Domestic Extremist? Or Something Else?

What does this site say to you at first glance?

patrioticfreedomfighter[.]com
patrioticfreedomfighter[.]com
This is one of nearly two dozen sites pushing fringe right wing views that are all associated with Mark Edward Baker, as detailed in this story by McClatchy. When I first heard of this the initial thought was that something so slippery could be a foreign influence operation. I came to a much different conclusion, but it took many hours of digging.

Here are the full list of domains involved:

1776christian[.]com

americangunnews[.]com

americanlibertyreport[.]com

americanviralheadlines[.]com

christianpatriotdaily[.]com

conservativezone[.]com

factsnotmemes[.]com

financialmorningdigest[.]com

firearmdaily[.]com

freedomnewsreport[.]com

frontpagepatriot[.]com

healthiervideos[.]com

liberalliedetector[.]com

libertyplanet[.]com

libertyvideonews[.]com

memesorfacts[.]com

nationalgunnetwork[.]com

patrioticfreedomfighter[.]com

patrioticviralnews[.]com

readytofirenews[.]com

uspoliticsandnews[.]com

wealthauthority[.]com

The physical plant for this is a circus – 434 unique IP addresses and they all seem to be tied to the operation.

Mark Edward Baker Internet Footprint
Mark Edward Baker Internet Footprint

A simpler exam of the SOA for each domain yielded a deeper clue in the form of the [email protected] address used for registration. It’s connected to another cluster of domains.

gomarkb@gmail.com domains
[email protected] domains

We are not going to revisit the merry chase this guy provides – fire up hunch.ly and go at it. He uses the alias Mark Bentley, be on the lookout for LOP, which is short of League of Power, and his wife Jennifer is a signatory on some of the paperwork. He has at least half a dozen PO boxes in Florida and a similar setup in Reno, Nevada, which appears to he his origin. Once I was sure I had a real name, I was more interested in what his business model is and if there were any foreign ties.

If you poke around for League of Power you’ll find complaints about his $27 scam work from home DVD. This guy’s ideology is getting other people’s money and providing little to nothing in return. This is pretty common to see on both sides of the aisle – grifters working the earnest, but naive masses. This guy clearly focuses on the right – different skills are needed to run a similar game against the left.

Here is the one image that more or less sums up what he is doing:

Mailgun Usage
Mailgun Usage

You would have to be in the business of examining attribution resistant hosting to notice this, but it was like a flashing neon sign for me. Domains that don’t want to be traced typically have no email handling at all. This guy’s business model is list building, which he’ll use for maybe some political stuff, but it will be an ongoing bulk mail target after the election.

 

What about foreign influence being behind this? The article mentions that conservativezone[.]com[.]com had been used. That’s a spearphishing move. It resolves to these geniuses:

conservativezone[.]com[.]com
conservativezone[.]com[.]com
What is AS206349? A dinky autonomous system in Bulgaria with a history of IP address hijacking. Baker got some service from these guys, but it wasn’t anything he wanted to receive. The may have noticed he was gathering lists of the easily duped and decided this would be a good phishing hole for them.

 

People who are way into the bipolar politics in the U.S. tend to judge things as either on their side, or the opposition. There are nuances on that spectrum that get ignored, foreign influence, weird cyberstalker types, and just outright fraud, like we’re seeing here. Don’t jump to sticking a red or blue label on something until you’ve had a good chance to inspect it and conjure up some alternate theories.