The Department Of Government [Data] Exfiltration?

NLRB building sign with 'HACKED' stamp on top

On April 14, 2025, Daniel Berulis, a DevSecOps Architect at the National Labor Relations Board (NLRB), filed a whistleblower disclosure to several members of Congress. The disclosure alleges that the Department of Government Efficiency appears to have facilitated a significant cybersecurity breach that exposed sensitive government data, potentially to foreign entities including Russia.

Berulis isn't some random IT guy with a conspiracy theory. He's a seasoned professional with nearly two decades of experience who previously held a Top Secret security clearance with access to Sensitive Compartmented Information. In other words, this is someone who knows what they're talking about when they say "holy 💩, someone's stealing our data."

According to Berulis' declaration, in late February 2025, DOGE personnel arrived at NLRB offices with a police escort. Instead of following standard security protocols, they demanded the highest level access possible to NLRB systems — what's called "tenant owner" access. This is essentially the digital equivalent of handing someone not just the keys to your house, but also the deed, your banking information, and permission to add their name to all your accounts.

Here's where it gets properly nightmarish. Shortly after DOGE created these accounts, Berulis observed login attempts from Russia using these exact credentials. Yes, Russia. The login attempts were blocked by existing geographic security policies, but the fact they happened at all — and with the correct credentials — should have triggered every alarm in Washington.

Berulis also documented large spikes in outbound data traffic — graphs showing what appears to be approximately 10 gigabytes of data being exfiltrated (covertly whisked away) from NLRB systems. For context, that's roughly equivalent to stealing an entire encyclopedia set's worth of government information.

The Cover-Up

If stealing sensitive government data wasn't concerning enough, Berulis found evidence suggesting someone deliberately disabled monitoring tools, erased logs, and took other steps to hide their activities. These actions mirror what security professionals call "indicators of compromise" — telltale signs of attackers trying to conceal their tracks.

When Berulis and his team attempted to investigate, they discovered network monitoring systems had been switched off, connection logs were missing, and various security tools had been misconfigured or disabled. This isn't accidental. It's like a burglar not just stealing your valuables but also erasing your security camera footage, removing their fingerprints, and sweeping away their footprints.

By late March, the Associate Chief Information Officer (ACIO) of Security concluded this warranted reporting to US-CERT, the government's cybersecurity response team. But here's the plot twist — between April 3-4, instructions suddenly came down to drop the investigation and not file an official report. That's like finding evidence of a crime, preparing to call the police, and then your boss telling you to just forget about it.

The Intimidation

As if all this wasn't disturbing enough, on April 7, 2025, while Berulis was preparing his disclosure, someone physically taped a threatening note to his home door, accompanied by drone-taken photographs of him walking in his neighborhood. The note explicitly referenced the disclosure he was preparing.

Let that sink in.

Someone knew what Berulis was doing, found his home address, surveilled him using a drone, and delivered a physical threat to intimidate him. This isn't just digital crime anymore — it's stepped into the real world with targeted intimidation of a federal employee.

Why This Matters

This disclosure raises critical questions about government oversight, cybersecurity, and whistleblower protection. The data potentially compromised could include personally identifiable information protected under the Privacy Act, confidential business information, and data related to ongoing legal cases before the NLRB.

The alleged actions would violate multiple federal laws, including the Federal Information Security Modernization Act (FISMA) and guidelines from the Cybersecurity and Infrastructure Security Agency (CISA). The intimidation of Berulis potentially violates laws against witness tampering and obstruction of proceedings.

What's Being Done?

Berulis, represented by Whistleblower Aid and Compass Rose Legal Group, has requested that Congress and law enforcement agencies launch an immediate investigation into both the cybersecurity breach and the intimidation incident.

As this story develops, the key questions remain: Who authorized DOGE to access these systems without proper security protocols? Where did the exfiltrated data go? Who attempted to log in from Russia? And who physically threatened a federal employee to try to silence him?