Hackers already targeted elections in the United States and France. Are they building the infrastructure to attempt the same in Germany?

Germans go to the polls in September to elect a new parliament, the Bundestag. Chancellor Angela Merkel, running for a fourth term, and her conservative Christian Democratic Union (CDU) party, enjoy a comfortable lead over their main rival, Martin Schulz of the Social Democratic Party (SPD).

Opinion poll from Emnid / Bild am Sonntag, July 23, 2017, showing the CDU and its Bavarian sister party, the CSU, at 38 percent, well ahead of the SPD, at 25 percent. (Source: wahlumfrage.de)

But ahead of the poll, concerns have arisen that hackers may attempt to influence the vote by leaking stolen emails, as in the United States in 2016 and France in 2017.

Hackers are known to have raided Bundestag accounts in 2015, reportedly stealing 16 gigabytes (GB) of data; the CDU was targeted in 2016; and at least ten members of parliament were reportedly targeted in March 2017. German intelligence has repeatedly spoken of a hacking campaign “directed from Russia” — also a parallel to the hacks in the United States and France.

Since the emails were stolen, attention has turned to the question of where, and how, they might be leaked.

Particular concern has focused on a website, btleaks.com, and an associated Facebook page, @BTLeaks. @DFRLab analyzed these pages. We also analyzed online traffic around nascent hashtags including #BTleaks (short for Bundestagleaks), #Merkelleaks, #Schulzleaks, #CDUleaks, and #SPDleaks on Facebook, Twitter, VKontakte, and elsewhere online. (We analyzed traffic on #AfDleaks, a hashtag associated with leaks regarding the far-right Alternative für Deutschland party, in a separate study.)

These analyses show that assorted “BTleaks” sites are probably not related to the German election.

They further show that traffic on the various “-leaks” hashtags listed above is low, and not uniform. Traffic on #CDUleaks, #SPDleaks, and #Schulzleaks has largely been satirical.

The odd one out is #Merkelleaks, which enjoyed a spike in traffic in mid-March following a suggestive tweet from WikiLeaks, which was largely amplified by accounts with a pro-AfD stance, a pro-Russian stance, or both.

BTleaks: An unlikely connection

In Germany, the bulk of media attention has focused on the phrase “BTleaks.” As both Die Zeit and Der Tagesspiegel reported, a website called btleaks.com was created in January, but not populated.