hacker operating under the alias RootAyyildiz, who displayed a political message in Turkish for over 24 hours before the site was taken offline. The attacker claimed to be a lone "Vatan Lover" and issued warnings against US-backed Turkish political parties while referencing the 2016 coup attempt in Turkey, accompanied by an image of Sultan Abdul Hamid II. Despite the campaign's eventual takedown of the site, cached copies of the defaced content remained temporarily accessible through search engines. This incident occurred following the U.S. presidential election and amid broader reports of security vulnerabilities affecting both major political campaigns' digital assets during the election cycle.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around November 21, 2020, the Vote Joe website (vote.joebiden.com), associated with the Biden-Harris Presidential campaign, was compromised and defaced by a Turkish hacker operating under the alias RootAyyildiz. The attack replaced the site’s original content, which had redirected visitors to iwillvote.com prior to November 9, 2020, with a message written in Turkish. Archived snapshots indicated the defacement persisted for over 24 hours before mitigation efforts began. The attacker’s message explicitly claimed responsibility, declaring RootAyyildiz was “not a Group or an Organization, but a Vatan Lover who Fights alone.” The defacement included political warnings directed at US-aligned Turkish political parties such as CHP, HDP, and the Good Party, alongside references to the 2016 Turkish coup d’état attempt. A photograph of Ottoman Sultan Abdul Hamid II accompanied the text. Despite the site being taken offline following the incident, Google’s search cache retained a copy of the defaced version at the time of reporting.
The compromise occurred days after the 2020 U.S. Presidential Election, during a period when the site’s operational relevance had diminished. The incident’s primary observable impact was reputational disruption, as the defacement publicly exposed the site’s vulnerability. No voter data breaches or systemic disruptions to election infrastructure were attributed to this event in the available reporting. The campaign’s response involved taking the Vote Joe domain offline entirely, though the timeline for this action relative to the defacement’s discovery was not detailed. The article contextualized this breach alongside prior security issues affecting both major U.S. political campaigns, including a Trump campaign website leak of voter data and vulnerabilities in mobile applications associated with both campaigns. These references highlighted recurring cybersecurity challenges in political digital assets but did not establish a direct link to the RootAyyildiz incident. The attacker’s motivations, as inferred from the message, appeared focused on Turkish domestic political grievances rather than U.S. election interference.