An explosive whistleblower disclosure has thrust the Department of Government Efficiency (DOGE) into the center of one of the most alarming U.S. government cybersecurity controversies in recent memory. According to a meticulously documented report by Daniel Berulis, an experienced DevSecOps Architect with the National Labor Relations Board (NLRB), DOGE—established under the Trump administration and led by Elon Musk—allegedly orchestrated, facilitated, and concealed a major data breach at the NLRB in early March 2025. This incident not only exposed sensitive labor and personal data, but highlighted profound risks associated with highly privileged, opaque access to critical government systems. The full breadth of the allegations, corroborated by NPR and major security journalists, as well as the subsequent political and legal fallout, is still unfolding, but the implications for federal data integrity and democratic oversight are already being fiercely debated.
Whistleblower Disclosure: A Chronology of Escalating Red Flags
Daniel Berulis’s account emerges not as an isolated complaint, but a carefully constructed chronology, replete with internal records, technical log excerpts, and corroborating testimony from other officials. Delivered to Congress and the U.S. Office of Special Counsel via Whistleblower Aid on April 14, Berulis’s signed declaration outlines a rapid sequence of events—beginning the first week of March—when DOGE engineers arrived at NLRB headquarters with extraordinary, and as he argues, unjustifiable demands.
The NLRB is the federal agency responsible for investigating unfair labor practices. It routinely handles deeply confidential information: not only details about ongoing unionization efforts and internal company processes, but also volumes of employee personally identifiable information (PII) and proprietary business intelligence. Such data is strictly protected under the Privacy Act, and is central to both labor rights and corporate strategy disputes.
It is reported that DOGE personnel required “tenant owner level” accounts within the NLRB’s Microsoft Azure cloud environment. According to Berulis, this would amount to “god-tier” access across the entire cloud infrastructure—unrestricted, and profoundly outside the normal operational needs of any external team. He notes that instructions were relayed to NLRB staff “that there were to be no logs or records made of the accounts created for DOGE employees,” and that other IT staff were told to “stay out of DOGE’s way entirely, and assist them when they asked.” As Berulis told NPR, “That was a huge red flag… It violates every core concept of security and best practice.”
The Breach: Outbound Traffic Spikes and Vanishing Logs
Following DOGE’s acquisition of top-level access, Berulis and his team soon documented highly suspicious technical anomalies. Between 3 and 4 a.m. EST on March 4th and 5th, monitoring tools reportedly observed an abrupt spike of outbound data traffic. An initial estimate—attributed to security analyst Brian Krebs—puts the volume at roughly 10 gigabytes, largely unencrypted text files. Berulis feared, and later confirmed, that this exfiltrated data potentially included sensitive union information, ongoing litigation documents, and significant volumes of PII.
Alarmingly, the ability to trace or analyze this disappearance was hampered, as outbound traffic logs were found missing or disabled. The primary account responsible had already been deleted. Moreover, essential security controls had been altered: multi-factor authentication (MFA) for mobile devices was disabled in Azure Purview, internal alerts were switched off, and foundational conditional access policies were changed without documentation or approval.
Further scrutiny uncovered that monitoring tools, such as Azure’s network watcher, were left inactive or misconfigured during the critical window. Unexpected and unexplained spikes in Azure billing, correlated with storage IO operations, hinted at both the deletion and manipulation of resources in the wake of the breach. Specialists familiar with cloud security describe this as textbook anti-forensics: deliberate efforts to erase footprints and hinder post-incident investigation.
Toolkits of Obfuscation and Intrusion
Among the most concerning findings was Berulis’s identification of advanced technical tools deployed by DOGE engineers. Through both manual investigation and automated threat hunting, it was discovered that:
- A Docker container—an isolated execution environment, ideal for running covert scripts—was deployed inside the NLRB’s cloud.
- At least three external GitHub libraries, unused in standard NLRB operations, were imported using PowerShell scripts invoked with the “-noprofile” flag. This flag suppresses user configuration files and is a known technique for evading detection in PowerShell forensics.
- According to KrebsOnSecurity, one of these libraries, linked to DOGE employee Marko Elez, was specifically designed to generate large pools of IP addresses, a classic tool for activities such as web scraping, brute forcing, or obfuscation.
- Other observed tools included “requests-ip-rotator” and “browserless,” both recognized as mechanisms for evading tracking during automated data extraction or account probing.
Initially, Berulis considered whether anomalies could be attributed to the NLRB’s internal development teams. Subsequent checks, however, disproved this theory, tightening the focus on the DOGE team’s intentions and activities.
International Intrigue: Russian Login Attempts and “Riding Coattails”
Compounding technical concerns were alarming geopolitical implications. Around March 11, Berulis and colleagues detected login attempts from a Russian IP address (83.149.30.186, traced to Primorskiy Krai) targeting at least one newly-provisioned DOGE administrator account. These attempts, identified as using valid credentials but failing due only to the NLRB’s strict foreign login blocking, occurred within 15 minutes of account creation.
Further investigation uncovered additional suspicious administrator accounts, provisioned with nonstandard, easily-overlooked names—such as “Whitesox, Chicago M.” and “Dancehall, Jamaica R.” This practice, noted by former FBI cyber official Russ Handorf in interviews with NPR, reflects a broader pattern in which attackers may “ride the coattails of authorized access,” using legitimate, but excessive, credentials as ideal cover for lateral movement and secondary breaches.
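The two indicators described above, a sign-in attempt from a disallowed location minutes after an administrator account is created, and accounts that are created and then deleted before anyone can review them, are both straightforward to detect when audit and sign-in logs exist. The following is an added example written for this article, not code from the original piece or from any NLRB or DOGE system; the event records are constructed, and the field names (ts, op, user, role, ip, country, reason) are assumptions that mirror the general shape of cloud audit and sign-in log exports rather than any vendor's exact schema.

```python
"""Correlate account-creation events with sign-in attempts that arrive
from a disallowed location shortly afterwards, and flag accounts that
are deleted soon after being created.

Added example, not code from the original article or from any NLRB or
DOGE system. The event records are constructed, and the field names
(ts, op, user, role, ip, country, reason) are assumptions that mirror
the general shape of cloud audit and sign-in log exports."""

from datetime import datetime, timedelta

# Constructed sample events (not real logs). Country "ZZ" stands for any
# location outside the allow-list; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation address ranges.
EVENTS = [
    {"ts": "2025-03-11T02:10:00Z", "op": "user_created", "user": "admin-tmp-03",
     "role": "Global Administrator", "actor": "svc-provision"},
    {"ts": "2025-03-11T02:22:00Z", "op": "signin_failed", "user": "admin-tmp-03",
     "ip": "203.0.113.7", "country": "ZZ", "reason": "blocked_by_location_policy"},
    {"ts": "2025-03-11T08:00:00Z", "op": "signin_ok", "user": "admin-tmp-03",
     "ip": "198.51.100.4", "country": "US", "reason": ""},
    {"ts": "2025-03-12T01:00:00Z", "op": "user_deleted", "user": "admin-tmp-03",
     "actor": "svc-provision"},
    {"ts": "2025-03-11T09:00:00Z", "op": "user_created", "user": "analyst-07",
     "role": "Reader", "actor": "hr-onboarding"},
    {"ts": "2025-03-11T09:30:00Z", "op": "signin_ok", "user": "analyst-07",
     "ip": "198.51.100.9", "country": "US", "reason": ""},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def creation_times(events):
    """Map each user to the timestamp of its creation event."""
    return {e["user"]: parse_ts(e["ts"]) for e in events if e["op"] == "user_created"}


def find_coattail_attempts(events, window_minutes=15, allowed_countries=("US",)):
    """Flag sign-in attempts (successful or not) from outside the allow-list
    that occur within `window_minutes` of the target account's creation.

    An attempt from a disallowed location minutes after an account exists
    means the credentials were known outside the provisioning process,
    whether or not a location policy blocked the attempt."""
    created = creation_times(events)
    findings = []
    for e in events:
        if not e["op"].startswith("signin_") or e.get("country") in allowed_countries:
            continue
        born = created.get(e["user"])
        if born is None:
            continue
        delta = parse_ts(e["ts"]) - born
        if timedelta(0) <= delta <= timedelta(minutes=window_minutes):
            findings.append({
                "user": e["user"],
                "minutes_after_creation": int(delta.total_seconds() // 60),
                "ip": e["ip"],
                "country": e["country"],
                "blocked": e["op"] == "signin_failed",
            })
    return findings


def find_short_lived_accounts(events, max_hours=48):
    """Return users created and then deleted within `max_hours`; a rapid
    create-and-delete cycle removes the account before a reviewer can ask
    who requested it and what it was used for."""
    created = creation_times(events)
    short_lived = []
    for e in events:
        if e["op"] != "user_deleted" or e["user"] not in created:
            continue
        age = parse_ts(e["ts"]) - created[e["user"]]
        if timedelta(0) <= age <= timedelta(hours=max_hours):
            short_lived.append(e["user"])
    return short_lived


if __name__ == "__main__":
    for f in find_coattail_attempts(EVENTS):
        print("sign-in from disallowed location shortly after creation:", f)
    print("short-lived accounts:", find_short_lived_accounts(EVENTS))
```

Both checks depend on the creation event being present; if account provisioning is deliberately kept out of the audit log, the correlation silently yields nothing, which is itself a reason to alert on any sign-in for a user with no recorded creation event.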
Suppression, Stonewalling, and Physical Intimidation
Berulis’s efforts to escalate the situation within NLRB leadership met resistance and, ultimately, chilling forms of intimidation. After initial reporting to CIO Prem Aburvasamy prompted the formation of an internal risk leadership group, a preliminary consensus was reached by late March to report the events to US-CERT, the federal cyber incident response team. Yet, on April 3-4, new instructions arrived: not only to halt reporting to US-CERT, but to cease all efforts to document or escalate the incident officially.
Days later, Berulis discovered a note taped to his residence door. The note, detailed by his attorney Andrew Bakaj, included drone-captured images of Berulis and explicit references to his attempts at disclosure—a naked act of physical intimidation. Such tactics, he feared, “signal a deliberate intent to suppress evidence, and to instill fear in those attempting to uphold federal accountability.”
DOGE’s Broader Operations: Widespread Overreach and Security Weaknesses
The NLRB breach, while among the most dramatic, is portrayed by experts as symptomatic of broader, systemic issues with DOGE’s operational philosophy throughout 2025. Since its formation, DOGE has, by multiple independent accounts, aggressively pursued privileged access to critical federal data repositories, including Treasury payment backends and the Office of Personnel Management’s (OPM) personnel records.
Some reports suggest DOGE teams leveraged AI-driven monitoring tools to surveil federal employees, and collaborated with data analytics contractor Palantir on a proposed Internal Revenue Service “mega API” project—a system purportedly integrating Palantir’s Foundry platform. These efforts coincided with a marked weakening of the Cybersecurity and Infrastructure Security Agency (CISA), including high-profile staff departures and abrupt role reductions.
Berulis’s claims echo persistent criticisms, voiced by security experts like Bruce Schneier, that DOGE’s methods—demanding “god-tier” access, disabling logging and audit trails, and resisting external review—amount to a “national cyberattack vector by policy.” Erie Meyer, former CTO of the Consumer Financial Protection Bureau, stated bluntly to NPR that the NLRB events mirrored patterns she personally witnessed during cross-agency DOGE interventions.
The Fallout: Legal, Political, and Ethical Consequences
The ramifications of the alleged NLRB breach extend far beyond technical damage. Labor law experts warn that confidential data released from NLRB systems could irreparably harm union organizing, expose witnesses to retaliation, and enable widespread corporate espionage. Richard Griffin, a former NLRB General Counsel, told NPR, “None of that confidential and deliberative information should ever leave the agency.” Sharon Block, Harvard Law’s labor policy director, flagged the egregious conflict of interest: “If [Elon Musk] really did get everything, then he has information about the cases the government is building against him,” referring to concurrent NLRB litigation against SpaceX.
Initially, the NLRB denied both that DOGE had been granted access and that a breach took place. However, shortly after NPR’s exposé, further reporting indicated that DOGE representatives met with NLRB leadership again on April 16, and internal emails acknowledged compliance with DOGE requests for access.
Officially, the White House maintained that DOGE’s actions were conducted transparently. Nonetheless, Congressional scrutiny quickly intensified. House Oversight Committee members—including Reps. Gerald Connolly and Lori Trahan—formally questioned NLRB Chairman Lauren McFerran, highlighting possible violations of the Privacy Act and the Federal Information Security Modernization Act (FISMA). Under FISMA, agencies must notify Congress within seven days of discovering a major security incident; it is currently unclear whether this statute was fulfilled.
Cross-Referencing the Technical Claims
A review of open-source intelligence and cloud security guides confirms the extraordinary power of Azure tenant owner accounts: they possess unfettered administrative control, comparable to being a “superroot” across an enterprise’s entire virtual infrastructure. Security best practices, as laid out in Microsoft’s official hardening guides and endorsed by organizations such as NIST, universally prohibit the creation of unlogged, high-privilege admin accounts, and especially the willful suppression of log creation.
Multi-factor authentication (MFA), often considered a cornerstone of modern access security, is similarly regarded as essential. Disabling MFA on critical accounts—especially in combination with disabling logs and conditional access—is recognized by leading experts as a catastrophic security misstep, if not outright malfeasance.
KrebsOnSecurity, whose reporting is cited in Berulis’s account, corroborates multiple technical anomalies: the use of external libraries for IP rotation, rapid account creation and deletion, and outbound transfer of large data volumes at anomalous hours. NPR’s extensive interviews with both former government officials and independent security experts further validate the whistleblower’s account.
Assessing the Risks: Systemic Weaknesses and the “Insider Attack”
Perhaps the most troubling aspect of the NLRB incident is what it reveals about the vulnerability of federal systems to insider threats and politicized access overreach. As the breach shows, even the most robust technical safeguards can be rendered moot when top-level credentials are provisioned arbitrarily, audit controls are bypassed, and whistleblowers face retaliation.
The risks are compounded by the growing practice, under DOGE and elsewhere, of granting third-party and contracted personnel sweeping access as a shortcut for system modernization or migration. While “tenant owner” and similar roles expedite technical integration projects, they represent an existential risk absent strict independent auditing, transparency, and legislative oversight.
Alternative Narratives and Points of Contention
While the available documentation and testimony from Berulis and corroborating news organizations tilt strongly toward the whistleblower’s version of events, it is important to note that DOGE and the NLRB’s official statements contest both the scale and significance of the breach. The White House calls DOGE’s actions “transparent and in line with modernization goals.” However, the timing of internal email confirmations, as well as the pattern of suppressed investigations and intimidation, cast considerable doubt on the full candor of official responses.
It remains possible that certain NLRB systems were slated for urgent technical review or migration, a context sometimes used to justify broad access grants. Yet all credible cybersecurity frameworks require that even emergency access be both logged and time-limited, and never structured to evade audit. The pattern of deleted accounts, missing logs, and external threat artifacts (such as the Russian login attempts) is difficult to reconcile with routine IT operations.
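The rule stated above, that emergency or migration access must be logged and time-limited, can be turned into a routine check over the tenant's privileged role assignments. The following is an added example for this article, not code from the original piece, from Microsoft's tooling, or from any agency; the assignment and audit records are constructed, and the field names (principal, role, scope, start, end, ticket, op) are assumed shapes rather than any real API's schema. It goes slightly beyond the article by also requiring a change-ticket reference, which is how most organisations tie an emergency grant to a documented approval.

```python
"""Check privileged role assignments against the rule that emergency or
project access must be logged, ticketed and time-limited.

Added example, not code from the original article or from Microsoft's
or any agency's tooling. The records are constructed, and the field
names (principal, role, scope, start, end, ticket, op) are assumed
shapes, not a real API's schema."""

from datetime import datetime, timedelta

# Roles treated as privileged for this check (assumed set; adjust to the
# role names your platform actually uses).
PRIVILEGED_ROLES = {"Owner", "Global Administrator", "User Access Administrator"}

# Constructed assignments (not real data).
ASSIGNMENTS = [
    # Permanent, unticketed tenant-wide Owner with no audit record of the grant.
    {"principal": "vendor-eng-01", "role": "Owner", "scope": "/",
     "start": "2025-03-03T09:00:00Z", "end": None, "ticket": None},
    # Break-glass grant that follows the rule: ticketed, four hours, logged.
    {"principal": "oncall-breakglass", "role": "Owner", "scope": "/subscriptions/prod",
     "start": "2025-03-03T14:00:00Z", "end": "2025-03-03T18:00:00Z", "ticket": "CHG-1042"},
    # Ticketed and logged, but three days is far beyond an emergency window.
    {"principal": "migration-admin", "role": "Global Administrator", "scope": "/",
     "start": "2025-03-01T00:00:00Z", "end": "2025-03-04T00:00:00Z", "ticket": "CHG-0991"},
    # Non-privileged role: out of scope for this check.
    {"principal": "analyst-07", "role": "Reader", "scope": "/subscriptions/prod",
     "start": "2025-03-01T00:00:00Z", "end": None, "ticket": None},
]

# Constructed audit log: only two of the three privileged grants were recorded.
AUDIT = [
    {"op": "role_assigned", "principal": "oncall-breakglass",
     "role": "Owner", "ts": "2025-03-03T14:00:05Z"},
    {"op": "role_assigned", "principal": "migration-admin",
     "role": "Global Administrator", "ts": "2025-03-01T00:00:09Z"},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_privileged_access(assignments, audit, max_hours=8):
    """Return {principal: [reasons]} for every privileged assignment that
    violates the logged / ticketed / time-limited rule.

    max_hours is the longest a single emergency grant may last; standing
    (never-expiring) privileged access is always reported."""
    logged = {(a["principal"], a["role"]) for a in audit if a["op"] == "role_assigned"}
    findings = {}
    for a in assignments:
        if a["role"] not in PRIVILEGED_ROLES:
            continue
        reasons = []
        if a["end"] is None:
            reasons.append("no expiry (standing privileged access)")
        else:
            duration = parse_ts(a["end"]) - parse_ts(a["start"])
            if duration > timedelta(hours=max_hours):
                reasons.append(f"duration {duration} exceeds {max_hours}h limit")
        if not a["ticket"]:
            reasons.append("no change ticket or approval reference")
        if (a["principal"], a["role"]) not in logged:
            reasons.append("no audit record of the assignment")
        if reasons:
            findings[a["principal"]] = reasons
    return findings


if __name__ == "__main__":
    for principal, reasons in audit_privileged_access(ASSIGNMENTS, AUDIT).items():
        print(principal)
        for r in reasons:
            print("  -", r)
```

The third check is the one the article's account makes important: an assignment that exists in the tenant but has no corresponding audit event is either the product of log suppression or of a grant made through a path that bypasses normal auditing, and either case warrants investigation regardless of who holds the role.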
Critical Analysis: Strengths, Weaknesses, and Lessons for Federal Cybersecurity
The NLRB case offers a vivid, real-world test of several debated principles in government cybersecurity management:
Strengths and Areas of Vigilance:
- Berulis’s methodical documentation, use of established whistleblower channels, and technical expertise lend the account significant credibility.
- Responsive investigation from third-party journalists, corroborated by technical telemetry and former law enforcement, underscores the seriousness of the allegations.
- The actions of certain NLRB officials, who initially formed a risk committee and flagged the breach for US-CERT reporting, demonstrate a vital chain of operational vigilance.
- The ability of DOGE to obtain and wield “tenant owner” access outside regular procedures, combined with instructions to disable logging, points to a profound governance breakdown.
- Suppression of reporting to federal cyber authorities, combined with intimidation of the whistleblower, implies a systemic inability to self-correct or remain accountable under stress.
- The technical sophistication of the breach (e.g., use of ephemeral containers, external IP rotation libraries, and one-time access tokens) highlights the need for continuous, independent security assessment—not ad hoc, permission-driven audits.
- The incident casts urgent light on the need for legislative and judicial review of emergency access practices in federal IT.
- It calls into question whether any modernization effort—even those touted as AI-enabled or “efficiency-driven”—can be justified at the cost of systemic transparency and durable oversight.
- The targeting of a labor rights agency by a group led by a high-profile, interested party (Musk, whose SpaceX was under NLRB scrutiny) underscores the irreplaceable role of conflict-of-interest checks.
Conclusion: Transparency as the First Line of Defense
The NLRB data breach, as described and verified through whistleblower testimony and independent journalism, stands as a wake-up call for the United States’ approach to modernizing—and securing—federal information systems. No set of technical achievements or modernization gains can justify a model predicated on secretive, unaccountable access and deliberate record suppression. As this incident continues to ripple through Congressional investigations and broader security policymaking, it remains a stark lesson: transparency and robust oversight are the first and last line of defense against both technical and institutional threats.
Readers concerned with the integrity of their data, the future of digital labor rights, and the promise of secure government technology should follow this developing story closely. The stakes, reaching from individual privacy to the legitimacy of public institutions, could not be higher.
Source: WinBuzzer, “Whistleblower Says DOGE Facilitated NLRB Data Breach, Covered Tracks”