Kash Patel’s personal merch site hacked to trick users into installing malware
FBI Director Kash Patel’s personal merchandise site went offline Friday after a hack apparently tricked visitors into downloading malware.
The site — unprecedented for an FBI chief — sells “K$H”-branded patriotic goods, such as clothing and books. The site, known as Based Apparel, has offered “Love It Or Leave It” T-shirts for $35, “Government Gangster” playing cards for $10 and a “Fight with K$H” scarf for $25.
It also sells a line of children’s books.
This week, visitors to the website were met with a Cloudflare verification page, normally used to protect websites from malicious traffic. But it had been altered to claim that each visitor’s IP address had been flagged for “irregular web activity.”
Visitors were then prompted to copy a code from the website and paste it into the terminal on their computers, a social engineering technique known as a ClickFix attack. When entered, the code, designed specifically for Mac computers, would download and install malware onto the user’s device.
By Friday morning, the site was down. “We’ll be right back,” the homepage read. “We’re making improvements to better serve you. The store will be back online shortly — bolder than ever.”
It urged users to “stay based.”
‘Infostealer’
The malware discovery was made on Thursday by a social media user identified as “debbie.” In statements to Straight Arrow, debbie declined the title of security researcher and instead referred to herself as a “big time nerd.”
An article from The Atlantic drew debbie’s attention to Based Apparel. The article detailed Patel’s merchandising and his personalized bourbon bottles, which showcase the words “Kash Patel FBI Director” beneath the FBI shield.
What debbie discovered is that the code users were asked to copy and paste into their terminal appeared to say, “I am not a robot: Cloudflare Verification ID: 801470.”
But clicking the copy button actually placed entirely different text on the clipboard: terminal instructions that downloaded the malware without the user’s knowledge.
The malware type is known as an infostealer. A security researcher known online as “WifiRumHam,” who carried out an analysis of the malware, said the infostealer is designed to grab login credentials, browser cookies, information from more than 200 cryptocurrency browser extensions, Apple Notes data and passwords from each victim’s keychain.
WifiRumHam also claimed to have discovered a payment skimmer on the Based Apparel checkout page, designed to steal credit card information.
The attack, the security researcher said, was made possible thanks to a malicious WordPress plugin installed by the attacker. It’s unclear how the attacker initially gained access to Patel’s website.
No comment from Patel
Straight Arrow reached out to Based Apparel over X, as its website does not include contact information, but did not hear back.
The FBI did not respond to Straight Arrow’s request for comment.
The incident on Based Apparel comes weeks after Patel faced similar embarrassment for the compromise of another personal account: his private email.
In late March, the Iranian-linked hacker group Handala published more than 300 emails from Patel’s Gmail inbox, exposing information such as family photos and his resume.