Caps, stickers, tee shirts, mugs: in the US presidential elections, anything goes when it comes to demonstrating one’s political preference through consumer products. The Republican Senatorial Committee (NRSC) online store — which sells a number of such products — seems nothing out of the ordinary. However, its looks are deceptive.

‘The online store software has been cracked. A small piece of extra code has been added; it is practically invisible, but it forwards every word visitors type,’ says Willem de Groot. He is a co-founder of Byte, a Dutch web hosting company, and also advises web stores about data security. In this video, he shows how the hack works.

‘The more common website hacks are one-time break-ins,’ de Groot explains. Hackers break into the website and steal data like your name, address, email, and — in the worst cases — your credit card details. In the NRSC web store, however, something different is going on. De Groot: ‘This hack is a continuous one. Every time a customer enters their credit card data, the malicious code automatically forwards it. In a way, it’s an online version of skimming.’

Russia, Belize, Ukraine

De Groot found the hack using a scanner that automatically alerts him when it detects certain types of attacks. The hackers put a lot of effort into hiding themselves. The evidence Follow the Money has seen does show a trail, though: it leads from the Republican website in the US to a Russian server. In this case, the malicious code on the NRSC website sends the credit card data to a server registered in Saint Petersburg. According to De Groot, this almost certainly means that the server is located there in the real world as well: ‘Such registrations are almost impossible to fake.’  The trail then continues to a front company in Belize, finally ending up in Ukraine.

The evidence clearly points to Ukraine

The Russian server is registered under the name Dataflow, a company whose website is only available in Russian. The company itself, however, is registered at a mail address in Belize. This address also appears in the Panama Papers. It houses a number of other front companies, such as the trust office Alpha Offshore.

Despite the fact that the RIPE owner data have been wiped, anonymized or linked to the mailbox in Belize, the evidence clearly points to Ukraine. It seems that Dataflow operates out of this country. ‘The servers and IP addresses definitely belong to Dataflow,’ De Groot says. ‘The company seems to operate out of Ukraine. Older files point to a small village close to Kiev, the Ukrainian capital. Another clue is the fact that Dataflow’s customer service Skype account shows Ukraine as its location. The Dataflow network also connects to the internet via two other networks: Telia in Sweden, and RETN in Ukraine.’

It is unknown how much credit card data has been stolen though the Republican web store, but we can make an educated guess. The Archive.org website keeps historical versions of millions of websites; this data shows that the Republican web store has been continuously hacked since March, 2016. De Groot suspects that the website was cracked before that, however. ‘On Traffic Estimates, you can see that the web store has had about 350,000 visitors per month. We don’t know how many visitors actually make a purchase on the store, but let’s say that one percent of visitors bought something: since March, that’s 21 thousand stolen credit card identities. One thing is certain: it’s a large number of credit cards.’

De Groot estimates the total value of the data leaked from the Republican web store to be about 600,000 dollars

The stolen credit card data is sold online — through Gold Bank Cards, for example. On this website, a simple German credit card can be bought for 15 dollars; a Visa Black Card goes for 120 dollars. Assuming an average price of 30 dollars per card, De Groot estimates the total value of the data leaked from the Republican web store to be about 600,000 dollars.

De Groot suspects that the NRSC web store is far from the only one that was hacked. He uses a scanner that can pick up suspicious signals on a global level; so far, De Groot says he has found the malicious code on 5800 websites.

Follow the Money has notified the Republican party of De Groot’s findings and asked for a comment. The party has not responded yet; however, De Groot notified us that the leak seems to have been patched as of this morning (October 6th, 2016).

***** Update October 7; 15:00 hours *****

In spite of repeated requests for comment the National Republican Senate Committee (NRSC) has not responded yet. Press agency Reuters reported about Follow The Money's story. NRSC did respond to questions asked by Reuters. Spokeswoman Andrea Bozek acknowledged that it had been targeted by a "skimming operation" and that the NRSC took down the website on Thursday because of that.