Have the DOGE TraitorTots Helped Russia Start a Cyberwar?
A security architect for the federal government has submitted a convincing formal complaint to Congress that suggests, "Maybe so."
Trigger warnings: A few expletives.
A whistleblower from the National Labor Relations Board (NLRB) has evidence that the United States is now vulnerable to a Russian cyber attack as a direct result of DOGE activities.
More than that, according to the whistleblower, who I’ll call Dan, numerous attempts may have already been made from inside Russia to log in to NLRB cloud servers using valid credentials shortly after DOGE was granted access to the top layers of the NLRB computer systems.
In other words, someone in Russia may now have all the user names and passwords they needed to claw their way into part of the American government’s computer network infrastructure.
Dan is the whistleblower’s real name. He doesn’t hide his full name from view in formal complaint documents he sent to the Senate,[1] specifically Tom Cotton, Chairman, Senate Select Committee on Intelligence, and Mark Warner, Vice-Chairman, Senate Select Committee on Intelligence. But I’ll keep calling him Dan to limit the ease of publicizing this brave soul’s name, even though it’s easy enough to find.[2]
Dan is a security architect with two decades of experience working with enterprise-level systems. In the commercial world, think of the largest companies in the world and their various public-facing systems, such as websites, point-of-sale, or inventory management systems, and you get the idea of the kinds of stuff he’s worked with, only his experience is in the world of the federal government.[3]
The whistleblower complaint he filed with Congress is not a random missive from a disgruntled federal employee. The complaint was jointly developed by Compass Rose Legal Group, PLLC,[4] and the legal team at a nonprofit group called Whistleblower Aid.[5] It is a formal legal document that will soon be part of the public record.
The legal document’s introductory summary opens with the following ominous paragraph, saying that Dan…
…is coming forward today because of his concern that recent activity by members of the Department of Government Efficiency (“DOGE”) have resulted in a significant cybersecurity breach that likely has and continues to expose our government to foreign intelligence and our nation’s adversaries.
I need to emphasize this point: Dan has twenty years of experience with internet security systems.
The breach occurred because the DOGE TraitorTots were granted access as tenant owners to NLRB computer systems.
A tenant owner is a computer account that is granted permission to do almost anything it wants within its domain, in this case, a cloud server infrastructure for NLRB called Microsoft Azure.[6] They can add accounts throughout the organization[7] at will. They can change passwords. They can revoke access from other users. They can even devise ways to hide their activities from the few folks who possess more advanced privileges. They can also delete trails of their activity.
There is no reason to give DOGE such advanced access, even if we somehow acknowledge their right to be there in the first place (which we should not). Their “job,” if we must call it that, is to read certain amounts of data related to organizational expenditures and activities, then report on it. DOGE was originally advertised as auditors. Nothing more. Instead, they’re going in with obscene levels of permissions and breaking things and installing malware.
This is a dangerous data breach, made more so because of reports that DOGE has been granted high-level access to other agencies throughout the government, including Treasury.
We’re talking here about a breach that exposes sensitive government data to foreign adversaries. Dan has presented evidence to Congress that the breach has not only already exposed the data, but that foreign actors, including some in Russia, have already acted on this exposure.
The breach is also a separate issue from the previously fairly well-publicized firings of three members of the NLRB board by the mad king, an action which had effectively neutered it because the board now lacks a quorum to handle major claims.
It seems fair for me to conclude that part of the reason Musk and his team of TraitorTots have targeted the NLRB as a staging area for Russian activity is the fact that as a federal agency, it’s essentially crippled. This makes it the perfect playground to, as the F-bombers would say, fuck around.
The only question is why. Musk, unlike Trump, has nothing to gain from a deep relationship with Russia. We’ll have to look beyond his motivations for now and simply explore what Dan found.
I’m going to take you step by step through this breach and try to explain it in a way that makes sense without too much technical jargon. When I was working in the software industry, I worked for major tech companies as a software engineer, but I’ll admit to not being up to snuff on the latest cloud infrastructure tech, because I’ve largely been out of the business for five years aside from fairly routine coding work outside of that domain.
The good part of that is that I’m describing things from that same point of darkness you will be in, with the advantage that I can read Dan’s complaint. The complaint is both a legal and technical jargon-infused document, but I understand what is going on.
The bad part is that I might get a few things slightly wrong. Luckily, Substack has included this cool feature called “Comments,” so if you’re a cloud server security architect and you notice something egregious, let me know. And, as my regular readers know, you don’t need to be a paid subscriber to comment.
The DOGE TraitorTots Invade
Let’s begin our journey with the invasion of NLRB offices by the TraitorTots. “TraitorTots” is a term frequently used by federal employees on Reddit (through r/fednews, mostly) to refer to Elon Musk’s young software minions who form the core of DOGE (also known, absurdly, as the Department of Government Efficiency).
According to the complaint, in early March, a black SUV, apparently containing a small band of TraitorTots, entered the garage of the NLRB offices where Dan worked. The SUV was accompanied by an unidentified police escort. Which agency this police escort represented, and who paid for it, was not named in the complaint.
The DOGE team was likely helmed by Marko Elez,[8] who was briefly shown the DOGE doggy door after some of his racist tweets and other unsavory public statements were publicized,[9] but has since quietly returned as the chief TraitorTot now that the uproar has subsided. However, the specific TraitorTots are unnamed.
As DOGE barged into the offices, one of the NLRB’s Associate Chief Information Officers (ACIO) issued directives that NLRB personnel were to ditch standard operating procedures if DOGE demanded various levels of access to computer systems, which they did.
Dan’s complaint states that DOGE met with a few members of the NLRB staff. Nobody from Information Technology was invited to the brief soiree, however.
The complaint doesn’t list who gave the ACIO the instructions to order his personnel to abandon standard operating procedure, but the intent was to give DOGE full access to the highest level of account manipulation possible. This access was at a higher level than both Dan and his supervisor possessed.
A tenant account, or an account owned by a “tenant owner,” is Microsoft tech jargon for an account that has “unrestricted permission to read, copy, and alter data,” according to the complaint.
The NLRB, like most large-scale software users, has account roles for the stuff DOGE should need for auditing and reporting purposes, which, even if you insist on beating your chest like a gorilla for Trump’s illegal DOGE insertion, is all DOGE should ever require to accomplish its illicit tasks.
If you use a computer at work, you see this concept in action every day. Unless you’re the Chief Information Officer (CIO), or someone similar, you only have access to the parts of your company’s computer network you absolutely need. You can’t create, delete, or modify user accounts. If you did, well, that would be silly.
That’s what Azure and other large-scale cloud computing services do, too, but on a massive scale. If DOGE needs to analyze various metrics, they can be given read-only access to do so. There is no reason to give them access to control user accounts.
Not even Dan, an NLRB security systems architect, has those kinds of powers. Dan, through the complaint, adds that the ACIO impressed upon him that full subservience to DOGE was a sudden, new job requirement:
In the same conversation it was conveyed that we were to hand over any requested accounts, stay out of DOGE’s way entirely, and assist them when they asked. We were further directed not to resist them in any way or deny them any access.
This is similar to instructions that have been given to other agencies.
Anomalies, anomalies!
The next day, Dan, being an inquisitive soul, discovered anomalies. You don’t need to be a tech person to know what an anomaly is in the world of computer systems if you know what the word means.
The anomaly in this case involved a record of container activity. A container in the computer world is a discrete, self-contained package of software that can run, if the creator wishes, anonymously and with little or no trace.
Dan doesn’t describe it as such, but the way he describes this part of the breach reminds me of the old-fashioned Trojan horse malware of yore. This kind of covert malware is installed on a victim’s computer in stealth mode, out of sight to the user, often when they are tricked into opening an email and following a link. The Trojan horse then causes all kinds of mayhem on the user’s computer.
Containers of any kind are not used by the NLRB software system, which is mostly dedicated to the development and maintenance of an internally developed case management database system called NxGen.[10]
Dan says, in this case, the container created a series of access keys for the tenant account. The keys were created in stealth mode. The keys were designed to access storage accounts, but they had fast expiration times, and Dan and his team were unable to fully trace what was going on because much of the associated information disappeared.
Dan writes:
There was a large section of missing records in relation to recently created network resources and a network watcher in Azure was in the “off” state, meaning it wasn’t collecting or recording data like it should have.
Dan then noticed a suspicious network spike of outbound data without any corresponding inbound, a highly unusual occurrence even if the agency was under attack from outside hackers, in which case, there’d be both.
Again, you don’t need any computer expertise to notice that something’s not right in this image of outbound traffic:

This spike was concurrent with the apparent activity of the suspicious containers.
Once again, computer forensics was difficult, and Dan and his growing team of alarmed co-workers were unable to find out much about the cause of this spike.
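The "outbound spike with no matching inbound" check described above can be written as a small detector. This is an added example, not taken from the complaint or from NLRB tooling; it assumes hourly byte totals are available from flow logs or firewall counters, and the sample figures are constructed.

```python
from statistics import median


def robust_z(series, value):
    """Modified z-score: distance from the median in units of scaled MAD.

    Median and MAD are used instead of mean and standard deviation so that
    the spike being hunted does not inflate its own baseline.
    """
    mid = median(series)
    mad = median([abs(v - mid) for v in series]) or 1.0  # avoid divide-by-zero
    return 0.6745 * (value - mid) / mad


def classify_hours(samples, threshold=6.0):
    """samples: list of (hour, inbound_mb, outbound_mb).

    Returns [(hour, kind)] for hours whose outbound volume is anomalous:
      "bidirectional" - inbound is anomalous too (bulk sync, two-way session)
      "egress-only"   - outbound spike with ordinary inbound volume, the
                        pattern the article describes as highly unusual
    """
    inbound = [s[1] for s in samples]
    outbound = [s[2] for s in samples]
    flagged = []
    for hour, in_mb, out_mb in samples:
        if robust_z(outbound, out_mb) <= threshold:
            continue  # outbound volume is within the normal range
        if robust_z(inbound, in_mb) > threshold:
            flagged.append((hour, "bidirectional"))
        else:
            flagged.append((hour, "egress-only"))
    return flagged


# Constructed sample: (hour, inbound MB, outbound MB) for twelve hours.
# Hour 7 carries a one-sided outbound spike; hour 9 spikes in both directions.
CONSTRUCTED_FLOW_TOTALS = [
    (0, 210, 48), (1, 240, 52), (2, 225, 45), (3, 230, 50),
    (4, 250, 55), (5, 215, 47), (6, 235, 51), (7, 228, 9800),
    (8, 220, 49), (9, 3000, 2500), (10, 245, 53), (11, 232, 46),
]

if __name__ == "__main__":
    for hour, kind in classify_hours(CONSTRUCTED_FLOW_TOTALS):
        print(f"hour {hour:02d}: {kind}")
```

A detector like this only works while the flow data is being recorded, which is why a network watcher found in the "off" state matters as much as the spike itself.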
The next day, Dan uncovered a new Microsoft Azure account named DogeSA_2d5c3e0446f9@nlrb.microsoft.com that had its permissions managed strangely, including a lack of normal checks like multi-factor authentication. Multi-factor authentication is when your bank sends you a text message with a number you have to input during your bank login process. I imagine that this was one of Dan’s first clues that security issues were about to become a much bigger part of his life than they already were.
By now, you may already be detecting a pattern.
DOGE rolls into town, demands access to the NLRB’s most important accounts, including a tenant account that allows them to create and modify user names and passwords, and the next day, anomalies begin to pop up that would remind any security-minded computer whiz of a hacker attack.
But so far, that’s all this is. A bit of weirdness, but not enough to make Dan’s hair stand straight up. That comes later.
On March 7, Dan confirmed with the NLRB’s software development staff, the folks who created the NLRB’s home-rolled NxGen database, that they didn’t use containers during their development process. This was an important consideration because it would have helped explain the first anomaly if they had said, “Relax, Dan. We deploy containers for testing new features,” or something like that.
It’s worth noting, too, that generally these kinds of things are cleared with security teams before being used, so Dan was presumably just doing due diligence. He probably already knew there would be no containers originating from the NLRB development staff.
On that same day, another development took place.
Remember when I guessed that Marko Elez was part of the TraitorTot team that invaded the NLRB’s offices? On March 7, Dan discovered, and Krebs On Security has since confirmed, that three separate software hacking utilities written by Elez were downloaded from GitHub (a massive software repository) and used on the NLRB computer systems.[11]
Krebs, a leading journal for digital security experts, found that the downloaded software used by Elez and his TraitorTots was used to enable them to do a wide variety of crazy things after they gained access to the system, including masking, or hiding, IP addresses, and essentially using hacker tools to treat the NLRB systems like a big hacker playground.[12]
The utilities resembled hacker tools in multiple other ways, most importantly in that they contained scripts for performing something the industry calls brute force attacks, which is a continuous process of attempting various password combinations to log into systems. In other words, it was malware written by Elez, and downloaded by his team into the NLRB computer systems on Azure.
Specifically, Dan found a software tool written by Elez based on a four-year-old tool on the publicly available software code repository GitHub. You can find the original tool here. The original tool was designed to get around something called IP-based rate limits through Amazon Web Services.
Sorry, more jargon. Bear with me. This stuff is important.
Most folks aren’t aware that a large percentage of websites are run and maintained on Amazon Web Services (AWS) servers. I wouldn’t be surprised to find out that Substack is one of those. Smaller web hosting services can’t handle heavy loads. Bigger companies use AWS to do that for them. If they don’t use AWS, they probably use one of their competitors, such as Microsoft Azure, which is what the NLRB uses. Azure has been cutting into the AWS market share and is now also a major player in this space.
One reason people like using AWS (or Azure) is that it provides tools to battle attackers. One of those tools is something called an IP-based rate limiter.
IP-based rate limiters restrict the number of requests a specific IP address can make within a set timeframe, typically to prevent excessive traffic. If you’ve ever heard of a DoS (denial-of-service) attack, which is a massive volley of requests made against a server to try to bring its memory capabilities to its knees, you will have an idea what rate limiters are intended to prevent.
This is a simplification, like a lot of the stuff I’m describing, but it’s close enough. It would be a little like if you had a small company with four extensions for your telephone number, and someone called it a million times so that nobody else could get through.
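To make the rate-limiter idea concrete, here is an added example (not code from the post, from Krebs, or from any of the tools mentioned) of a per-IP sliding-window limiter, and of why defenders also limit per account: attempts spread across many source addresses stay under every per-IP limit. The account name, limits and addresses are constructed for illustration.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each key."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._seen = defaultdict(deque)  # key -> timestamps of allowed requests

    def allow(self, key, now):
        stamps = self._seen[key]
        # Forget requests that have aged out of the window.
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()
        if len(stamps) >= self.limit:
            return False
        stamps.append(now)
        return True


def constructed_attempts(count, rotate_ips):
    """Constructed sample: one login attempt per second against one account."""
    attempts = []
    for second in range(count):
        # 198.51.100.0/24 and 203.0.113.0/24 are documentation-only ranges.
        ip = f"198.51.100.{second + 1}" if rotate_ips else "203.0.113.7"
        attempts.append((second, ip, "svc-account"))
    return attempts


def replay(attempts, ip_limit=5, account_limit=None, window=60):
    """Return how many attempts get past the limiters to the login handler."""
    per_ip = SlidingWindowLimiter(ip_limit, window)
    per_account = (
        SlidingWindowLimiter(account_limit, window) if account_limit else None
    )
    passed = 0
    for now, ip, account in attempts:
        if not per_ip.allow(ip, now):
            continue  # this source address has used up its budget
        if per_account and not per_account.allow(account, now):
            continue  # this account has been tried too often, from any address
        passed += 1
    return passed


if __name__ == "__main__":
    one_source = constructed_attempts(40, rotate_ips=False)
    many_sources = constructed_attempts(40, rotate_ips=True)
    print("one IP, per-IP limit only:  ", replay(one_source))
    print("40 IPs, per-IP limit only:  ", replay(many_sources))
    print("40 IPs, plus per-account cap:", replay(many_sources, account_limit=5))
```

The per-account cap is the defensive half of the picture: it counts attempts against the thing being guarded rather than against the address they arrive from.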
The original tool, stored on GitHub, is called requests-ip-rotator, and was written by an open-source developer. Open-source software is free software, usually maintained by hardcore hobbyists, software professionals with side gigs, or even major companies that are simply sharing their work.[13]
The chief TraitorTot, Marko Elez, downloaded the requests-ip-rotator software and adapted it for Azure. This was probably perfectly legal at the time, because most publicly available software on GitHub is licensed so that anyone can modify it and/or extend it.
But if you look at the GitHub page, you’ll see an interesting note (highlighted in yellow by yours truly):
Many utilities like this are created by white hat hackers who are interested in combating the bad guys. I guess this developer is one of those. Hence the warning, which was surely added after Krebs released its findings.
The software utilities that the TraitorTots downloaded were used outside of the NLRB’s normal software build pipeline, which was a fully automated process. What this means is that when a software team develops software, they generally rely on a release team to handle the release process. These release teams are specialists who build tools that allow developers to (I’m simplifying things here for brevity) hit a “build” button or something like it, which then launches a tool (the pipeline) that collects all the necessary files to build and release the software. These kinds of release tools often require little more than filling in a few parameters for the developers who use them.
Are you still with me? Okay, great, but I understand if you’re fading fast. But seriously, try to keep going here. The nation depends on everyone understanding the seriousness of DOGE’s malevolence.
So far, there was still nothing to signify a major breach. It’s safe to assume Dan wasn’t going to run to Congress with his discoveries. They were simply curious developments. But Dan is a security professional. Like a good detective, he was developing a closer interest in the TraitorTots.
DOGE opens up the system to outside hackers
Then, on March 10th, Dan noticed that the software controls for preventing unauthorized access from mobile devices to that all-important tenant account had been disabled.
In addition, someone changed how the system’s multi-factor authentication worked, and even made a user interface that was intended for internal use available to the general public. Dan started tracking sensitive data leaving the servers: Up to 10 Gigabytes of the stuff was making its way off the premises.
Some of the data that was shipped out included, in Dan’s words, “…sensitive information on unions, ongoing legal cases, and corporate secrets,” but nothing DOGE would need to evaluate NLRB efficiencies.
This was turning into a criminal hacking event on a mass scale in the eyes of Dan, our intrepid cybercop and superhero.
It’s one thing when cyberattacks from other countries (Russia is a frequent culprit) harass companies from the outside. It’s another when the leaders of the federal government are handing them the keys for doing it.
But even all of this would probably not yet qualify as something you want to bother busy Senators with. They have big D.C. parties to attend and stock portfolios to maintain, after all.
The cybercop convinces the Chief Information Officer that the threat is real
The CIO responded to Dan’s concerns by putting together a team of about ten IT professionals to continually monitor the situation and meet about it every Friday.
The Russians are coming, the Russians are coming!
The next alarm was raised when Dan and his team discovered that a successful login, with valid credentials, was made from a Russian Internet IP address (83.149.30.186).
It’s important to note here that this access wasn’t gained as a result of a brute force attack. Whoever was at the Russian address had the correct login information.
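The distinction drawn above, a guessed password versus a first-try login with valid credentials, is one a sign-in log can show. The following is an added example, not part of the complaint or of any Azure tooling: the record layout, account names, thresholds and the placeholder country code "ZZ" are all assumptions, and the events are constructed.

```python
from collections import defaultdict, deque


def triage_signins(events, expected_countries, window=600, guess_threshold=10):
    """events: (timestamp, account, source_ip, country, success) tuples.

    Returns [(account, source_ip, finding)] for successful sign-ins that
    deserve a second look:
      "success-after-guessing" - the success follows a burst of failures
          against the same account (from any address) inside `window` seconds
      "valid-credentials-unexpected-location" - no guessing beforehand, but
          the sign-in comes from a country the organization does not expect
    """
    findings = []
    recent_failures = defaultdict(deque)  # account -> failure timestamps
    for ts, account, ip, country, success in sorted(events):
        failures = recent_failures[account]
        while failures and ts - failures[0] > window:
            failures.popleft()
        if not success:
            failures.append(ts)
            continue
        if len(failures) >= guess_threshold:
            findings.append((account, ip, "success-after-guessing"))
        elif country not in expected_countries:
            findings.append(
                (account, ip, "valid-credentials-unexpected-location")
            )
        failures.clear()  # a success resets the failure streak
    return findings


def constructed_events():
    """Constructed sign-in records using documentation-only IP ranges."""
    events = []
    # alice: twelve failures in a minute, then a success (guessing pattern).
    for i in range(12):
        events.append((1000 + 5 * i, "alice", "203.0.113.5", "US", False))
    events.append((1060, "alice", "203.0.113.5", "US", True))
    # bob: one mistyped password, then a normal sign-in.
    events.append((2000, "bob", "192.0.2.10", "US", False))
    events.append((2010, "bob", "192.0.2.10", "US", True))
    # svc-reporting: first-try success from an unexpected country ("ZZ").
    events.append((3000, "svc-reporting", "198.51.100.20", "ZZ", True))
    return events


if __name__ == "__main__":
    for finding in triage_signins(constructed_events(), {"US"}):
        print(finding)
```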
I don’t think you need to be a security architect to understand the evolution of this pattern: DOGE installs malware, spits out a bunch of data to Russia, and the Russians poke around with authenticated accounts. Allegedly. I’ll emphasize “allegedly” so that if Kash Patel decides to toss me into an El Salvadoran concentration camp for publicizing Dan’s work, I sort of have a bit of what is left of our legal protections.
The software engineer in me senses that what is going on here is that the NLRB computer systems are being used as a test bed for a much larger operation.
The aftermath of the report
So far, the aftermath has been negligible, but still a little scary. On April 7, while the complaint to Congress was being prepared, an unknown individual attached threatening materials to Dan’s door. The materials included a threatening note and drone photographs of Dan walking through his neighborhood. The harassment is a violation of federal law.[14]
Dan’s complaint requested that…
…both law enforcement agencies and Congress initiate an immediate investigation into the cybersecurity breach and data exfiltration at NLRB and any other agencies where DOGE has accessed internal systems.
“Exfiltration” is tech-speak that refers to any kind of unauthorized transfer of data outside of a computer system or network.
Take action now
You know those disaster flicks where everything goes dark before all the bad shit happens? This is very possibly your future if you don’t take action immediately. Contact your local congress critter now and demand that Congress act on this report before it’s too late.
Urge them to establish this as a criminal case. Time is of the essence.
Restack this like your life depends on it, because it might.
Notes
(follow/subscribe to him) may also be interested in helping urge congress critters to urgently follow up on this report.
I’ve never been a conspiracy monger, although I do enjoy tall tales. When Robert Mueller outlined a pretty convincing argument and web of intrigue, I still stubbornly resisted. I was able to understand Trump’s motivations: Maybe Putin had something on him. But all the rest? What was in it for them? The web included dozens of people who would have had to participate. It didn’t make sense to me.
Naïve, perhaps, even as tempting trinkets of evidence continued to roll in.
With the latest pile of evidence against the Trump regime, including the betrayal of Ukraine, it’s getting harder to deny the Russian connection. Today, the motivations of even Trump don’t make sense. Even if Putin has something on him, why would Trump care? His worst-case scenario if his betrayal/treason is discovered is that he’d have to invent a lie. It’s not like his indefatigable MAGA shock troops won’t believe anything he tells them.
In a previous article, I said that DOGE couldn’t do much damage if we could stop them in time.[15]
Time’s up.
Thanks for reading!
Footnotes
[1] Formal complaint (PDF) sent via WhistleblowerAid: “Report Government and Corporate Lawbreaking. Without Breaking the Law.” n.d. Accessed May 6, 2025. https://whistlebloweraid.org/wp-content/uploads/2025/04/2025_0414_Berulis-Disclosure-with-Exhibits.s.pdf.
[2] The idea here is to keep the lazy, beer-drinking but heavily armed MAGA incels away from his door. There isn’t much he can do to keep more sophisticated enemies away than what he has already done.
[3] I don’t know if all his experience is with the government. He may have corporate experience, too.
[4] “Compass Rose Legal Group, PLLC.” 2016. Compass Rose Legal Group, PLLC. 2016. https://compassrosepllc.com/.
[5] “Empowering Whistleblowers to Change the World.” 2025. Whistleblower Aid. March 28, 2025. https://whistlebloweraid.org/.
[6] “Cloud Computing Services | Microsoft Azure.” 2024. Microsoft.com. 2024. https://azure.microsoft.com/en-us/.
[7] Not throughout the entire federal government, just the accounts of the NLRB. But reports have flooded in ever since Musk started jumping around with his kid that DOGE has been granted similar rights throughout the government, including the Treasury Department, and, if the Supreme Court lets them, Social Security.
[8] You can find code he has written here, on GitHub. “Markoelez - Overview.” 2025. GitHub. 2025. https://github.com/markoelez.
[9] According to Krebs: “A key DOGE staff member who gained access to the Treasury Department’s central payments system, Elez has worked for a number of Musk companies, including X, SpaceX, and xAI. Elez was among the first DOGE employees to face public scrutiny, after The Wall Street Journal linked him to social media posts that advocated racism and eugenics.
“During Elez’s initial stint at Treasury, he violated the agency’s information security policies by sending a spreadsheet containing names and payments information to officials at the General Services Administration,” Politico wrote, citing court filings.”
“DOGE Worker’s Code Supports NLRB Whistleblower – Krebs on Security.” 2025. Krebsonsecurity.com. April 23, 2025. https://krebsonsecurity.com/2025/04/doge-workers-code-supports-nlrb-whistleblower/.
[10] “Open Government | National Labor Relations Board.” 2023. Nlrb.gov. 2023. https://www.nlrb.gov/open. (Note: Government URLs often disappear/break during MadKing 2.0).
[11] ibid, Krebs
[12] ibid, Krebs
[13] An example of a major company making software available to the public is Meta, home of Facebook, which maintains a comprehensive software library dedicated to its AI efforts. For example, here: https://github.com/meta-llama/llama-cookbook
[14] The complaint points out the following:
This conduct is a violation of 18 U.S.C. § 1512, Tampering with a witness, victim, or an informant.
Furthermore, because my client is a lawful whistleblower and a prospective congressional witness, any threats to influence, obstruct, or impede my client’s cooperation is a violation of 18 U.S.C. § 1505, Obstruction of proceedings before departments, agencies, and committees. Finally, reprisal against my client for this disclosure and cooperating with an investigation or inquiry would be a violation of 18 U.S.C. § 1513, Retaliating against a witness, victim, or an informant and 5 U.S.C. § 2302, Prohibited personnel practices.
“The materials included a threatening note and drone photographs of Dan walking through his neighborhood.”
Holy shit. I didn’t hear about this. I think you’re right about the NLRB systems being a test for something bigger. It wouldn’t be at the top of my list of organizations to hit if I was so inclined.
Thanks for dumbing down the jargon for us technologically challenged folks.
My god this is terrible!! I had made a complaint a couple months ago with our AG Frey, for identity theft regarding DOGE and their access. I’m sure this puts me on some kind of list but there is not much else I can do, I’m physically unable to do much, like often I need to be driven to Dr appointments by my son. I make calls to Collins and King regularly. King answers and gives a response but Collins never (except in the very beginning when I was worried about my SSDI check coming) she sent me a letter asking for all kinds of permissions to access my medical records and more. My therapist and psychiatrist told me not to fill it out (I wasn’t going to either). The whole thing alarmed me. That was the beginning of February. Life has gotten more difficult with my last parent dying and some awful medical problems with myself. I’ve been calling and making complaints about everything. Almost daily if I can manage. I even was calling the day after I had to get most of my teeth removed.
I’ll show this to my son. He knows about computers. Myself pretty computer illiterate. We were talking about computers and nature last night. How his knowledge is different than mine, not about the breach in this article. He would definitely understand better than myself.