Daniel Berulis

Berulis’s direct supervisor at the NLRB was Chief Information Officer Prem Aburvasamy. As the agency’s network security architect, Berulis was responsible for monitoring and maintaining the Azure environment that DOGE personnel accessed beginning March 3, 2025 ⁵. The CIO chain of command is relevant because DOGE access provisioning bypassed the standard approval process that would ordinarily require CIO-level authorization for tenant-owner privileges ¹.

Andrew Bakaj of Whistleblower Aid represented Berulis in both the original April 14 disclosure to Congress and the Office of Special Counsel and in the subsequent supplemental disclosure that added the physical intimidation evidence. Bakaj confirmed to journalists that the threatening note left at Berulis’s home referenced the specific disclosure then being prepared ⁴.

Lasharn Hamilton, who served as NLRB Director during this period, stated on April 16 that there had been no “official” prior DOGE contact with the agency. Berulis’s disclosure, filed two days earlier, directly contradicts that characterization. The qualifier “official” may technically exclude informal or undocumented access of the kind Berulis documented as occurring outside standard IT provisioning channels ⁵.

The DOGE operation at the NLRB followed a pattern documented across multiple federal agencies, combining rapid provisioning of high-privilege accounts, suppression of logging and monitoring, and data movement that preceded or accompanied the suppression of incident reporting channels ¹. Berulis documented the following technical steps at the NLRB: account creation with tenant-admin privileges exempt from logging on March 3; deployment of container technology the agency had not previously used on March 3; Azure network watcher disabled by March 5; alerting and monitoring tools disabled on March 10; a 10 GB data transfer from NxGen in the early morning hours of March 4–5 ²; and instructions to halt US-CERT reporting on April 3–4 ⁵.

The NxGen case management system held data with significant competitive and legal sensitivity. Employers and labor organizations submit confidential business records, witness identities, and litigation strategy documents to NLRB proceedings under confidentiality protections that are foundational to the agency’s adjudicatory function. Press reporting and Congressional records indicate that SpaceX had active NLRB cases at the time of the access and was simultaneously pursuing a constitutional challenge to the NLRB’s structure in the Fifth Circuit. Elon Musk served as a DOGE special government employee during this period.

A September 2025 Senate Homeland Security and Governmental Affairs Committee report identified a cross-agency pattern in which career cybersecurity officials who raised objections were sidelined or terminated, and DOGE personnel were installed in chief information officer roles to approve their own data access without standard oversight procedures. According to that report, DOGE operations likely violated the Privacy Act of 1974, the E-Government Act of 2002, FISMA, the Federal Records Act, and potentially the Computer Fraud and Abuse Act. The NLRB sequence Berulis documented is among the incidents named in the report.

On March 11, 2025, more than twenty login attempts arrived against the DOGE accounts newly created at the NLRB, originating from IP address 83.149.30.186, which geolocates to Primorskiy Krai in Russia’s Far East. Berulis’s disclosure records that many of these attempts occurred within fifteen minutes of the accounts being created, and that the attempts used the correct username and password for those accounts ⁶. The attempts were blocked only by the NLRB’s standing geolocation policy that does not permit overseas logins.

The Krebs on Security forensic review, which corroborated Berulis’s account through independent analysis, noted the presence of three external GitHub libraries downloaded to NLRB systems, including one specifically designed for proxy pool rotation for web scraping and brute-forcing — a tool consistent with credential enumeration or external data harvesting ⁵. The disclosure does not assert attribution for the Russian login attempts; it records them as observed events. The proximity of the attempts to account creation — within minutes, using valid credentials — is a factual detail whose explanation remains unresolved.

While Berulis was preparing the supplemental disclosure, a note was affixed to the door of his home alongside drone photographs showing him walking in his neighborhood. Attorney Bakaj confirmed to journalists that the note made direct reference to the specific disclosure Berulis was then preparing. Berulis included this evidence in the supplemental filing as the basis for witness intimidation allegations ⁴.

The timing of institutional events around his disclosure is documented. On April 14 — the date of the original filing and the date NPR published its account of the disclosure — administrative access was stripped from career NLRB IT staff ⁵. On April 16, DOGE personnel visited the NLRB ³. That same day, Director Hamilton publicly characterized the DOGE contact as having no “official” prior existence ⁵. The sequence — access stripped on the day of publication, DOGE physically present two days later — is documented but not explained in any NLRB public statement.