Antifa Redirects to Joe Biden

by | Sep 9, 2020 | Security

There is a meme going around right now that says to type in and see what happens. Spoiler: antifa redirects to Joe Biden.  That is redirects to

The political right says this shows Biden’s support for antifa.  The political left is claiming it’s just some prankster pointing a domain to a server to make a presidential candidate look bad.

Let’s avoid the politics and break it down technically and see what’s going on.

Who Registered is registered at NameCheap.  A quick search of their whois database at reveals that the registrant opted for private registration in order to hide their identity.  This is a perfectly legal, acceptable, and common practice as we explored in a previous blog post, but in this case, it does raise a question as to why the domain registration information would need to be private.  A prankster would want to hide their identity else risk be exposed as not being part of the campaign, but with private registration there is at least doubt that the registrant could be part of the campaign.

Registrant Name: WhoisGuard Protected
Registrant Organization: WhoisGuard, Inc.
Registrant Street: P.O. Box 0823-03411
Registrant City: Panama
Registrant State/Province: Panama
Registrant Postal Code:
Registrant Country: PA
Registrant Email:


Where are and hosted?

A quick lookup of shows that it is hosted at a server with the IP address of that is owned by Fastly  and is hosted at a server with an IP address of that is owned by NameCheap.

Now we know that and are on different servers, so how does a user type in and end up at  We originally did a deeper technical dive thinking this problem was more complex than it was, but the answer comes in a simple form of a simple redirect from antifa to joe biden.

If you are interested in in the test where we tried to force to answer requests for, please read Does Host and then come back to this article for more information on what’s actually happening when antifa redirects to joe biden. redirects to

The Redirect from to

When a user types in, their computer resolves the domain name to be the address.  That server at NameCheap responds with a header instructing the client (browser) to redirect to using an HTTP 302 (permanent) redirect.   The client (browser) then resolves to be the server at and the Fastly server serves up the website.

It is important to note that the Fastly server hosting is never asked to serve any files for  From a technical perspective, they are two separate unrelated HTTP requests.  After the client requests and the NameCheap server returns the document with the redirect, the first transaction is complete.  The client then kicks off a new request for to the Fastly server.  Even though the user sees this as one fluid operation, it’s really two separate transactions with two separate DNS lookups, two separate HTML document requests on two separate domains on two separate servers.  (It’s actually many more HTTP requests to fully load, but that’s outside of the scope of this post.)

Side note:  As I was editing this post to confirm all of the details, I noticed that the chain of redirects had changed during the time it took me to write the first and second drafts.  The original chain was redirecting to which redirected to  As of September 9th, 2020, redirects directly to  This does not change the analysis or the outcome, but it does indicate that the owner of has updated the forwarder at NameCheap for some reason.


So what does all of this mean?

The owner for and are the same person/organization: Unconfirmed; neither registrant has public information.

The owner of is a prankster:  Possibly. accepts redirects from Confirmed accepts redirects from Confirmed


This is a prank?

Possibly.  Without knowing the identity of the registrant at NameCheap, it’s difficult to say. 

  • It could be a prankster seeing how much traction this gets and how far it’ll spread before fact checkers start removing it from social media.
  • It could be a political activist sowing discord. 
  • It could be state-sponsored political interference. 
  • It could be the Biden campaign subtly associating with antifa while publicly distancing themselves and keeping plausible deniability.

All of these are possibilities.  The political ideologies of the individual will dictate the weight that is given to each theory.  Our goal was to analyze this from an apolitical technical perspective so we’re not going to guess which one of the above is the real answer.

Does the campaign know that antifa redirects to joe biden?

They should.  The Biden campaign has a talented social media team and we have to assume that they’re aware of the meme.  We can also tell that is using Mixpanel, Google Analytics, and a number of other tracking and analytics tools to track users behavior not only on but on other websites and social media platforms as well.  These tools will tell you where traffic originated and they’d be able to see as one of the sources for the traffic.  Fastly is a reputable company that hosts major websites and this information regarding the redirect from to would also show up in the server logs.  (It may be outside of the scope of contract for Fastly to review these logs for this type of data, but the campaign would still have it available to them to review if needed.)

Earlier in this post I indicated that “It is important to note that the Fastly server hosting is never asked to serve any files for”  This is true in that the browser never asks the Fastly server hosting for files associated with (and, as we proved in the article titled “Does Host” it wouldn’t work anyway), but the HTTP referer header does indicate that the user was redirected from to and this information will appear in both the analytics tools and server logs.

Could reject any traffic that was intended for

Sure.  By looking at the HTTP referer header they would be able to tell that traffic originated from and block it or redirect to a page explicitly supporting or denouncing antifa.


  1. It’s hard to imagine that referring sites are not logged by what was and now as of Jan 20,2021 is the new redirect: As a matter of fact considering how much attention to supposed threats to the President, it would be unheard of. You can be certain, the site is monitored. And that all traffic redirects are known and monitored.

    I for one am sure that Antifa funneled oversees campaign contributions using redirected traffic.

    • As of today, redirects to which redirects to We agree that inbound traffic to surely must be monitored, but with this extra redirect they may have to stop it at, but that’s far from an insurmountable task.


Submit a Comment

Your email address will not be published. Required fields are marked *