My previous articles on Bexar County deal with what I found in an interesting file given to me by Dr. Walter Daugherity of Texas A&M University. The file was a list of voter check-ins for Bexar County, Texas. He knew there was an algorithm present based on his own examination of the file and wanted to know what I might find. To my surprise, I managed to almost completely reverse-engineer the full logic chain that produced it.

This much we know: a sophisticated algorithm altered the check-in results. The alterations generated 4,110 fake check-ins while discarding 4,116 real ones. Those check-ins represent ballots generated on the basis of false information. The original check-ins — presumably, though with chain of custody broken by the algorithm it is hard to know for sure — were then restored, leaving no trace of the exploit in the production files. Bexar County released a statement implausibly claiming that the 4,110 fake registrations were caused by an export error.

Today I want to deal with an aspect of this story that I know less about than the other parts: the hardware chain involved, and the potential scope of what happened. This means I am generating a hypothesis to be investigated, not making fact claims. My previous reporting concerned data I had in front of me and could discuss with considerable confidence. In this article the territory is less certain, but it must be explored regardless. Like many discoveries, they start with an idea of what might be found. That is what I want to do here.

Why I Was Looking at Poll Pads

To understand the hypothesis, it helps to understand why I initially focused on poll pads as the origin point of the exploit — and why that framing, while logical as a starting point, almost certainly does not describe what actually happened.

The poll pad is where this type of data is normally created. When a legitimate voter arrives at a polling location, a poll worker looks up their record, confirms their identity, and checks them in directly on the tablet. The poll pad is not just a display device. It is the point of data entry. That is where voter check-in records originate under normal, honest operation of the system. So my initial framing was reasonable: if check-in data was manipulated, start with where check-in data lives.

A quick check establishes that the poll pads used in Bexar County, and in Texas generally, are KnowInk Poll Pads. This is important because it implies the fraudulent records could in principle have originated on the poll pads themselves, with the original records then restored without ever touching the official county or state voter roll databases.

But this article is really about why that framing, while logical, almost certainly does not describe what actually happened. The reason is straightforward: the injection produced 4,110 records. Even setting aside the mathematical complexity of the algorithm — the alphabetical sorting, the integer constraint solving, the floating-point arithmetic, the address generation heuristics — the sheer volume rules out manual entry at a tablet. A poll worker typing names one at a time would need to work through the night, in full view of anyone present, to produce that many records. It is not plausible. It did not happen that way.

Which means the algorithm ran underneath the familiar poll worker interface — either on the poll pad itself at a level below what users see, or, more likely, somewhere else in the system entirely. That somewhere else is what this article is about.

The KnowInk System: More Than a Tablet

It is a simplification to say “poll pads,” because the poll pads are part of a larger system. That system includes the individual poll pad tablets themselves — commercial off-the-shelf Apple iPads running the KnowInk Poll Pad application — but also a centralized web-based platform called ePulse, which is the nerve center of the entire operation.

ePulse is where election administrators monitor every poll pad in real time: battery levels, check-in rates, ballots issued, and device status. It is also where data flows to and from the tablets via WiFi or cellular connection. Every poll pad in a jurisdiction connects to ePulse. ePulse connects to the broader election management infrastructure. The poll pad is the visible endpoint. ePulse is the hub that everything runs through.

Critically, the data flow is explicitly bidirectional. Before the election, voter files are downloaded to each poll pad from ePulse. After the election, voter history is exported back to ePulse. ePulse is not merely a monitoring dashboard — it is the source of the data going in and the destination of the data coming out. That makes it the logical chokepoint for manipulation in either direction.

The publicly available KnowInk operation manual confirms several additional details worth noting. First, the post-election export procedure is straightforward: a poll worker selects the post-election menu, selects the election from a dropdown, and presses Export Voter History. The manual describes no verification step, no cryptographic hash check, no independent audit of what is being exported. Second, several privileged functions — including canceling check-ins, manually importing voter files, and accessing administrative tools — require what the manual calls an “Extra Functions Password,” which poll workers are simply told will be provided to them. That password tier confirms there are administrative capabilities on the device that ordinary poll workers are not supposed to access, and that those capabilities include manually importing voter files directly onto the pad — a mechanism by which a modified file could be pushed to a device without going through the normal ePulse download channel at all.

The Gateway

While researching this article, I discovered something that materially affects the threat assessment. Access to the ePulse system is not restricted to a secure internal network or a hardened administrative console. It is available through a standard login page on the public internet at gateway.epulse.io — email address, password, sign in. That is the same basic access model as a webmail account. Any person with valid credentials can reach the central hub through which check-in data for hundreds of jurisdictions flows, from any device, anywhere in the world.

This does not mean the system is unprotected beyond that login screen. There may be additional authentication layers, access controls, and audit logging that are not visible from the outside. But it does mean that the outer perimeter of the system serving one in four American voters is a username and password field on the open internet. That is worth knowing.

The Server-Side Hypothesis

This is where the architecture of the exploit becomes important. As I established in my previous reporting, the injection required the completed check-in list. It could not have been run during the voting day, because the algorithm needed the full set of real voters in order to generate its anchor list, solve its clone distribution constraint, and determine its endpoints. It had to wait until polls closed.

That timing constraint is not consistent with someone manipulating individual poll pads in the field. Poll pad terminals are physically distributed across voting locations, handled by poll workers, and at least nominally under observation throughout the day. But it is entirely consistent with someone running a tool against the aggregated data on a back-end server after the day’s check-in records were complete — precisely where ePulse sits in the architecture.

If the injection occurred at the ePulse level, the operator would not need to touch a single tablet. They would have the complete, aggregated check-in list for an entire county available to them the moment polls closed, and the ability to push a modified file back out through the same channel it came in on.

How Many Inputs Does the Tool Require?

This is worth examining carefully, because the answer has direct implications for how the tool was operated and how simple it would be to deploy repeatedly.

My first instinct was that the operator needed to supply two numbers: how many anchor names to select, and how many synthetic records to generate. But the mathematics of the injection suggests it may require only one.

Here is why. The analysis establishes that 735 anchor names plus 4,110 synthetic records equals 4,845 — the exact total in the injected file for February 18. The genuine voter count was 4,851. The six-record difference was not an accident. It was a deliberate algebraic choice ensuring that all four key quantities — 735, 300, 435, and 4,110 — share a common factor of 15, producing the clean 300/435 anchor split. That optimization could be automatic rather than user-specified. If the operator inputs only the anchor count — 735 — the algorithm could then read the total real voter count directly from the completed check-in file, calculate the zero-discard synthetic count, find the largest number satisfying the divisibility constraint, and derive the correct split automatically. Everything else follows. The operator types one number, presses enter, and the algorithm does the rest.

If that is correct, deploying this tool against a new county on a new election night requires exactly one decision: how many anchors to use. Everything else is automatic.

How the File Was Obtained — and Why It Matters

The reason Bexar County was caught is specific and almost accidental. The manipulated file was downloaded directly from the Bexar County public data portal on February 19, 2026 — the day after the check-in data it contains — by a woman whose name appears in the file’s own metadata as the last person to save it. Her only modification was renaming it from an opaque machine-generated filename to something readable by recipients. That metadata record is the forensic anchor for the file’s provenance. It establishes that the file existed in its current form on February 19, before any cleanup had taken place.

From there it passed through GOP precinct chairs to candidate Weston Martinez, then to Dr. Daugherity, and finally to me. At each step the file was the same file. That chain matters because without it there is no surviving record of what happened on February 18. The county replaced the file on or before February 25, permanently breaking the chain of custody for the entire dataset. The original manipulated file — captured externally before the replacement — is the only surviving forensic record of the injection.

In jurisdictions where the file is never publicly posted, or where the cleanup is faster, or where nobody happens to be watching, the same operation would leave no publicly accessible trace whatsoever.

The Scale Question

KnowInk is not a small regional vendor. In the November 2024 presidential election, 36 million voters across 29 states — roughly one in four American voters — checked in using a KnowInk Poll Pad. Their system is deployed in jurisdictions representing a substantial portion of the American electorate. ePulse is not one server in one county. It is a platform serving hundreds of jurisdictions simultaneously.

If the tool I reverse-engineered in Bexar County runs server-side — and the operational logic strongly suggests it does — then the question is not whether this happened in Bexar County. The question is how many other counties received a similar file on a similar night, with different parameters, leaving a different mathematical fingerprint that nobody happened to capture.

The Unanswered Question

The tool requires prior knowledge of the dead zone in the Texas statewide voter ID space — a gap of approximately 777.7 million consecutive ID numbers containing no legitimate Texas registrations anywhere in the state, across all 254 counties and 18.3 million records. Finding that gap required querying the complete statewide database. That is not something any county-level tool can do.

That is not the profile of a local actor. It is the profile of someone with sustained, privileged access to a system that serves an entire state — or more. Whether that access runs through ePulse, through a separate data pipeline connected to the Texas voter registration system, or through some other channel is a question that requires technical subpoenas to answer.

The mathematics tells us the reconnaissance happened. It does not tell us from where. That is what investigators with subpoena power are for.