A clothing brand co-founded by FBI Director Kash Patel was compromised to serve infostealer malware targeting macOS users, with the payload built to harvest credentials from more than 200 cryptocurrency wallet browser extensions. The site, Based Apparel (basedapparel.com), went offline on Friday, May 23, 2026, roughly 24 hours after the attack was first flagged publicly.
The attack was discovered Thursday, May 22, by an X user in Portugal going by "debbie," who told PCMag she landed on the site after reading a piece in The Atlantic that linked to it. What she found was a spoofed Cloudflare verification page telling visitors their IP had been flagged for "irregular web activity." Clicking the copy button appeared to capture the innocuous phrase "I am not a robot: Cloudflare Verification ID: 801470" - but the clipboard was silently loaded with a long obfuscated terminal command. Running it on a Mac would download and install an infostealer without further interaction. PCMag independently reproduced the attack.
Security researcher "WifiRumHam" analyzed the payload and found it was designed to steal login credentials, browser cookies, data from more than 200 cryptocurrency wallet browser extensions, Apple Notes contents, and keychain passwords, per Straight Arrow News. The same researcher identified a payment skimmer on the site's checkout page aimed at harvesting credit card data. The attack was made possible through a malicious WordPress plugin installed by the attacker; how the attacker gained initial access to the site was not determined.
MetaMask flagged the site as "potentially deceptive," displaying a warning to users that identified "malicious transactions resulting in stolen assets" as among the risks, per Yahoo News and PCMag. By Friday morning, basedapparel.com displayed a message reading: "We're making improvements to better serve you. The store will be back online shortly - bolder than ever."
Based Apparel was co-founded by Patel and Andrew Ollis, who serves as CEO on the board of the Kash Foundation. The FBI issued a statement saying Patel "divested from any interest" in the site prior to his confirmation as FBI Director and does not profit from its sales, per Straight Arrow. The bureau declined to say whether it is investigating the hack. Based Apparel receives an estimated 33,600 monthly visits, per Ahrefs data cited by Decrypt.
The incident is the second security breach tied to Patel within months. In late March, the Iranian-linked hacker group Handala published more than 300 emails from Patel's personal Gmail account, per Straight Arrow, exposing family photos and personal documents.
ClickFix-style attacks have become a significant vector in crypto theft in 2026. The technique exploits users' trust in familiar interfaces - in this case a Cloudflare CAPTCHA page - to execute commands that would otherwise require deliberate installation. The FBI itself has been involved in investigations of infostealer distribution through other platforms.