This Is What a Cover-Up Looks Like

May 4, 2026 By HWB Huxley
The Working Hypothesis
No Completed US-CERT Report or Restored NLRB Logs for March 2025 Window by 2028
Executive Summary

Part two: NLRB whistleblower Daniel Berulis’s court-filed account of March 2025—disabled logs, exfiltrated case data, a dropped US-CERT request—and what it means when the tools that document harm are the first things turned off.

Part two of a three-part series.

March 3, 2025. A black SUV with a police escort pulled into the garage at the National Labor Relations Board’s Washington headquarters, according to a court-filed whistleblower declaration by NLRB IT staffer Daniel Berulis. The visitors did not introduce themselves to front-line IT staff. They went to leadership and demanded tenant-level administrative access to every system in the building—access Berulis later swore exceeded what his own chief information officer held, with exemptions from normal logging.

The NLRB already maintained auditor-style accounts designed for oversight visits: enough visibility to examine data without wholesale copy privileges. Berulis swore that the suggestion to use them was not open for discussion.

He did what security staff do when something is wrong. He watched.


What he saw

Internal alerting tools were disabled—not by accident, Berulis swore. Multi-factor authentication was turned off. An interface normally kept off the public internet was exposed. Controls blocking insecure mobile devices were removed. High-privilege accounts appeared under generic labels (“NLRB Admin”) that practitioners treat as a red flag because they obscure attribution.

Then data moved. Berulis tracked roughly ten gigabytes leaving the NLRB’s NxGen case-management system—union identities, confidential employer material, material labor-law experts told NPR should almost never leave the agency. He then saw a second spike: outbound traffic leaving the agency network itself—what he described as extremely unusual because raw database exports rarely traverse that path.

On March 11, his logs showed login attempts from an IP address in Russia’s Primorsky Krai region against an account created for a DOGE engineer—correct username and password, blocked only because the NLRB forbids overseas logins. Many attempts landed within fifteen minutes of account creation.

Separately, reporting tied a DOGE engineer’s public GitHub account to a repository named NxGenBdoorExtract—“NxGen” matches the NLRB system; “BdoorExtract” reads like backdoor extraction. House Oversight Democrats later asked Microsoft to preserve that repository and related access logs.

When Berulis went looking for logs from the spike window, he swore they were gone—not corrupted for the whole archive, missing for that interval alone.


What cybersecurity professionals said about it

Jake Braun, a former White House cyber official, told NPR that without the backstory, “any [chief information security officer] worth his salt would look at network activity like this and assume it’s a nation-state attack from China or Russia.”

It was not China or Russia—at least not in the sense of a foreign intelligence operation attributed as such. It was people with building badges and system owners who had turned off the lights.

Erie Meyer, who resigned from the Consumer Financial Protection Bureau in February 2025 after DOGE teams entered the agency, told NPR that DOGE granted itself “God-tier” access, disabled auditing and event logs, put insider-threat staff on administrative leave, and stonewalled an internal after-action review.

Same access posture. Same logging disabled. Same obstruction afterward—different agency, same playbook.

The working hypothesis: The sequence Berulis swore to—logging turned off, data moved, logs deleted, US-CERT reporting ordered dropped—is not what “reckless but innocent” usually leaves behind. Reckless actors trip alarms and generate messy evidence. The pattern here is consistent with people who understood what the logs would prove and ensured those logs would not survive intact.


The US-CERT filing that never happened

NLRB · March–April 2025 · Sworn disclosure narrative

  1. Week of Mar 24: ACIO of Security concludes US-CERT engagement warranted — formal review launched; evidence packaged for interagency response team (US-CERT / CISA pathway).

  2. Apr 3–4: Stand-down: instructions received to drop US-CERT reporting and investigation — no official report filed, per declaration.

  3. Downstream: Without that artifact, the rest of government lacks the normalized incident record Congress built FISMA/CISA processes to produce — leaving reconstruction to leaks and litigation fragments.

Not a chart of policy preference — a diagram of where the federal incident-handoff chain is supposed to convert suspicion into a durable file.

By late March 2025, NLRB security leadership concluded the episode met the bar for a US-CERT engagement—the CISA team agencies use after serious incidents. Berulis swore that between April 3 and April 4, 2025, instructions came down to drop the US-CERT reporting: close the investigation, file nothing.

No public US-CERT report followed from that sequence.

The NLRB initially denied DOGE had network access; after Berulis filed his disclosure, the agency acknowledged DOGE’s presence. The gap between denial and acknowledgment is where the missing logs live.

On April 7, 2025, someone taped a threatening note to Berulis’s door—photographs taken by a drone of him walking his dog, referencing the disclosure he was preparing. His attorney discussed the incident publicly.

He filed anyway.


This pattern has a name

At SSA, DOGE-linked personnel used environments not approved for holding SSA records, moved restricted datasets, and—per the government’s own January 2026 court correction—still could not verify what left or what persists.

At the CFPB, Meyer’s account matches the NLRB facts on logging and insider-threat teams (NPR). Congressional oversight letters in spring 2025 put similar questions to DOL and NLRB inspectors general about DOGE access paths (House Oversight Democrats).

SSA whistleblower filings and agency risk memos warned that copying massive extracts into environments without independent controls could produce catastrophic-scale harm if compromised—language from formal complaints, not a tidy percentage you can put in a headline.

If a foreign service ran this playbook across agencies—privileged access, monitoring disabled, logs gone, formal incident reporting stopped—the United States would call it espionage tradecraft. Berulis’s point in his sworn statement is blunter: the hallmarks match covert data extraction and record destruction.

White House credentials do not rewrite what disappeared from the disk.


What this means for you

The NLRB’s case files are not abstract rows in a database. They hold the identities of workers who filed confidential complaints, corporate secrets disclosed under seal, and organizer names people were told would stay inside a statutory process.

If adverse parties ever obtained that material, using it would violate labor law in obvious ways—and also be hard to prove once the evidentiary trail Berulis described is gone.

This installment is not about partisan taste. It is about whether people who trusted a federal process can trust that their filings stayed inside it.

That is the bridge to part three: once the logs are gone, “who meant well” stops being the operative question.


What would change my mind

  1. A sworn, technically detailed explanation—accepted by CISA or an Article III finder of fact—for why disabling audit logs and deleting access records served a legitimate, documented operational need across independent agencies without coordinated concealment.

  2. Chain-of-custody documentation showing the US-CERT stand-down between April 3 and April 4, 2025 reflected a legal bar on reporting that applied equally to comparable incidents—not political pressure to close a file.

  3. An independent forensic audit naming what data left NLRB, SSA, and CFPB systems in the contested windows, where copies landed, and how destruction or retention was verified.


Related: Your Data Left the Building — part one: SSA’s court admissions and why chain-of-custody gaps change who gets a letter.

Related: It Doesn’t Matter Who Did It — part three: why intent debates miss the structural failure.

Related: We Already Paid for This — when political teams reshape federal data infrastructure, costs relocate rather than disappear.


If you found this useful, the best thing you can do is forward it to one person who would push back on it. I’d rather be wrong in public than right in private.
