The FBI Director Has an Apparel Site and It Was Serving Malware

There’s a headline that crossed my feed last week that I’ve been sitting with. The FBI Director, Kash Patel, runs a merchandise site called BasedApparel.com. The site was caught serving a ClickFix malware attack to visitors, the kind where a fake Cloudflare prompt tricks you into running a malicious command in Terminal. Someone compromised a legitimate but poorly secured site and turned it into a credential harvester for less technically savvy users.

To be clear about the technical reality: Patel almost certainly didn’t set this up. His site got hacked, probably through a vulnerable plugin or exposed admin credentials, the same vector hackers use against thousands of sites weekly. One commenter in the thread where I found this story made the point clearly, and they were right to push back on the framing. It wasn’t his malware. It was a compromised site.

That said.

The FBI Director runs a branded merchandise site called BasedApparel.com. He spells his own name with a dollar sign sometimes. He wrote children’s books before his appointment where the central figure was a king named Donald. He is also, nominally, the head of the United States’ premier domestic law enforcement and counterintelligence agency.

I genuinely don’t know how to calibrate to this. My brain keeps trying to find the frame that makes it make sense and coming up empty.

What gets me isn’t really the malware angle. That part is almost mundane, technically speaking. What gets me is the side hustle itself. The sheer brazenness of it. A senior government official running an outside commercial enterprise while in office used to be considered an obvious conflict of interest, the kind of thing that ended careers. Jimmy Carter sold his peanut farm. That was the standard. Now the FBI Director is flogging branded jackets online, and it barely registers as news by the end of the week.

Someone in the thread made a comparison to Tom Haverford from Parks and Recreation, the character who was always spinning up ridiculous side businesses while nominally doing his actual government job. It’s a good comparison. The difference is that Tom Haverford was fundamentally harmless and genuinely loveable, and this is neither of those things. The comparison does more to illuminate the absurdity than to diminish the concern.

I’ve been in IT long enough to know that website security is genuinely hard, and that any site can be compromised if it’s not maintained well. The ClickFix attack vector is well documented and has been circulating for years. Security researchers have been warning about it. But there’s a particular irony in the director of an agency responsible for cybercrime investigation running a site that gets popped by a fairly standard attack, one that works specifically by exploiting users who don’t know what Terminal is or why they shouldn’t be pasting commands into it on a stranger’s instruction.

The broader thing that sits uncomfortably with me is the normalisation of it all. Not just the side hustles, not just this specific case, but the general sense that the people currently running American institutions are doing so with approximately zero interest in the institutions themselves, and considerable interest in everything adjacent to them. Branded merchandise. Books. Crypto. Watches. Bibles.

I’m watching this from the outer southeast of Melbourne, and I’m aware that American politics isn’t my circus. But Australia has meaningful exposure to what happens in the United States, economically and strategically, and the erosion of institutional credibility in the world’s largest economy isn’t purely an American problem.

The ClickFix attack itself is worth understanding regardless of whose site it appeared on. If you’re not technically confident: if any website ever asks you to open Terminal or Command Prompt and paste something in to “verify you’re human,” stop. Close the tab. That is not how verification works, ever. Tell someone you trust who knows computers. The attack works because it looks plausible to someone who doesn’t know what plausible looks like in this context.

The rest of it, the question of what it means that this is the person running the FBI, I don’t have a tidy answer to. I’m not sure there is one.