Judge #Boasberg finds probable cause to hold #Trump admin in #contempt of court for defying his order to turn around planes, demands new details in order for officials to “purge” their contempt.
Boasberg said the evidence shows #willful defiance by the Trump admin that amounts to #criminal contempt. Full 46-page opinion:
https://ecf.dcd.uscourts.gov/cgi-bin/show_public_doc?2025cv0766-81
…language is very important. When the state carries out #criminal #terror against its own people, it calls them “criminals” or “terrorists.” During the 1930s, this was the normal practice. Looking back, we refer to #Stalin’s “Great Terror,” but at the time it was the Stalinists who controlled the language. Today in Berlin stands an important museum called "Topography of Terror"; during the era it documents, it was the Jews & the chosen enemies of the regime who were called "terrorists."
Russ Handorf, who served in the #FBI for a decade in various #cybersecurity roles, also reviewed Berulis' extensive technical forensic records & analysis….
"All of this is alarming," he said. "If this was a publicly traded company, I would have to report this [breach] to the Securities and Exchange Commission…."
"We've seen Russian threat actors do things like this on US government systems," said one #threat #intelligence researcher…. That analyst, who has extensive experience hunting nation-#StateSponsored #hackers, reviewed the #whistleblower's technical claims.
"The difference is, they [DOGE] were given the keys to the front door," the researcher continued.
While investigating the #data taken from #NLRB, Berulis tried to determine its ultimate destination. But whoever had exfiltrated it had disguised its destination too….
#DOGE staffers had permission to access the system, but removing data is another matter.
Berulis says someone appeared to be doing something called DNS tunneling to prevent the data exfiltration from being detected.
In the days after Berulis & his colleagues prepared a request for #CISA's help…, Berulis found a printed letter in an envelope taped to his door, which included threatening language, sensitive personal info & overhead pictures of him walking his dog…. It's unclear who sent it, but the letter made specific reference to his decision to report the breach. Law enforcement is investigating the letter.
The IT team met to discuss insider threats — namely, the #DOGE engineers…. "We had no idea what they did," he explained.…
They eventually launched a formal breach investigation, …& prepared a request for assistance from #CISA. However, those efforts were disrupted w/o an explanation, Berulis said. That was deeply troubling to Berulis….
In fact, when they looked into the spike, they found that logs that were used to monitor outbound traffic from the system were absent. Some actions taken on the network, including #data exfiltration, had no attribution—except to a "deleted account," he continued. "Nobody knows who deleted the logs or how they could have gone missing," Berulis said.
For #cybersecurity experts, that spike in #data leaving the system is a key indicator of a #breach, Berulis explained.
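An added illustration, not part of the quoted reporting or of any NLRB tooling: how a defender could flag the two signals described in the posts above, an outbound-volume spike measured against a robust baseline and hours for which egress logs are simply missing. The hourly records, timestamps and thresholds are constructed for the example.

```python
from datetime import datetime, timedelta
from statistics import median

HOUR = timedelta(hours=1)
START = datetime(2025, 1, 1)  # constructed timestamp, not taken from the article

def build_sample():
    """Constructed hourly egress totals: (hour_start, bytes_out)."""
    rows = []
    for h in range(48):
        if 30 <= h <= 32:
            continue  # simulate monitoring logs that are absent
        size = 10 * 1024**3 if h == 29 else 40_000_000 + (h % 7) * 3_000_000
        rows.append((START + h * HOUR, size))
    return rows

def find_spikes(rows, k=6.0):
    """Hours whose outbound volume exceeds median + k * scaled MAD."""
    volumes = [b for _, b in rows]
    med = median(volumes)
    # MAD is robust: one huge outlier does not inflate the baseline.
    mad = median(abs(v - med) for v in volumes) or 1
    threshold = med + k * 1.4826 * mad
    return [ts for ts, b in rows if b > threshold]

def find_gaps(rows, step=HOUR):
    """Runs of missing intervals as (first_missing_hour, count)."""
    stamps = sorted(ts for ts, _ in rows)
    gaps = []
    for prev, cur in zip(stamps, stamps[1:]):
        missing = (cur - prev) // step - 1
        if missing > 0:
            gaps.append((prev + step, missing))
    return gaps

def triage(rows):
    """Pair each spike with any log gap that begins within 2 hours of it."""
    gaps = find_gaps(rows)
    return [(s, [g for g in gaps if abs(g[0] - s) <= 2 * HOUR])
            for s in find_spikes(rows)]

if __name__ == "__main__":
    for spike, gaps in triage(build_sample()):
        print("spike at", spike, "adjacent log gaps:", gaps)
```

A spike that sits next to a gap in the monitoring record deserves higher priority than either signal alone, since the gap removes the evidence needed to attribute the transfer.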
When Berulis asked his IT colleagues whether they knew why the data was exfiltrated or whether anyone else had been using containers to run code on the system in recent weeks, no one knew anything about it or the other unusual activities on the network….
Even when external parties like lawyers or overseers like the inspector general are granted guest accounts on the system, it's only to view the files relevant to their case or investigation, explained #labor #law experts who worked with or at the #NLRB….
"None of that confidential & deliberative information should ever leave the agency," said Richard Griffin, who was the NLRB general counsel 2013–2017, in an interview w/NPR.
Regardless, that kind of spike is extremely unusual, …because #data almost never directly leaves from the #NLRB's databases. In his disclosure, Berulis shared a screenshot tracking data entering and exiting the system, & there's only one noticeable spike of data going out. He also confirmed that no one at the NLRB had been saving backup files that week or migrating data for any projects.
From what he could see, the #data leaving, almost all text files, added up to around 10GB…. It's a sizable chunk of the total data in the #NLRB sys, though the agency itself hosts over 10TB in historical data. It's unclear which files were copied & removed or whether they were consolidated & compressed, which could mean even more data was exfiltrated. It's also possible that #DOGE ran queries looking for specific files…& took only what it was looking for….
On its own, that wouldn't be suspicious, though it did allow the engineers to work invisibly & left no trace of its activities once it was removed.
Then, Berulis started tracking sensitive #data leaving the places it's meant to live…. First, he saw a chunk of data exiting the NxGen case management system's "nucleus," inside the #NLRB system, Berulis explained. Then, he saw a large spike in outbound traffic leaving the network itself.
About a week after arriving, the #DOGE engineers left #NLRB & deleted their accounts….
In the office, Berulis had had limited visibility into what the DOGE team was up to in real time.
That's partly because, he said, NLRB isn't advanced when it comes to detecting insider threats…. "We as an agency have not evolved to account for those," he explained. "We were looking for [bad actors] outside," he said.
…engineers were also concerned by #DOGE staffers' insistence that their activities not be logged, allowing them to probe the NLRB's systems & discover info about potential #security flaws or vulnerabilities w/o being detected.
“The whole idea of removing logging & [getting] tenant-level access is the most disturbing part to me,” one engineer said.
…while many of the #NLRB's records are eventually made public, the NxGen case management system hosts #proprietary #data from #corporate competitors, personal information about #union members or employees voting to join a union, & #witness testimony in ongoing cases. Access to that data is protected by numerous federal #laws, including the #Privacy Act.
While NPR was unable to recover the code for that project, the name itself suggests that Wick could have been designing a #backdoor, or "Bdoor," to extract files from #NLRB's internal case management system, known as NxGen, acc/to several #cybersecurity experts who reviewed Berulis' conclusions.
…NxGen is an internal system that was designed specifically for the NLRB in-house, acc/to several of the engineers who created the tool….
After journalist Roger Sollenberger started posting…about the account, Berulis noticed something Wick was working on: a project, or repository, titled "NxGenBdoorExtract."
Wick made it private before Berulis could investigate further, he told NPR. But to Berulis, the title itself was revealing.
"So when I saw this tool, I immediately panicked,"…He immediately alerted his whole team.