I published a follow-up on NPR's scoop last week about a whistleblower at the National Labor Relations Board (NLRB), who alleges DOGE created super admin accounts (w/ no logging) at NLRB and transferred ~10GB worth of data from the agency's case files.

The story includes an interview with the whistleblower -- NLRB security architect Daniel Berulis -- and examines the technical claims in his report to lawmakers. He's taking some paid leave for now, noting that the same day the NPR story ran, the NLRB removed administrative rights for its IT staff and almost everyone else at the agency.

The backstory is that both Amazon and Musk’s SpaceX have been suing the NLRB over complaints the agency filed in disputes about workers’ rights and union organizing, arguing that the NLRB’s very existence is unconstitutional. On March 5, a U.S. appeals court unanimously rejected Musk’s claim that the NLRB’s structure somehow violates the Constitution.

Here's the lede:

"A security architect with the National Labor Relations Board (NLRB) alleges that employees from Elon Musk‘s Department of Government Efficiency (DOGE) transferred gigabytes of sensitive data from agency case files in early March, using short-lived accounts configured to leave few traces of network activity. The NLRB whistleblower said the unusual large data outflows coincided with multiple blocked login attempts from an Internet address in Russia that tried to use valid credentials for a newly-created DOGE user account."

https://krebsonsecurity.com/2025/04/whistleblower-doge-siphoned-nlrb-case-data/

Okay this is really interesting. The NLRB whistleblower Daniel Berulis told me that he found the DOGE accounts had downloaded three different code libraries from GitHub that none of their IT people or contractors used or knew about. One of them, Berulis said, had in its "README" file a description that said the software was designed as "a proxy to generate pseudo-infinite IPs for web scraping and brute forcing."

One of the core DOGE employees is Marko Elez, and Elez's GitHub page has a very interesting code repository: async-ip-rotator, created in January 2025.

https://github.com/markoelez/async-ip-rotator

Checking the history of this code, Elez's profile says it was forked from this

https://github.com/Ge0rg3/requests-ip-rotator, which says in its description:

"A Python library to utilize AWS API Gateway's large IP pool as a proxy to generate pseudo-infinite IPs for web scraping and brute forcing."

"This library will allow the user to bypass IP-based rate-limits for sites and services."

Gee, I wonder which DOGE employee was in the NLRB in early March?

@briankrebs FWIW, he also has an RCE project (https://github.com/markoelez/remote-exec), and an iOS exploit injector (https://github.com/markoelez/syringe). Not really concerning on their own, but given that he has shown intent...

@nonlinear @briankrebs GitHub activity:
5 commits in January
0 in February
1 commit in March
...
107 contributions in private repositories, Apr 12 – Apr 22 🤔

February 9: 5 ssh keys
April 23: 6 ssh keys
...generally means 6 devices with push/pull access. I hope all 6 keys are safe...

@generalx @nonlinear @briankrebs we never ask the cursed questions…