Democratic lawmakers are calling for an investigation after a tech staffer at the US National Labor Relations Board (NLRB) blew the whistle on the cost-trimming DOGE’s activities at the employment watchdog – which the staffer claims included being granted superuser status in contravention of standard operating procedures, exfiltrating data, and seemingly leaking credentials to someone with a Russian IP address.

The claims above were made by Dan Berulis, an NLRB DevSecOps architect and client of nonprofit Whistleblower Aid, in a disclosure document [PDF] to Congress that details his observations of what apparently happened when DOGE arrived at the labor watchdog.

According to Berulis’ disclosure, DOGE operatives arrived at the agency on March 3 in a black SUV that enjoyed a police escort. The same day, he claims, an agency assistant chief information officer (ACIO) told him that DOGE aides would be given accounts “with essentially unrestricted permission to read, copy, and alter data.” Creation of such accounts was not standard operating procedure, but the ACIO said those rules must be ignored and the opening of the accounts was not to be logged.

Berulis’s document points out that not even his CIO enjoyed the level of access given to DOGE unit operatives, and that the NLRB already had auditor accounts set up that provided enough privileges to check data without being able to edit, copy, or remove it. The “suggestion that they use these accounts instead was not open to discussion,” he wrote.

“In the same conversation it was conveyed that we were to hand over any requested accounts, stay out of DOGE’s way entirely, and assist them when they asked,” he recounted.

Within days, Berulis says, he began to notice worrying signs, such as alerting and monitoring tools being switched off and changes to multi-factor authentication.

He also observed “gigabytes” of data “exiting” a case management application called NxGen over the network, and claimed he later saw 10 GB of data exfiltrated from the agency. He described that latter exfiltration as a “similar spike” to the movement of data from the application and feels whatever happened was noteworthy as NLRB almost never moves information outside the org.

“It is unclear which files were copied and removed, and I’ve tried multiple routes to prove this was not an exfiltration event but none have yielded fruit,” he wrote.

He talked to his CIO, who set up meetings and created an internal task force to examine the possibility of an insider threat. Those meetings are ongoing.

The Russian connection

On March 11, while examining logs, Berulis says he noticed a huge spike in outside login attempts being blocked – in particular one with an IP address that has the Primorskiy Krai region in Russia’s Far East listed as its location.

The person was trying to log into an account that had been set up for one of the DOGE aides, Berulis claimed. The login attempts started within 15 minutes of the account being established, and used the correct username and password, he told Congress. The login attempts were blocked because the agency does not allow access to its systems from overseas.

Berulis tried to investigate the oddities he observed after DOGE arrived, and said he found “misconfigured or missing tools” made it impossible to analyze outgoing traffic.

The NLRB team decided to contact the United States Computer Emergency Readiness Team (US-CERT), an outfit that works to investigate suspicious activity in government systems to safeguard security.

“Between April 3-4, 2025, [assistant CIO] of security and I were informed that instructions had come down to drop the US-CERT reporting and investigation and we were directed not to move forward or create an official report,” Berulis’s document recounts.

At this point he decided to blow the whistle.

The denial twist

Before Berulis’s whistleblower document was publicly shared, an NLRB spokesperson denied that DOGE had access to the agency’s network. After Berulis went public, the agency changed its tune and confirmed it did have DOGE workers in the house.

Democratic lawmakers are now stomping their feet.

“I write regarding developments that DOGE employees may be engaged in technological malfeasance and illegal activity at the National Labor Relations Board and the Department of Labor (DOL),” wrote House Representative Gerald Connolly (D-VA) in a letter [PDF] to the inspector generals of both agencies.

“Individuals associated with DOGE have attempted to exfiltrate and alter data while also using high-level systems access to remove sensitive information—quite possibly including corporate secrets and details of union activities. I also understand that these individuals have attempted to conceal their activities, obstruct oversight, and shield themselves from accountability.”

Connolly also cites an obvious conflict of interest for SpaceX oligarch and Tesla tycoon Elon Musk who, while technically not the head of DOGE, is certainly its overseer as President Trump’s eminence grease.

“Mr Musk’s companies face a series of enforcement actions from NLRB and DOL [the Department of Labor], creating an inherent conflict of interest for him to direct any work at either agency – let alone benefit from stolen nonpublic information,” the House Dem wrote.

Let’s talk about Elon

Musk has a history of conflicts with the labor agency.

SpaceX and Tesla are involved in a legal attempt to eliminate the NLRB on the grounds that it’s allegedly unconstitutional. In the case of SpaceX, the agency gets in the way of Musk’s desire to fire staff who disagree with the noted fee-speech advocate. So far, judges are less than impressed with such arguments.

Tesla is also having words with the NLRB after the company fired workers at its Buffalo, New York, gigafactory in 2023, the day after they announced plans to form a union. The NLRB also ruled against Tesla in 2021 after the billionaire threatened staff with the loss of their stock options if they tried to unionize, as is their right.

We’re sure Elon would never hold a grudge. He seems like such an easy-going chap. ®