In December 2020, the election-integrity group True the Vote told the Department of Justice that it had stumbled onto something alarming: after requesting Nevada’s statewide voter-registration list, the automated email it received back carried, in the carbon-copy line, the address of a man in Lahore, Pakistan. The group called it evidence of a breach in the Secretary of State’s email system. The Secretary of State called it a self-inflicted artifact of the requester’s own paperwork. Both cannot be right. What is remarkable, five years later, is that the question was never resolved — not because it was unresolvable, but because every party who could have produced the deciding records declined to.
This report does not pronounce a verdict. It is structured as an open investigation, because that is the honest posture given what is and is not on the public record. What follows is a technical reconstruction of how Nevada’s system actually works, an account of what True the Vote plausibly did, the subcontracting arrangement that sits at the center of the dispute, a full matrix of the competing explanations — including the possibility of deliberate framing — the broader and fully documented record of foreign interference in recent elections, and finally the specific forensic artifacts that would have answered the question in an afternoon. The reader is left to weigh them.
Section OneWhat Is Publicly Verifiable
Strip away the amplification and the corroborated core is narrow. In late 2020, True the Vote requested Nevada’s voter file. The reply it received carried the address waqas@kavtech.net in the CC field. That address belongs to Waqas Butt, CEO and co-founder of Kavtech Solutions, a private data-services firm in Lahore. True the Vote’s president, Catherine Engelbrecht, reported the matter to the Assistant Attorney General for National Security in a letter dated December 3, 2020, and attached a copy of the email she had received. These facts are not in dispute; they appear in the original Breitbart account that broke the story and in Engelbrecht’s own letter.
Two things sit just outside that corroborated core and must be labeled as claims rather than facts. The first is the characterization of Kavtech as a firm “with ties to Pakistani intelligence, military, and the interior.” That description originates entirely with Engelbrecht’s letter; no independent body — not the Department of Justice, not the Treasury’s sanctions office, not any court — has corroborated it, and Butt has called it baseless. The second is the inference that the CC’s presence proves a breach. That is an interpretation of the artifact, not a property of it.
What the email shows is that the Kavtech address was present in the CC line by the time Nevada’s system generated the reply. What it cannot show, on its own, is who put it there or at what step. Every serious question in this case lives in that gap.
The artifact at issue — the email Engelbrecht attached to her DOJ letter, which Breitbart published — is, in its essentials, a routine system reply with one address that does not belong. Schematically, the header block looked like this:
The data itself
It is worth grounding one point that the louder framing tends to skip: the Nevada statewide voter list is a public record. The Secretary of State’s own description of the NevVoter system states that the database is publicly accessible through the office and available in hard copy or a variety of electronic formats. The office has also said it does not release private identifiers — Social Security numbers, driver’s license numbers, email addresses — as part of that list. This does not make foreign receipt of the file harmless, but it does mean the stakes of the transfer are different from the “entire database including everything” framing that later circulated. The list is something anyone, including a foreign national, can lawfully request.
Section TwoHow Nevada’s System Actually Works
The phrase “Nevada emailed the database to Pakistan” misdescribes the mechanism. Obtaining the statewide list is not a single email with a giant attachment. Per the Secretary of State’s published instructions, it is a deliberate two-step process:
- Account creation. The applicant must first create a web account within the Nevada Secretary of State Online Services portal.
- A signed request form. The applicant must then download, complete, sign, and file an “Official Request for List of Registered Voters” form. The office explicitly states this form may be submitted “via email, fax, mail or by personal delivery.”
Once the request is verified, the office notifies the applicant by email that access has been granted, and the file is retrieved through the account. In other words, the email at the heart of this story is best understood as a system-generated notification or response tied to a request — not a spontaneous transmission. That detail matters enormously, because it means there exists, somewhere, a request artifact: the form and/or the submission that triggered the reply. Whatever recipient or carbon-copy fields existed on that submission are the proximate cause of whatever appeared on the reply.
This is the technical pivot of the entire case. If the request was submitted by email — one of the four methods the Secretary of State permits — then a “Reply” or “Reply All” from the office would carry forward whatever addresses were on the inbound message. If the address rode in on the request, the reply echoing it is mundane mail behavior, not an intrusion.
One technical guardrail bounds the whole analysis. A successful web request or an email exchange that completes — a file actually delivered, a reply actually received — cannot be performed from a forged source address. The underlying transport requires a completed handshake; the requester has to actually receive the responses. So whatever IP or account ran the session that produced this reply was a real participant, not a spoofed one. That single fact eliminates several dramatic theories before they start.
Section ThreeWhat True the Vote May Have Done — and the Subcontracting Chain
Here the record contains an admission that is easy to miss because it comes from the accused party. Butt told a reporter that True the Vote had subcontracted Kavtech to develop a web-based application to review voter information and identify potential voting-related fraud, and that the email was an automated response in which “whoever requested the report” had entered his address. Engelbrecht denied that True the Vote ever subcontracted Kavtech.
This is the fork on which everything turns, and it is worth stating both possibilities plainly. If Butt is correct, then a working relationship existed between True the Vote’s data operation and a Lahore firm, an employee or contractor in that chain copied Butt on data correspondence as a matter of routine, and his address was therefore sitting in the request that Nevada replied to. If Engelbrecht is correct, no such relationship existed, and the address’s appearance demands a different explanation.
Notably, even an outlet sympathetic to True the Vote reported the mechanics in a way that aligns with Butt. In a December 28, 2020 update to its own coverage, The Gateway Pundit relayed that True the Vote had told the outlet directly the Kavtech email “was first emailed to the Nevada Secretary of State in a True the Vote email” — that the address originated on the requesting side — and appended that a True the Vote employee had copied Butt, so that when the Secretary of State did a “Reply All” with the voter information, the address was carried along.1 Engelbrecht’s public rebuttal in that same update did not take the form of “here is our original request showing no Kavtech address.” It took the narrower form of “the FBI can check the IP addresses, which will clarify that we in fact had no involvement in adding the Kavtech address to the CC line.”
The distinction between those two rebuttals is the most underappreciated detail in the entire affair. The first — producing a clean original request — would have been dispositive and was entirely within True the Vote’s power. The second — pointing at IP logs held by others — defers the question to records the group did not control and that were never released. A party confident it had a clean outbound request would, ordinarily, simply produce it.
Kavtech Solutions is a privately held data and analytics outsourcing firm founded in 2014 in Lahore by Afaq Ahmed and Waqas Butt, with a secondary footprint in Los Angeles. Its public profile is commercial: data warehousing, business intelligence, visualization, image processing, and machine learning, on standard enterprise tooling. Butt stated the firm had never worked for any government department. No independent record establishes the alleged intelligence ownership; that characterization rests solely on the complainant’s letter. The reader should hold both facts at once: the firm is, on the public record, an ordinary regional data shop — and an ordinary regional data shop is exactly the kind of vendor a data operation might subcontract.
The Awan question, addressed and closed
Because this episode is often folded into a broader “Pakistani penetration of U.S. systems” narrative alongside the Awan congressional-IT matter, it should be stated directly: there is no documented connection between Kavtech or Waqas Butt and Imran Awan or his family. They are separate people, separate firms, separate cases, years apart. The only thing linking them is thematic adjacency in the same media ecosystem. And on its own terms, the Awan espionage theory was investigated and came up empty — the federal inquiry found no evidence of unauthorized data removal or foreign-intelligence ties, and Awan ultimately pleaded only to an unrelated bank-fraud count. A responsible report does not borrow weight from a theory that did not hold.
Section FourThe Hypothesis Matrix
Four explanations can account for a Pakistani address on the reply. Each leaves a different forensic signature. None can be confirmed or excluded on the public record, which is precisely the point. They are presented here in no order of preference.
A person in True the Vote’s data chain — plausibly a Kavtech developer working on the voter-review application Butt described — submitted or was copied on the Nevada request. The address was in the inbound message; Nevada’s reply echoed it. No intrusion of any kind occurs in this scenario.
The request payload contains the Kavtech address in a recipient or CC field. The originating IP resolves to a contractor, a cloud host, or a VPN egress — not to Nevada and not necessarily to True the Vote’s main office. Authentication logs show a valid account. This is the scenario most consistent with Butt’s account and with the sympathetic outlet’s reconstruction.
An unauthorized third party used True the Vote’s portal credentials to make the request, inserting the Kavtech address. In this scenario the failure is on the requester’s side — an account takeover — not on Nevada’s.
The request payload carries the address; the authentication record shows True the Vote’s account; but the originating IP is foreign to both True the Vote and Nevada, and True the Vote can demonstrate it did not initiate the session. This is distinguishable from Hypothesis A only by True the Vote’s own access records and testimony.
The address was not present in any legitimate request, but appeared on Nevada’s outbound reply because something inside the Secretary of State’s mail or report-generation environment inserted it — a compromised template, a malicious configuration, or an intrusion into the office’s systems. This is the only scenario that implicates Nevada itself, and the only one consistent with the “breach” framing.
The request payload is clean — no Kavtech address — yet the reply carries it. Server and mailer logs show the address inserted at the Nevada end, with no corresponding inbound source. There would likely be other indicators of unauthorized access during the same window. The Secretary of State’s IT staff stated they found no such intrusion; that statement has never been independently audited against the underlying logs.
The address was placed into the request intentionally, by someone on the requesting side, to manufacture the appearance of a foreign-intelligence nexus — a finding that could then be reported to DOJ and publicized. This is the framing hypothesis, and intellectual honesty requires stating it as squarely as the others.
Critically, the observable evidence for Hypothesis D is identical to Hypothesis A: the address sits in the request payload, submitted from a non-Nevada source. The two are distinguishable only by intent — and intent is not visible in network logs. Separating them would require something logs cannot supply: internal communications, the actual contractual relationship with Kavtech, the timing and authorship of the form, and the surrounding correspondence. Absent those, Hypothesis D can be neither substantiated nor dismissed. It is a live possibility precisely because the disambiguating records were never produced — the same records whose absence keeps Hypothesis C alive.
Hypotheses C and D are mirror images. One requires believing Nevada’s systems were penetrated and the office’s denial was wrong or untruthful. The other requires believing the reporting party engineered the artifact. Both depend on the exact same missing evidence to move from possible to proven. Whoever withheld that evidence foreclosed both theories equally. That is the real scandal here, and it does not require choosing between C and D to state it.
Section FiveThe Decision Tree
The competing scenarios resolve along two gates. The first asks whether the address was in the submission. The second — only if the first is answered “yes” — asks who submitted it. The IP, contrary to how it was invoked publicly, is the least dispositive single input.
The lesson of the tree is blunt: every IP-mismatch outcome points back toward the requester’s side, not Nevada’s. A foreign or unfamiliar IP does not clear True the Vote and does not implicate Nevada; if anything, it is the fingerprint of a contractor having done the work. Engelbrecht’s public logic — that a non-TTV IP would “confirm we had no involvement” — does not survive the tree. The only branch that reaches a Nevada breach is the one where the address was absent from the submission, and that branch can be walked only with the Secretary of State’s own server logs.
Section SixForeign Interference Is Real — The Documented Record
It would be a mistake to read the unresolved Nevada question as evidence that foreign interference is a myth, just as it would be a mistake to read it as proof of a breach. The two are separate matters. Foreign efforts to influence and, in narrower instances, interfere with American elections are not allegation or theory — they are the documented, on-the-record findings of the U.S. intelligence community, federal prosecutors, and the Treasury. This section sets out that record from primary sources, precisely so the Nevada analysis is not made to carry weight it cannot bear. Each item below is sourced to a government document, an indictment, or a sanctions designation — not to a partisan retelling.
The 2017 assessment (the 2016 cycle)
In January 2017, the CIA, FBI, and NSA, under the ODNI, released the declassified assessment Assessing Russian Activities and Intentions in Recent US Elections. Its central judgment was that Russian President Putin ordered an influence campaign in 2016 aimed at the U.S. presidential election, with goals of undermining public faith in the democratic process and harming one candidate’s electability. The agencies expressed high confidence in the core judgment, with one documented confidence split: CIA and FBI held high confidence, and NSA moderate confidence, on the narrower point that the Kremlin aspired to help one candidate. That internal calibration is part of the public record, not a later discovery.
Critically, even this assessment did not claim votes were altered. The intelligence community made no assessment of the impact on the outcome, and DHS assessed that the systems Russian actors targeted or compromised were not involved in vote tallying. The distinction between influence (shaping opinion) and interference (touching the technical machinery of voting) runs through the entire official record and is worth holding onto.
The bipartisan validation (2018–2020)
The 2017 assessment was not left to stand on its own authority. The Senate Select Committee on Intelligence — under Republican leadership — conducted a multi-year bipartisan review and, in stages through 2018 and a 2020 volume, concluded that the assessment was sound. It found that the analysts were under no politically motivated pressure, that the confidence-level differences reflected legitimate analytic judgment reached transparently, and that there were no significant tradecraft issues in how the assessment was prepared. This matters for the present purpose: the most rigorous, adversarial, bipartisan check available endorsed the core finding.
The 2021 assessment (the 2020 cycle) — the five judgments
In March 2021, the ODNI released the declassified ICA Foreign Threats to the 2020 US Federal Elections, drafted by the National Intelligence Council with CIA, DHS, FBI, INR, and NSA. Its five key judgments are the most authoritative public statement on what did and did not happen in the cycle at issue here:
- Judgment 1 — No technical interference. The IC had no indications that any foreign actor altered any technical aspect of the voting process — voter registration, casting, tabulation, or reporting. It did identify some successful compromises of state and local government networks before Election Day, but assessed these were not directed at altering the election. And it noted that Iran and Russia spread false or inflated claims about supposed voting-system compromises to undermine public confidence.
- Judgment 2 — Russia (influence, high confidence). Putin authorized influence operations denigrating one candidate and supporting the other, working largely through proxies linked to Russian intelligence who laundered narratives through U.S. media, officials, and prominent individuals. Unlike 2016, the IC did not see persistent Russian cyber efforts to access election infrastructure.
- Judgment 3 — Iran (influence, high confidence). Iran ran a multi-pronged covert campaign, authorized by Supreme Leader Khamenei and implemented by its military and intelligence services — notably more aggressive than in past cycles, including emails to individual voters.
- Judgment 4 — China (declined to interfere, high confidence). China considered but did not deploy efforts to change the outcome, judging the risk of getting caught not worth it. (One dissent is preserved in the document: the National Intelligence Officer for Cyber assessed China did take some steps to undermine one candidate’s reelection. The dissent is part of the record.)
- Judgment 5 — Others. Lebanese Hizballah, Cuba, and Venezuela took smaller-scale steps; profit-motivated cybercriminals disrupted some preparations.
Across both cycles, the intelligence community’s consistent finding is that adversaries ran aggressive influence operations and, in some cases, acquired voter data and probed networks — but did not alter votes or tabulation. “Foreign interference happened” is true in the documented sense of influence operations and data acquisition. “Foreign actors changed the vote count” is not supported by any official assessment. Both halves of that sentence are load-bearing.
From assessment to indictment — the Iran case
The 2020 influence record is not merely analytic; part of it was charged criminally. In November 2021, the Justice Department unsealed an indictment against two Iranian nationals, Seyyed Mohammad Hosein Musa Kazemi and Sajjad Kashian, described as experienced Iran-based hackers who had worked as contractors for an Iranian firm (now known as Emennet Pasargad) that provided services to the Iranian government. The indictment alleges they obtained confidential U.S. voter information from at least one state election website, attempted to access voting-related websites in several states, and sent threatening emails — the notorious messages purporting to come from the Proud Boys — to intimidate voters. Concurrently, the Treasury’s Office of Foreign Assets Control sanctioned the company, the two men, and four other Iranian nationals; the State Department posted multimillion-dollar rewards. This is the most concrete tier of the record: not an assessment’s confidence level, but named defendants, statutes, and sanctions.
It is worth noting how this confirmed case actually worked, because it is instructive for the Nevada question. The Iranian operation obtained voter data — much of which is public or semi-public — and weaponized it for intimidation and disinformation. It did not alter a single vote. The damage was to confidence, not to tabulation. That is the characteristic shape of real, prosecuted foreign election activity in this era.
The 2025 re-litigation — handled honestly
Because the intelligence record is itself now contested terrain, completeness requires addressing the 2025 developments rather than ignoring them. In mid-2025, CIA Director Ratcliffe released a “tradecraft review” of the 2017 assessment, and DNI Gabbard declassified a House Intelligence Committee review along with other materials, characterizing them publicly in sweeping terms. The honest reading of those documents is more measured than the public characterizations of them:
- Ratcliffe’s review criticized the 2017 assessment’s compressed timeline, compartmentation, and the involvement of agency heads, and argued the “aspired to help” judgment should not have carried high confidence. But the same review concluded the overall assessment was “defensible.”
- The declassified House review — despite being titled around a “manufactured” hoax — did not dispute that Putin ordered influence operations and hack-and-leak efforts, nor that he sought to undermine American democracy and one candidate.
- The sweeping public claim that the assessment was “manufactured” is not supported by the underlying documents the same officials released, nor by the earlier bipartisan Senate review.
In other words: the procedural critiques are real and worth airing, and reasonable people can argue about confidence levels and process. But the load-bearing conclusion — that Russia conducted influence operations against U.S. elections — survives every review, including the hostile ones. A report that wants to be trusted states that plainly rather than overclaiming in either direction.
Where this leaves the “they were hiding it” instinct
The suspicion that institutions minimized inconvenient findings is not baseless as a general matter; the existence of competing reviews proves the judgments were contested. But the specific charge that fits the Nevada case is narrower and, frankly, more provable than “a breach was found and concealed.” It is this: a national-security-grade question was raised to the Department of Justice, and then nobody — not the Secretary of State, not True the Vote, not the FBI, not DOJ — produced the one or two records that would have answered it. That is suppression by inaction, and it does not require proving a breach. It only requires noticing the silence.
That silence is now measurable. In the more than five years since December 2020, there appears to be no public follow-up of any kind on this specific incident: no Justice Department or FBI update or charging decision, no further filing or statement from the Nevada Secretary of State, no subsequent comment from Waqas Butt, and no release by True the Vote of the original request that would have settled the matter in its favor. The episode was raised at the highest level as a potential foreign-intelligence breach of election data — and then simply stopped, with none of the four parties who could close it doing so. The absence is not a gap in this report’s research; the absence is the finding. A question this serious does not normally evaporate. This one did.
Section SevenWhat Would Actually Settle It
The Nevada question is not unanswerable. It is unanswered. Four artifacts, three of them small, would resolve it — and each is or was held by an identifiable party. The table below is also, in effect, a discovery and public-records roadmap.
| Artifact | Held by | What it proves |
|---|---|---|
| The original request submission (form + email), showing the recipient/CC field as sent | True the Vote | Whether the address rode in on the request. Dispositive between Gate 1’s two branches. |
| Portal authentication / account-access records for that request | Nevada SOS | Which account and credential submitted it — separates contractor (A/D) from credential compromise (B). |
| Mail server & report-generator logs for the outbound reply | Nevada SOS | Whether the address was inserted server-side. The only thing that can confirm or kill the breach (C). |
| Originating IP / session metadata for the request | Nevada SOS / FBI | Where the session came from. Useful only with the above, not alone. |
Three of these four sit with the Secretary of State and could be compelled through a public-records request or litigation discovery framed precisely around them. The first sits with True the Vote and could have been published voluntarily at any point in the last five years. The IP metadata — the one thing Engelbrecht pointed at — is the weakest of the four standing alone, because it answers “where from” without answering “who” or “inserted where.”
The Kavtech email is not a proven breach, not a debunked hoax, and not a confirmed frame-up. It is a documented anomaly with four viable explanations — two alarming, two mundane — separated by records that exist but were never disclosed. The most defensible thing that can be said with certainty is this: a question of foreign access to American voter data was raised at the highest level, and the institutions positioned to answer it — on every side — left it open. That is the finding. The rest is hypothesis, and is labeled as such.
AppendixA Sourced Chronology
The 2016-cycle assessment
CIA, FBI, and NSA release the declassified assessment finding Putin ordered an influence campaign in 2016. No claim that votes were altered.
Bipartisan Senate validation
The Republican-led Senate Intelligence Committee reviews the assessment and finds it sound, with no significant tradecraft issues and no political pressure on analysts.
Iran’s “Proud Boys” emails; voter data on forums
ODNI publicly attributes voter-intimidation emails to Iran. Separately, a cybersecurity firm finds large volumes of voter records — much of it public — circulating on hacker forums, attributed by officials to Iranian and Russian acquisition.
The Kavtech report to DOJ
True the Vote notifies the Assistant Attorney General for National Security that a Pakistani address appeared in the CC line of Nevada’s voter-file reply, attaching the received email. Breitbart publishes December 5.
The rebuttals
The Nevada Secretary of State says the address was added on the request side and IT found no hack. Waqas Butt says TTV subcontracted Kavtech and the address was entered into the request; Engelbrecht denies the subcontract and points to IP logs. No deciding artifact is published by anyone.
The 2020-cycle assessment
ODNI releases the five key judgments: no technical interference; Russia and Iran ran influence campaigns; China declined; others smaller-scale.
Iran indictment & sanctions
DOJ unseals charges against two Iranian nationals for the voter-intimidation campaign; Treasury sanctions the firm and six individuals.
Re-litigation of the 2017 assessment
CIA and ODNI release reviews critical of the 2017 assessment’s process. The reviews sharpen procedural critiques but do not overturn the core finding that Russia conducted influence operations; the CIA review calls the overall assessment “defensible.”
Silence on the Kavtech incident
No public DOJ or FBI update, no further Secretary of State or True the Vote filing on the matter, and no subsequent comment from Waqas Butt. The disambiguating records are never produced. The question remains exactly where it was left.
Notes
- The Gateway Pundit, “Evidence of Foreign Influence in 2020 Election: Nevada Secretary of State Caught Sending Voter Data List to Pakistani Firm…,” published December 28, 2020 and subsequently updated. The update states that True the Vote told the outlet the Kavtech email “was first emailed to the Nevada Secretary of State in a True the Vote email,” that Nevada officials then “responded to True the Vote and Kavtech in their reply,” and — quoting a referenced social-media thread — that “a True the Vote employee cc’d him… so when the [Nevada Secretary of State] did a *Reply All* w/voter info, there it was.” The same update reproduces True the Vote’s statement that the FBI “will undoubtedly be able to identify the IP addresses from which requests were made, which will clarify that we in fact had no involvement in adding the Kavtech address to the CC line.” The outlet is one generally aligned with True the Vote’s broader claims, which is what makes its account of the requesting-side origin notable rather than adversarial. Link.
A note on sourcing
This analysis draws on primary and contemporaneous sources throughout: the original December 5, 2020 Breitbart report by Kristina Wong, which obtained and published Engelbrecht’s DOJ letter and the received email; The Epoch Times’ reporting carrying Waqas Butt’s on-the-record responses; the Nevada Secretary of State’s published NevVoter request instructions and post-election “Facts vs. Myths” materials; the 2017 ICA Assessing Russian Activities and Intentions in Recent US Elections and the Senate Intelligence Committee’s review of it; the 2021 ICA Foreign Threats to the 2020 US Federal Elections (key judgments quoted in bounded form from the ODNI declassified PDF); the November 2021 Justice Department indictment of Kazemi and Kashian and the corresponding OFAC sanctions; the 2025 CIA tradecraft review and the declassified House Intelligence Committee materials, read against the contemporaneous reporting on their actual contents; and the federal investigative record on the unrelated Awan matter. Disputed characterizations are attributed to their source. No hypothesis in Section Four is asserted as established fact. Where this report describes forensic signatures, it describes what such records would show, not what any disclosed record does show — because, as the report’s central point holds, those records were never disclosed.
It’s not the story they tell you that is important. It’s what they omit.
— Tore