How Tory hopefuls snapped up campaign web addresses well before Boris Johnson quit

How early is too early to start planning your run for party leadership? Do it too soon and you might look disloyal to the current prime minister, but leave it to late and you could miss the starting gun entirely.

You might think you could start planning in secret, like Rishi Sunak did, but one little thing will give you away: your web address.

Sunak’s team registered his official website,, on 6 July, the day after he quit his post as chancellor, according to public records. That might have been a bit forward, since Boris Johnson had yet to announce plans to resign as PM, but it’s barely a paper cut compared to the knife in the back he’d delivered the day before.

Except that six months earlier, as the prime minister was in the depths of the Partygate scandal, a very similar web address was registered: That address, which now redirects to Sunak’s official campaign, was snapped up on 23 December and kept secret for more than six months of supposed collegiality. Sunak’s team denies that they’re the owners of the second address, even though the spelling matches that of his campaign Twitter account.

Why might Sunak be so eager to secure his valuable online real estate? Look no further than the dark horse of the race for leader, Penny Mordaunt. Her slogan, “PM4PM”, might be a bit on the nose, but it seems like she settled on it a very long time ago: the address was registered in May 2019, months before the resignation of the last prime minister, Theresa May. In the end, Mordaunt decided not to run in that race, but kept hold of the web address anyway.

And her team’s fast fingers aren’t just playing defence. In the last few days, competitors who weren’t quick enough to secure their own turf have found Mordaunt already there. Nadhim Zahawi has been campaigning with “NZ4PM” – but as of Wednesday, will take you to Mordaunt’s page instead. Suella Braverman didn’t go for the short form of her campaign slogan, but lost out to Mordaunt nonetheless, with now hijacking would-be visitors to the attorney general’s website.

Sign up to First Edition, our free daily newsletter – every weekday morning at 7am BST

Such “domain squatting” is legal, though frowned upon, in most situations. It can be relatively easy to fight if the squatted domain is a registered trademark, or if the squatter is clearly attempting extortion by, for example, offering to sell the domain at an inflated price.

But there’s one leadership contender who Mordaunt’s campaign hasn’t nobbled: Kemi Badenoch – perhaps because they fear what could happen if they spark a head-to-head cyberwar. Badenoch is no stranger to playing dirty online, the former equalities minister admitted in 2018. That year, she came clean that she had been behind the hack and defacement of Harriet Harman’s website in 2008, when a then-unidentified prankster had guessed the password to the MP’s site and updated it with a message supporting Boris Johnson’s candidacy to become the mayor of London.

Badenoch confessed to the hack in response to a question about the “naughtiest” thing she had ever done, but insisted it wasn’t “real hacking”. Real hackers, however, were angry that the MP was laughing off an action for which others have gone to prison. “If a Conservative MP can admit to a computer crime on television and get away with it, then that says the law is not being enforced equally in the UK,” Mustafa Al-Bassam, a former member of the hacking collective LulzSec, told the Guardian at the time.