Published in News

Whistleblower said DOGE data droids raided union files.

on 23 April 2025


Followed by some hacking behaviour

A whistleblower said that a DOGE team entered the National Labour Relations Board in early March and carried out some strange security antics.

According to NPR, DOGE engineers demanded top-tier access to the NLRB’s internal systems, and according to the whistleblower, they were granted unrestricted control, which was followed by a suspicious spike in data exfiltration and some very dodgy behaviour that cybersecurity experts say mirrors tactics used by criminal hackers.

The NLRB, which handles complaints about dodgy labour practices and holds sensitive data about unions and companies, was left reeling. While many of the NLRB's records are eventually made public, the NxGen case management system hosts proprietary data from corporate competitors, personal information about union members or employees voting to join a union, and witness testimony in ongoing cases. Access to that data is protected by numerous federal laws, including the Privacy Act.

DOGE operatives asked for their system activity to be kept off the logs. They turned off monitoring tools and deleted records manually—an action several experts compared to cybercriminal evasion.

Whistleblower Daniel Berulis, a long-time tech consultant, said, “It violates every core concept of security and best practice. The bits of the puzzle I can quantify are scary.”

Berulis’ report to Congress and the US Office of Special Counsel was accompanied by internal documentation and reviewed by 11 external technical experts.

One key concern was DOGE engineer Jordan Wick’s GitHub activity, which briefly featured a project titled “NxGenBdoorExtract.” Experts believe this name refers to the NLRB’s internal NxGen system and a possible backdoor extraction tool. Wick made the project private after questions started flying.

While NPR was unable to recover the code for that project, the name itself suggests that Wick could have been designing a backdoor, or "Bdoor," to extract files from the NLRB's NxGen internal case management system, according to several cybersecurity experts who reviewed Berulis' conclusions.

According to his official disclosure, Berulis started tracking sensitive data leaving the places it was meant to live. First, he saw a chunk of data exiting the NxGen case management system's "nucleus" inside the NLRB system and a significant spike in outbound traffic leaving the network.

From what he could see, the data leaving, almost all text files, added up to around 10 gigabytes. It's a sizable chunk of the total data in the NLRB system, though the agency hosts over 10 terabytes in historical data. It's unclear which files were copied and removed or whether they were consolidated and compressed, which could mean even more data was exfiltrated. It's possible that DOGE ran queries looking for specific files in the NLRB's system and took only what it was looking for, according to the disclosure.

After the visit, a sudden login attempt with the correct password and username, which was traced to a Russian IP address, was logged as a potentially serious breach.

Meanwhile, the agency’s official line is denial. Acting NLRB press secretary Tim Bearese claimed DOGE never asked for or received access, and that internal probes found no breach. But Berulis’ report includes forensic evidence to the contrary, and several sources across government agencies have said they’ve seen similar signs of DOGE meddling elsewhere.

Berulis said someone taped a threatening note to his door, featuring drone-taken photos and personal details—classic whistleblower intimidation.

“This is a very bad picture we’re looking at and the public’s only seeing a corner of the canvas,” Berulis said.

Last modified on 23 April 2025