The Info Web
Events · Modern Incident

NLRB Data Exfiltration

The NLRB data exfiltration was a 2025 incident in which Department of Government Efficiency engineers accessed National Labor Relations Board systems and exfiltrated large volumes of sensitive data on union organizing and labor complaints, followed by multiple blocked login attempts from a Russian IP address, disclosed by NLRB cybersecurity whistleblower Daniel Berulis in April 2025.

Active 2025–present Location National Labor Relations Board (federal systems) Mentions 3 Tags EventNLRBDOGEDanielBerulisWhistleblowerDataExfiltrationRussiaElonMusk

The NLRB data exfiltration was a 2025 incident in which engineers from the Department of Government Efficiency (DOGE) accessed National Labor Relations Board (NLRB) systems and exfiltrated large volumes of sensitive data including union-organizing and labor-complaint records. The exfiltration was followed by multiple blocked login attempts to NLRB systems from an IP address in Russia, raising the documented concern that the exfiltrated data had been exposed to foreign adversaries. Daniel Berulis, an NLRB cybersecurity staffer, disclosed the incident in a sworn affidavit in April 2025, represented by Andrew Bakaj of Whistleblower Aid.123

The DOGE Access and the Data Exfiltration

Berulis documented in his sworn affidavit that DOGE engineers accessed NLRB systems using methods his affidavit characterized as secretive and suspicious. The access coincided with unusual large data outflows from NLRB systems. The exfiltrated data included records related to union-organizing campaigns and labor complaints, which is the NLRB's core case-management data and which contains identifying information on workers involved in organizing activity, the employers they filed against, and the status of the cases.124

The data outflow was documented in the NLRB's own system logs, which Berulis reviewed as part of his cybersecurity role. The volume and pattern of the outflows were inconsistent with normal NLRB operations, and the DOGE engineers' access methods (which Berulis described as bypassing normal access controls) were inconsistent with the standard federal-system-access protocols. The Krebs on Security reporting (April 2025) provided the technical detail on the outflow pattern and the access methods.2

The Russian IP Access Attempts

Following the DOGE access, NLRB systems logged multiple blocked login attempts from an IP address in Russia. The timing of the Russian attempts (immediately following the DOGE exfiltration) and the targeting of the systems DOGE had accessed produced the documented concern that the exfiltrated data had been transmitted to or made accessible to a Russian endpoint. The Nextgov/FCW reporting (April 2025) documented the Russian IP attempts and their temporal relationship to the DOGE access.35

The Russian IP access attempts are the documented datum that connects the Elon Musk-led DOGE to the broader Buma-documented pattern of Russian-intelligence interest in U.S. technology and government principals. The Buma disclosures (May 2025) on the GRU targeting of Musk, the documented Musk-Putin contact channel (WSJ October 2024), and the NLRB Russian-IP attempts together constitute the evidentiary set on the question of Russian access to federal data through the DOGE channel.6

The Berulis Disclosure and the Aftermath

Berulis came forward in April 2025 with a sworn affidavit through Whistleblower Aid, represented by chief counsel Andrew Bakaj. NPR, PBS NewsHour, Krebs on Security, and Nextgov/FCW each published detailed reporting on the disclosure in April 2025. VitalLaw characterized the incident as an "alarming data breach" that "might have exposed agency data to foreign adversaries."12345

After Musk publicly called Berulis a criminal on X, Berulis's brake lines were cut. Berulis is suing Musk for defamation. The physical intimidation of a federal cybersecurity whistleblower who disclosed the Russian-IP-connected exfiltration of union-organizing data is part of the documented aftermath of the disclosure.7

Sources

  1. "Whistleblower details how DOGE may have taken sensitive NLRB data." NPR, April 15, 2025. https://www.npr.org/2025/04/15/nx-s1-5355896/doge-nlrb-elon-musk-spacex-security
  2. "Whistleblower: DOGE Siphoned NLRB Case Data." Krebs on Security, April 2025. https://krebsonsecurity.com/2025/04/whistleblower-doge-siphoned-nlrb-case-data/
  3. "User with Russian IP address tried to log into NLRB systems following DOGE access, whistleblower says." Nextgov/FCW, April 2025. https://www.nextgov.com/cybersecurity/2025/04/user-russian-ip-address-tried-log-nlrb-systems-following-doge-access-whistleblower-says/404574/
  4. "DOGE Caused 'Alarming' Data Breach at NLRB, Whistleblower Says." VitalLaw, April 2025. https://www.vitallaw.com/news/doge-caused-alarming-data-breach-at-nlrb-whistleblower-says/cspd0179fa3355f64546db87b404df22f7725f
  5. "DOGE's Unlawful Plundering of Agency Systems." Whistleblower Aid. http://whistlebloweraid.org/case-study/doges-unlawful-plundering-of-agency-systems/
  6. "FBI whistleblower claims he tried to get to Musk to warn him he was being targeted by Russia." The Guardian, May 22, 2025. https://www.theguardian.com/us-news/ng-interactive/2025/may/22/fbi-whistleblower-musk-russia ; "Elon Musk's secret talks with Putin ramped up during his Twitter takeover: WSJ report." CNBC, October 25, 2024, on the Wall Street Journal report of Musk's regular contact with Putin since late 2022. https://www.cnbc.com/2024/10/25/elon-musk-and-putin-talks-ramped-up-during-twitter-takeover-wsj.html
  7. "Musk, DOGE, and the Whistleblower's Lawsuit Over Cut Brakes." FindLaw, 2026, on Berulis's defamation suit against Musk and the tampered brake lines following Musk's April 2025 X posts. https://www.findlaw.com/legalblogs/courtside/musk-doge-and-the-whistleblowers-lawsuit-over-cut-brakes/

Connected to

Person
Jonathan Buma
Johnathan Buma is a former FBI special agent who specialized in Russian counterintelligence at the Los Angeles field office, who handled Peter Thiel as a confidential human source from summer 2021, who originated the FBI's first Hunter Biden tax inquiry in January 2019, who worked the Giuliani-Ukraine investigation, who publicly accused the FBI of pro-Trump political bias, and who was arrested at JFK on March 17, 2025 and charged with unlawfully disclosing confidential records.
3 shared pages
viaIgor Kurganov · PayPal Mafia
Person
Donald Trump
Donald Trump is the 45th and 47th President of the United States whose two administrations functioned as the political vehicle through which the Peter Thiel commercial network, the Leonard Leo judicial-selection network, and the Jared Kushner Middle East network exercised documented federal power, including Palantir's expanded government contracting, the Federalist Society Supreme Court confirmations, and the Kushner-MBS relationship that produced the Abraham Accords.
2 shared pages
viaDonald Trump · PayPal Mafia

Find a path from NLRB Data Exfiltration to…

Full finder →

    Local network

    NLRB Data Exfiltration's direct connections. Click any node to navigate, drag to pan, scroll (or pinch) to zoom. + 2‑hop expands the neighborhood one level further.

    An interactive diagram of NLRB Data Exfiltration's connections, drawn on a canvas and explored with a pointer. The same connections are listed as links in the Connected and Mentioned-in sections below.

    Legend — how to read this graph
    Node colour — type
    • People
    • Organizations
    • Programs
    • Events
    • Concepts
    • Places
    Node size

    Larger = more mentions across the vault.

    Connections

    Explicit link (wikilink between entries).

    Inferred connection (name co-mention) — toggle with “Inferred”.

    Highlights

    Gold ring — a bridge entity linking distant clusters.

    Accent ring — your current selection.

    Mentioned in 3