If you bought a ‘Never Hillary’ sticker or ‘Make America Great Again’ wristband from the National Republican Senatorial Committee’s online store recently, you might want to contact your credit card company. Since as early as March, all credit card payments on the NRSC website have been intercepted and forwarded to a Russian server. The leak was discovered by security expert Willem de Groot; he shared his findings with Follow the Money.

Caps, stickers, tee shirts, mugs: in the US presidential elections, anything goes when it comes to demonstrating one’s political preference through consumer products. The Republican Senatorial Committee (NRSC) online store — which sells a number of such products — seems nothing out of the ordinary. However, its looks are deceptive.

‘The online store software has been cracked. A small piece of extra code has been added; it is practically invisible, but it forwards every word visitors type,’ says Willem de Groot. He is a co-founder of Byte, a Dutch web hosting company, and also advises web stores about data security. In this video, he shows how the hack works.

‘The more common website hacks are one-time break-ins,’ De Groot explains. Hackers break into the website and steal data like your name, address, email, and — in the worst cases — your credit card details. In the NRSC web store, however, something different is going on. De Groot: ‘This hack is a continuous one. Every time a customer enters their credit card data, the malicious code automatically forwards it. In a way, it’s an online version of skimming.’

Russia, Belize, Ukraine

De Groot found the hack using a scanner that automatically alerts him when it detects certain types of attacks. The hackers put a lot of effort into hiding themselves. The evidence Follow the Money has seen does show a trail, though: it leads from the Republican website in the US to a Russian server. In this case, the malicious code on the NRSC website sends the credit card data to a server registered in Saint Petersburg. According to De Groot, this almost certainly means that the server is located there in the real world as well: ‘Such registrations are almost impossible to fake.’ The trail then continues to a front company in Belize, finally ending up in Ukraine.

The evidence clearly points to Ukraine

The Russian server is registered under the name Dataflow, a company whose website is only available in Russian. The company itself, however, is registered at a mail address in Belize. This address also appears in the Panama Papers. It houses a number of other front companies, such as the trust office Alpha Offshore.