Georgia Secretary of State Brian Kemp (R) on Sunday proved the old saying “no good deed goes unpunished” by taking concerns flagged for his lawyers about potential cyber vulnerabilities in the state’s voter registration website and turning it into an unfounded claim that Democrats had tried to hack the system.

The maneuver earned Kemp widespread criticism among election law experts. UC-Irvine professor Rick Hasen accused him of engaging in a “last-minute act of banana-republic level voter manipulation.”

The Georgia Democratic Party was among those who raised concerns about the potential vulnerability, which had to do with a voter who noticed that tinkering with the url on the online voter registration system might allow you to access others’ personal information. However, it appears that Kemp’s legal team first caught wind of the issue from David Cross, an attorney who had represented challengers in a lawsuit against Kemp over security issues with the state’s election system.

A spokeswoman for the Secretary of State’s office declined to answer TPM’s questions about the specific communications that happened over the weekend, and referred TPM to the Georgia Bureau of Investigation.

The bureau would only send TPM a statement confirming a request by the secretary of state to “investigate allegations of computer crimes related to the Secretary of State’s website(s)” and that a “criminal investigation will be conducted by the GBI’s Georgia Cyber Crime Center.

Based on what Cross, the Georgia Democrats and other people involved told TPM, as well as reporting done by other outlets, here’s how the whole fiasco seems to have unfolded:

Friday, Nov. 2 around 3 p.m. ET

Cross speaks to Richard Wright, a Georgia voter who said that he noticed the potential vulnerabilities while looking at his “My Voter Page.” Kemp’s office has denied the vulnerabilities exist.

Wright had been aware of the case that Cross had been involved in against Kemp. Wright got in touch with Cross by finding the spouse of one of the challengers in the case on social media.

Cross asked a cybersecurity firm — whom he said he has worked with in the past, but declined to identify for TPM — to vet Wright’s concerns. Like Wright, the firm could not confirm for sure that there was a vulnerability but agreed with the assessment there potentially was.

“By Saturday morning, we felt like we needed to alert the authorities,” Cross said.

The morning of Saturday, Nov. 3

Wright separately reached out to Rachel Small, a volunteer for the Dems’ voter protection hotline, via email at 10:48 a.m. ET. Smalls forwarded his email to Sara Ghazal, the state Dems’ voter protection director, at 11:18 a.m. ET. Here’s a redacted version of Wright’s email, according to the Georgia Democrats. (The party could not say who “Nate” was but said that he was not affiliated with the Dems)

The Democrats, in turn, reached out to Wenke Lee, a cyber advisor for Kemp, via a 11:43 ET email, that’s been posted by WhoWhatWhy news.

Lee did not respond to the Dems’ email, and it’s unclear whether he forwarded it along to the Secretary of State’s office. Regardless, the emails from Small and Ghazal eventually ended up in Kemp’s hands.

Saturday around noon

Cross got in touch with the FBI a little before noon over email, and then reached out to John Salter, an outside attorney hired by Kemp that Cross had dealt with in the election security case.

Cross, over the phone, walked Salter through what he knew and gave Salter contact information for Wright to speak to him directly.

Salter did not respond to email and voicemail inquiries from TPM.

The Secretary of State’s office at some point on Saturday received information about potential vulnerabilities from its legal team, but would not say whether this was the information flagged to Salter by Cross.

Saturday mid-day

When the Democrats reached out to Lee, they also also got in touch with Richard DeMillo, a cybersecurity expert who worked with the challengers in the paper ballot case. DeMillo notified Bruce Brown, another attorney for the challengers in the case, Brown told TPM.

DeMillo did not respond to TPM’s inquiries.

Saturday evening

When Brown and DeMillo discussed the concerns, they were not aware that Cross had already submitted them to Kemp’s attorney. Brown, at 7:03 p.m. ET wrote an email to Salter and Roy Barnes, a former governor who also served on Kemp’s legal team. He said he received confirmation that the email was received but has not heard of anything else from Kemp’s office.

The morning of Sunday, Nov. 3

WhoWhatWhy publishes its story early Sunday morning about the concerns raised about the potential vulnerability. It continues to be updated through the morning as the outlet gets more information from the parties involved.

At 8:34 a.m ET, the Atlantic Journal Constitution publishes claims by Kemp’s office that the state Democratic Party attempted to hack the voter registration system. Kemp’s office also publishes a press release on the its website announcing the launch of an investigation into Georgia Democrats “for possible cyber crimes.”

Another press release posted later Sunday said Kemp had received information from his legal team about “failed efforts to breach the online voter registration system and My Voter Page.”

Kemp’s claim of attempted Dem hacking appears to have been based on the email chain the Dems forwarded to Lee. Kemp’s spokeswoman has claimed that it showed that Small and Ghazal were discussing trying to hack the system. However, Democrats say they’re misreading the chain of emails forwarded to Lee, and attributing to Small and Ghazal the assessment that was actually done by Wright.

“If they had picked up the phone and called us before sending their politically motivated press release, we could have explained that their premise was incorrect,” Seth Bringman, of the Georgia Dems, told TPM. “Instead, Kemp recklessly and unethically launched this ‘investigation’ two days before Election Day.”