It’s been a rough few days for ventures tied to MAGA figures. First reported by Straight Arrow News, FBI director Kash Patel’s merchandise website went dark on Friday after hackers allegedly compromised it with malware. Then, just days later, Trump Mobile admitted to leaving customer data exposed online. The pattern is hard to ignore, and it raises some uncomfortable questions about operational security in this political ecosystem.
Let’s start with the apparel angle. Based Apparel, which operated Patel’s merch site, took the website offline after an X user named Debbie flagged what appeared to be an infostealer malware infection. An infostealer is exactly what it sounds like: malicious software designed to harvest credentials and passwords from unsuspecting visitors. A security researcher later examined the malware and confirmed the threat.
When TechCrunch reached out to Based Apparel for comment, they got radio silence. An email sent to a Gmail address previously linked to Patel also went unanswered. That lack of transparency is its own kind of problem.
The Trump Mobile Disaster
But that’s just the warm-up act. On Friday, Trump Mobile’s provider confirmed that customer personal information had been sitting exposed on the internet. We’re talking names, email addresses, mailing addresses, phone numbers, and order identifiers. All of it just… out there. Researchers had flagged this vulnerability to YouTubers who’d purchased Trump Mobile phones, and only then did the company acknowledge the exposure.
This wasn’t some sophisticated, unpreventable attack. This was basic operational security failing at a fundamental level. The kind of failure that suggests either negligence or a lack of resources dedicated to protecting customer data.
What This Pattern Tells Us
One security breach is an incident. Two in a single week involving related political figures starts to look like a trend. And the trend suggests that companies operating in this political space may not have the technical infrastructure or expertise to handle basic cybersecurity.
That’s not meant as partisan criticism. It’s an observation about operational readiness. Any company handling customer data or accepting payments has a responsibility to secure that information. When multiple ventures fail at the same time, it points to either a shared weak link or a broader culture that doesn’t prioritize these fundamentals.
Neither option looks great for customers who trusted their personal information to these platforms.
The question now is whether these incidents trigger any broader reckoning about how these ventures approach security, or whether they’ll be treated as isolated incidents and forgotten by next week.
