User with Russian IP address tried to log into NLRB systems following DOGE access, whistleblower says

A user with a Russian IP address tried to log into National Labor Relations Board systems just minutes after the Department of Government Efficiency moved to access and extract troves of sensitive data from inside the agency, according to an extensive whistleblower disclosure released Tuesday.

The whistleblower, Daniel Berulis, provided forensic evidence and internal documentation to Congress and the U.S. Office of Special Counsel, accusing DOGE of exfiltrating large volumes of confidential data and disabling various security monitoring systems used to scan for malicious behavior in NLRB’s networks, NPR first reported.

The user attempting to log in relied on a newly created DOGE email account and the attempts were “near real-time,” according to the Berulis disclosure. It’s not clear whether the user was actually in Russia because hackers often use techniques to remotely mask their true location.

The login attempts were blocked, but the person used a correct username and password, suggesting that adversaries may already be testing entry points potentially exposed by DOGE’s activities across the government.

The whistleblower’s disclosure was accompanied by a cover letter from his attorney, Andrew Bakaj of Whistleblower Aid, which said that, after he raised concerns internally about DOGE’s inroads into the agency, he received a physically taped threat on his door containing personal information and overhead photos of him walking his dog.

A DOGE spokesperson did not immediately return a request for comment. DOGE, overseen by Elon Musk, is not an official government agency and was stood up as a reworking of the U.S. Digital Service at the start of the Trump administration to eliminate perceived federal spending waste.

The accusations from Berulis are not an isolated incident, NPR reported, citing an aide for the Democratic minority on the House Oversight Committee who said the panel is “in possession of multiple verifiable reports showing that DOGE has exfiltrated sensitive government data across agencies” for reasons that are unknown. 

“This case has been particularly sensitive as it involves the possibility of sophisticated foreign intelligence gaining access to sensitive government systems, which is why we went to the Senate Intelligence Committee directly,” said Bakaj. Spokespeople for Sens. Tom Cotton, R-Ark. and Mark Warner, D-Va., the top lawmakers on the Senate panel, did not immediately return requests for comment.

The disclosures underscore the breadth of DOGE’s expansion across the federal landscape, and follow mounting legal challenges over its sweeping access to Americans’ financial and personal data. How that data is being protected, processed or used remains unclear.

Broader security and privacy concerns about DOGE have been compounded by the cost-cutting entity’s access to highly sensitive labor information and the potential conflict of interest posed by Elon Musk’s dual role in government and as chief of companies under active NLRB investigation, including SpaceX and Tesla. NLRB’s case systems contain data like union organizing activities, employee whistleblower identities, legal strategies and proprietary business information.

The whistleblower claims DOGE engineers used secretive and suspicious methods to pull sensitive information from the NLRB’s systems. They shut off security tools that track activity, deleted evidence of what they accessed and used software that made their work nearly invisible, Berulis alleged in filings.

A big spike in data leaving the agency followed, possibly through a technique that hides stolen data in normal-looking internet traffic, according to the disclosures. One engineer also appeared to be working on a tool designed to pull files from the agency’s internal case system. Security experts told NPR those tactics resemble the playbook of foreign hackers and not federal workers.