{"id":3485,"date":"2025-04-24T03:00:08","date_gmt":"2025-04-24T03:00:08","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/04\/24\/doge-workers-code-supports-nlrb-whistleblower\/"},"modified":"2025-04-24T03:00:08","modified_gmt":"2025-04-24T03:00:08","slug":"doge-workers-code-supports-nlrb-whistleblower","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/04\/24\/doge-workers-code-supports-nlrb-whistleblower\/","title":{"rendered":"DOGE Worker\u2019s Code Supports NLRB Whistleblower"},"content":{"rendered":"<p>DOGE Worker\u2019s Code Supports NLRB Whistleblower<\/p>\n<div>\n<p>A whistleblower at the <strong>National Labor Relations Board<\/strong> (NLRB) alleged last week that denizens of Elon Musk\u2019s <strong>Department of Government Efficiency<\/strong> (DOGE) siphoned gigabytes of data from the agency\u2019s sensitive case files in early March. The whistleblower said accounts created for DOGE at the NLRB downloaded three code repositories from <strong>GitHub<\/strong>. 
Further investigation into one of those code bundles shows it is remarkably similar to a program published in January 2025 by <strong>Marko Elez<\/strong>, a 25-year-old DOGE employee who has worked at a number of Musk\u2019s companies.<\/p>\n<div id=\"attachment_71090\" style=\"width: 758px\" class=\"wp-caption aligncenter\">\n<a href=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/04\/db-powershellcmds.png?ssl=1\" target=\"_blank\" rel=\"noopener\"><img data-recalc-dims=\"1\" loading=\"lazy\" aria-describedby=\"caption-attachment-71090\" decoding=\"async\" class=\"wp-image-71090\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/04\/db-powershellcmds.png?resize=748%2C323&#038;ssl=1\" alt=\"\" width=\"748\" height=\"323\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/04\/db-powershellcmds.png 1287w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/04\/db-powershellcmds-768x331.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/04\/db-powershellcmds-782x337.png 782w\" sizes=\"(max-width: 748px) 100vw, 748px\"><\/a><\/p>\n<p id=\"caption-attachment-71090\" class=\"wp-caption-text\">A screenshot shared by NLRB whistleblower Daniel Berulis shows three downloads from GitHub.<\/p>\n<\/div>\n<p>According to <a href=\"https:\/\/krebsonsecurity.com\/2025\/04\/whistleblower-doge-siphoned-nlrb-case-data\/\" target=\"_blank\" rel=\"noopener\">a whistleblower complaint<\/a> filed last week by\u00a0<strong>Daniel J. 
Berulis<\/strong>, a 38-year-old security architect at the NLRB, officials from DOGE met with NLRB leaders on March 3 and demanded the creation of several\u00a0all-powerful \u201ctenant admin\u201d accounts that were to be exempted from network logging activity that would otherwise keep a detailed record of all actions taken by those accounts.<\/p>\n<p>Berulis said the new DOGE accounts had unrestricted permission to read, copy, and alter information contained in NLRB databases. The new accounts also could restrict log visibility, delay retention, route logs elsewhere, or even remove them entirely \u2014 top-tier user privileges that neither Berulis nor his boss possessed.<\/p>\n<p>Berulis said he discovered one of the DOGE accounts had downloaded three external code libraries from <strong>GitHub<\/strong> that neither NLRB nor its contractors ever used. A \u201creadme\u201d file in one of the code bundles explained it was created to rotate connections through a large pool of cloud Internet addresses that serve \u201c<em>as a proxy to generate pseudo-infinite IPs for web scraping and brute forcing<\/em>.\u201d Brute force attacks involve automated login attempts that try many credential combinations in rapid sequence.<\/p>\n<p>A search on that description in Google brings up a code repository at GitHub for a user with the account name \u201c<strong>Ge0rg3<\/strong>\u201d who published a program roughly four years ago called \u201c<a href=\"https:\/\/github.com\/Ge0rg3\/requests-ip-rotator\" target=\"_blank\" rel=\"noopener\">requests-ip-rotator<\/a>,\u201d described as a library that will allow the user \u201cto bypass IP-based rate-limits for sites and services.\u201d<\/p>\n<div id=\"attachment_71091\" style=\"width: 759px\" class=\"wp-caption aligncenter\">\n<img data-recalc-dims=\"1\" aria-describedby=\"caption-attachment-71091\" decoding=\"async\" loading=\"lazy\" class=\" wp-image-71091\" 
src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/04\/ge0rge-gh.png?resize=749%2C543&#038;ssl=1\" alt=\"\" width=\"749\" height=\"543\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/04\/ge0rge-gh.png 1171w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/04\/ge0rge-gh-768x557.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/04\/ge0rge-gh-782x568.png 782w\" sizes=\"(max-width: 749px) 100vw, 749px\"><\/p>\n<p id=\"caption-attachment-71091\" class=\"wp-caption-text\">The README file from the GitHub user Ge0rg3\u2019s page for requests-ip-rotator includes the exact wording of a program the whistleblower said was downloaded by one of the DOGE users. Marko Elez created an offshoot of this program in January 2025.<\/p>\n<\/div>\n<p>\u201cA Python library to utilize AWS API Gateway\u2019s large IP pool as a proxy to generate pseudo-infinite IPs for web scraping and brute forcing,\u201d the description reads.<\/p>\n<p>Ge0rg3\u2019s code is \u201copen source,\u201d in that anyone can copy it and reuse it non-commercially. 
As it happens, there is a newer version of this project that was derived or \u201cforked\u201d from Ge0rg3\u2019s code \u2014 called \u201c<a href=\"https:\/\/github.com\/markoelez\/async-ip-rotator\/blob\/master\/README.md\" target=\"_blank\" rel=\"noopener\">async-ip-rotator<\/a>\u201d \u2014 and it was committed to GitHub in January 2025 by DOGE captain <a href=\"https:\/\/github.com\/markoelez\" target=\"_blank\" rel=\"noopener\">Marko Elez<\/a>.<\/p>\n<div id=\"attachment_71085\" style=\"width: 760px\" class=\"wp-caption aligncenter\">\n<a href=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/04\/melez-gh.png?ssl=1\" target=\"_blank\" rel=\"noopener\"><img data-recalc-dims=\"1\" aria-describedby=\"caption-attachment-71085\" decoding=\"async\" loading=\"lazy\" class=\"wp-image-71085\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/04\/melez-gh.png?resize=750%2C492&#038;ssl=1\" alt=\"\" width=\"750\" height=\"492\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/04\/melez-gh.png 1150w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/04\/melez-gh-768x504.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/04\/melez-gh-782x513.png 782w\" sizes=\"(max-width: 750px) 100vw, 750px\"><\/a><\/p>\n<p id=\"caption-attachment-71085\" class=\"wp-caption-text\">The whistleblower stated that one of the GitHub files downloaded by the DOGE employees who transferred sensitive files from an NLRB case database was an archive whose README file read: \u201cPython library to utilize AWS API Gateway\u2019s large IP pool as a proxy to generate pseudo-infinite IPs for web scraping and brute forcing.\u201d Elez\u2019s code pictured here was forked in January 2025 from a code library that shares the same description.<\/p>\n<\/div>\n<p>A key DOGE staff member who gained access to the Treasury Department\u2019s central payments system, Elez has worked for a number of Musk companies, including 
<strong>X<\/strong>, <strong>SpaceX<\/strong>, and <strong>xAI<\/strong>. Elez was among the first DOGE employees to face public scrutiny, after <strong>The Wall Street Journal<\/strong> <a href=\"https:\/\/www.wsj.com\/tech\/doge-staffer-resigns-over-racist-posts-d9f11a93\" target=\"_blank\" rel=\"noopener\">linked him to social media posts<\/a> that advocated racism and eugenics.<\/p>\n<p>Elez resigned after that brief scandal, but was rehired after President Donald Trump and Vice President JD Vance expressed support for him. <strong>Politico<\/strong> <a href=\"https:\/\/www.politico.com\/news\/2025\/03\/29\/doge-marco-elez-software-engineer-us-payroll-00259303\" target=\"_blank\" rel=\"noopener\">reports<\/a> Elez is now a <strong>Labor Department<\/strong> aide detailed to multiple agencies, including the <strong>Department of Health and Human Services<\/strong>.<\/p>\n<p>\u201cDuring Elez\u2019s initial stint at Treasury, he violated the agency\u2019s information security policies by sending a spreadsheet containing names and payments information to officials at the General Services Administration,\u201d Politico wrote, citing court filings.<\/p>\n<p>KrebsOnSecurity sought comment from both the NLRB and DOGE, and will update this story if either responds.<span id=\"more-71075\"><\/span><\/p>\n<p>The NLRB has been effectively hobbled since <strong>President Trump<\/strong> fired three board members, leaving the agency without the quorum it needs to function. Both\u00a0<strong>Amazon<\/strong>\u00a0and Musk\u2019s\u00a0<strong>SpaceX<\/strong>\u00a0have\u00a0<a href=\"https:\/\/apnews.com\/article\/amazon-nlrb-unconstitutional-spacex-elon-musk-ab42977117d883e97110a7bf8e8b257f\" target=\"_blank\" rel=\"noopener\">been suing<\/a>\u00a0the NLRB over complaints the agency filed in disputes about workers\u2019 rights and union organizing, arguing that the NLRB\u2019s very existence is unconstitutional. On March 5, a U.S. 
appeals court\u00a0<a href=\"https:\/\/www.reuters.com\/legal\/government\/musks-spacex-loses-early-legal-challenge-us-labor-boards-powers-2025-03-05\/\" target=\"_blank\" rel=\"noopener\">unanimously rejected<\/a>\u00a0Musk\u2019s claim that the NLRB\u2019s structure somehow violates the Constitution.<\/p>\n<p>Berulis\u2019s complaint alleges the DOGE accounts at NLRB downloaded more than 10 gigabytes of data from the agency\u2019s case files, a database that includes reams of sensitive records including information about employees who want to form unions and proprietary business documents. Berulis said he went public after higher-ups at the agency told him not to report the matter to the US-CERT, as they\u2019d previously agreed.<\/p>\n<p>Berulis told KrebsOnSecurity he worried the unauthorized data transfer by DOGE could unfairly advantage defendants in a number of ongoing labor disputes before the agency.<\/p>\n<p>\u201cIf any company got the case data that would be an unfair advantage,\u201d Berulis said. 
\u201cThey could identify and fire employees and union organizers without saying why.\u201d<\/p>\n<div id=\"attachment_71106\" style=\"width: 454px\" class=\"wp-caption aligncenter\">\n<img data-recalc-dims=\"1\" aria-describedby=\"caption-attachment-71106\" decoding=\"async\" loading=\"lazy\" class=\"size-full wp-image-71106\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/04\/markoelez.png?resize=444%2C515&#038;ssl=1\" alt=\"\" width=\"444\" height=\"515\"><\/p>\n<p id=\"caption-attachment-71106\" class=\"wp-caption-text\">Marko Elez, in a photo from a social media profile.<\/p>\n<\/div>\n<p>Berulis said the other two GitHub archives that DOGE employees downloaded to NLRB systems included <strong>Integuru<\/strong>, a software framework designed to reverse engineer application programming interfaces (APIs) that websites use to fetch data; and a \u201cheadless\u201d browser called <strong>Browserless<\/strong>, which is made for automating web-based tasks that require a pool of browsers, such as web scraping and automated testing.<\/p>\n<p>On February 6, someone <a href=\"https:\/\/web.archive.org\/web\/20250423135719\/https:\/\/github.com\/markoelez\/async-ip-rotator\/issues\/1\" target=\"_blank\" rel=\"noopener\">posted a lengthy and detailed critique<\/a> of Elez\u2019s code on the GitHub \u201cissues\u201d page for async-ip-rotator, calling it \u201cinsecure, unscalable and a fundamental engineering failure.\u201d<\/p>\n<p>\u201cIf this were a side project, it would just be bad code,\u201d the reviewer wrote. \u201cBut if this is representative of how you build production systems, then there are much larger concerns. 
This implementation is fundamentally broken, and if anything similar to this is deployed in an environment handling sensitive data, it should be audited immediately.\u201d<\/p>\n<p>Further reading:\u00a0<a href=\"https:\/\/whistlebloweraid.org\/wp-content\/uploads\/2025\/04\/2025_0414_Berulis-Disclosure-with-Exhibits.s.pdf\" target=\"_blank\" rel=\"noopener\">Berulis\u2019s complaint<\/a>\u00a0(PDF).<\/p>\n<p><strong>Update 7:06 p.m. ET<\/strong>: Elez\u2019s code repo was deleted after this story was published. An archived version of it <a href=\"https:\/\/github.com\/ricci\/async-ip-rotator\" target=\"_blank\" rel=\"noopener\">is here<\/a>.<\/p>\n<\/div>\n<p>BrianKrebs<br \/>\n<a href=\"https:\/\/krebsonsecurity.com\/2025\/04\/doge-workers-code-supports-nlrb-whistleblower\/\">Go to krebsonsecurity<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>DOGE Worker\u2019s Code Supports NLRB Whistleblower A whistleblower at the National Labor Relations Board (NLRB) alleged last week that denizens of Elon Musk\u2019s Department of Government Efficiency (DOGE) siphoned gigabytes of data from the agency\u2019s sensitive case files in early March. 
The whistleblower said accounts created for DOGE at the NLRB downloaded three code repositories [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[188,1174,1175,1165,813,1176,747,1177,899,1178,55,1179,1180,1181,1182,207,1142],"tags":[72],"class_list":["post-3485","post","type-post","status-publish","format-standard","hentry","category-a-little-sunshine","category-async-ip-rotator","category-browserless","category-daniel-j-berulis","category-department-of-government-efficiency","category-department-of-health-and-human-services","category-doge","category-ge0rg3","category-github","category-integuru","category-krebsonsecurity","category-labor-department","category-marko-elez","category-national-labor-relations-board","category-politico","category-the-coming-storm","category-the-wall-street-journal","tag-krebsonsecurity"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/3485"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=3485"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/3485\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=3485"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=3485"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=3485"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}