Whistleblower: Musk’s “DOGE” Team Hijacked NLRB Systems, Extracted Case Files, Then Vanished
Whistleblower: Musk’s “DOGE” Team Hijacked NLRB Systems, Extracted Case Files, Then Vanished
A federal security architect at the National Labor Relations Board is accusing a covert agency linked to Elon Musk of siphoning out sensitive case data under the guise of government operations. In a whistleblower complaint filed April 14 with the Senate Intelligence Committee, 38-year-old Daniel J. Berulis alleges that members of Musk’s Department of Government Efficiency, or DOGE, orchestrated an intrusion into NLRB systems in early March using short-lived super-admin accounts that left little trace behind.
The complaint, first obtained by NPR, describes a rapid chain of events that began March 3 when a black SUV with police escort dropped off DOGE staff at the NLRB’s D.C. headquarters. Berulis says they bypassed IT entirely, meeting privately with leadership. Afterward, the agency’s acting chief information officer instructed Berulis and his team to violate standard operating procedures and provision new “tenant admin” accounts for DOGE—accounts that had unrestricted access and were explicitly exempt from logging mechanisms that normally record every action.
According to Berulis, the DOGE accounts could view, copy, and alter all information stored across NLRB databases, including the NxGen case management system, which houses information about union efforts, legal disputes, and sensitive corporate data. The accounts also had permission to suppress or delete system logs, reroute traffic, and prevent internal detection—privileges beyond what even Berulis or his supervisor possessed. When he raised concerns, he was told there would be no discussion and no audit trails.
Berulis noticed that one of the DOGE accounts spun up a virtual container immediately after creation—something never used at the NLRB before. Within 24 hours, he observed a massive spike in outbound data traffic between 3 and 4 a.m. on March 4. He and his colleagues later determined that approximately 10 gigabytes of data had been pulled from NxGen and exported externally, though due to permission restrictions they were unable to identify the files or destination. Berulis noted that the data may have been compressed before transmission, meaning the breach could be larger than it appears. Outbound data spikes of that size, he said, are practically nonexistent under normal operations.
What followed made the breach feel less like a government oversight and more like a coordinated operation. Within minutes of new DOGE accounts being created, over twenty login attempts from a Russian IP address—83.149.30.186—hit the system, each using valid credentials. Berulis said the attempts were blocked only because of a policy that rejects logins from outside the U.S., but the fact that someone had the correct usernames and passwords within minutes was alarming. One of the cloud accounts used during this time, [email protected], was deleted shortly after. Others used strange aliases not aligned with agency naming structures, including “Whitesox, Chicago M.” and “Dancehall, Jamaica R.”
By March 5, portions of the network logs had vanished and Microsoft Azure’s Network Watcher had been turned off entirely. Around the same time, three external GitHub libraries were downloaded onto NLRB systems—none of which were used by agency staff or contractors. One contained a script designed to rotate traffic through a pool of IP addresses for scraping and brute-force attacks. Berulis found the libraries had a readme explicitly describing their use for generating “pseudo-infinite IPs.”
As the days passed, it became clear to Berulis that NLRB no longer had the internal access to investigate. On March 17, the agency’s associate chief information officer reportedly agreed that the issue should be referred to US-CERT, the federal cyber incident response team. But two weeks later, Berulis says they were informed by higher-ups to
cancel the report, stop the investigation, and refrain from creating any official record.
That’s when Berulis decided to go public. He shared screenshots with KrebsOnSecurity showing email discussions about the DOGE account activity, Microsoft security alerts that coincided with the data exfiltration timeline, and the names of suspicious accounts created during the breach. One message, sent on April 14—the day NPR published its first story—announced that administrative privileges for all IT staff were revoked. Berulis said this effectively paralyzed the agency’s entire IT department. On April 16, another internal email from NLRB director Lasharn Hamilton claimed the agency had no prior “official” contact with DOGE but confirmed two DOGE
personnel would now be working on-site part-time for several months.
In the background, the NLRB remains politically fragile. A series of high-profile lawsuits from Musk’s SpaceX and Amazon argue the agency is unconstitutional, and the board has operated without a quorum since Trump fired several members. On March 5—the same day DOGE created its first container—an appeals court unanimously rejected Musk’s challenge to the agency’s legal structure.
Berulis said he was in the process of filing a support ticket with Microsoft to gather more data when his access was abruptly revoked. He believes Microsoft holds critical evidence that could reveal the full extent of what DOGE did and where the data went. He’s now asking lawmakers to subpoena Microsoft directly. “That would give us way more insight,” he said. “They can see what we can’t.”
Things escalated again on April 7. As Berulis and his legal team were finalizing the complaint, a threatening note appeared taped to the front of his home. It referenced the very disclosure he was preparing and included drone photos of him walking in his neighborhood. His attorney, Andrew P. Bakaj, told lawmakers the threat likely came from someone with direct access to NLRB internal systems.
Despite this, Berulis says the support he’s received from colleagues and the public has outweighed the risks. “I didn’t expec
t the letter on my door or the pushback from leadership,” he said. “If I had to do it over, would I do it again? Yes, because it wasn’t even a choice the first time.”
For now, Berulis is on paid family leave from the agency. He says that’s for the best. With DOGE in control, IT staff have been stripped of the tools they need. “They came in and took everything. We can’t do our jobs. We’re literally getting paid to count ceiling tiles.”
If you need cybersecurity, we offer security for both personal/family computers as well as businesses. You can get started here!
Related Posts
North Korea’s Hidden Remote Job Infiltration
North Korea’s Hidden Remote Job Infiltration The Day the FBI Came Knocking Imagine answering your…
Nuclear Access Through a Microsoft Hole
Nuclear Access Through a Microsoft Hole The agency that manages America’s nuclear weapons got breached…
Infostealer Malware Dump Exposes Billions of Logins
Infostealer Malware Dump Exposes Billions of Logins A massive data leak has just surfaced online,…
Massive Data Leak Exposes 184 Million Passwords from Major Platforms and Government Accounts
Massive Data Leak Exposes 184 Million Passwords from Major Platforms and Government Accounts A massive…
Texas-Based eWorldTrade and Pakistani Partner Abtach Exposed: Massive Scam Network Used Online Ads to Defraud U.S. Consumers
Pakistani Firm Shipped Fentanyl Analogs to US Using Scam Online Ads A Texas firm recently…
AI Voice Cloning Scams: The Threat You Can’t Ignore
AI Voice Cloning Scams: The Threat You Can’t Ignore Voice cloning scams are becoming a…