Experts question whether Edward Coristine, a DOGE staffer who has gone by “Big Balls” online, would pass the background check typically required for access to sensitive US government systems.
Analysis Summary
# Threat Actor: Edward Coristine (Online Alias: "Big Balls")
## Attribution & Identity
* **Primary Identifier:** Edward Coristine (19-year-old technologist).
* **Known Online Aliases:** "Big Balls" (LinkedIn handle), "JoeyCrafter" (Telegram handle), "Rivage" (Discord/Telegram handle), "Steven French" (Older X/Twitter username).
* **Known Associations:** Worked at Elon Musk's Department of Government Efficiency (DOGE) as an "expert," previously worked at Neuralink, and briefly worked at Path Network (a firm known for hiring reformed cybercriminals). He founded multiple companies, including Tesla.Sexy LLC.
## Activity Summary
The focus of the article is on concerns surrounding Edward Coristine's background and suitability for access to sensitive US government systems, rather than a specific offensive campaign attributed to him as a threat actor.
* **Employment & Access:** Gained access to sensitive US government systems through his role at DOGE; OPM records list him as an "expert" at OPM. He reportedly joined calls in which GSA employees justified their jobs and had their code reviewed.
* **Business Operations:** Established at least five companies across the US (Connecticut, Delaware) and the UK. Founded Tesla.Sexy LLC in 2021, which controls several domains, including two Russian-registered ones hosting the AI bot service Helfie targeting the Russian market.
* **Potential Cyber Engagement (Solicitation):** In November 2022, a Telegram handle tied to Coristine ("JoeyCrafter") solicited a Layer-7 (L7) DDoS-for-hire service, offering payment in Bitcoin.
* **Past Associations:** His tenure at Path Network involved working alongside individuals known for past hacking activities (e.g., Eric Taylor/Cosmo the God, Matthew Flannery).
## Tactics, Techniques & Procedures
The article hints at potential technical competencies or interest in illicit services, but does not detail specific intrusion methods used against government systems.
* **Solicitation and Procurement:** Used Telegram to solicit specific cyberattack capabilities (L7 DDoS-for-hire).
* **Infrastructure Development:** Established and managed multiple corporate entities and web domains for various purposes (CDN, company representation, AI services).
* **Identity Obfuscation/Management:** Used multiple handles across different platforms (Telegram, Discord, X) and maintained multiple corporate entities, many of which were not publicly linked to him.
* *No MITRE ATT&CK technique IDs are assigned: the article provides too few specific offensive details to map.*
## Targeting
* **Sectors:** US Federal Government systems (access gained via employment at DOGE and OPM).
* **Geography:** Activities linked to US, UK, and Russia (via domain registration/services).
* **Victims:** Implicitly, the systems he accessed within the US government structure.
## Tools & Infrastructure
* **Malware Families Used:** None specified, only solicitation for DDoS capability.
* **Infrastructure (C2, domains, IPs):**
  * **Domains:** `tesla.sexy` (via Tesla.Sexy LLC); at least two Russian-registered domains hosting "Helfie"; `faster.pw` (archived content, in Chinese, advertising "encrypted cross-border networks").
  * **Services:** DiamondCDN (Coristine's startup).
  * **Platforms:** Telegram ("JoeyCrafter" and "Rivage" handles), Discord ("Rivage" handle), X/Twitter (@edwardbigballer and "Steven French").
## Implications
The primary implication is a significant risk arising from potential security clearance vulnerabilities in Coristine's documented history, which includes: overseas business connections (Russian-registered domains), companies formed at a young age, an association with a firm known for employing reformed cybercriminals, and a documented interest in procuring DDoS-for-hire services. Security experts cited in the article say he would likely have failed a standard background check for privileged access. This raises serious questions about the vetting and background check processes applied to DOGE staff and to federal contractors who handle sensitive data.
## Mitigations
* **Rigorous Vetting:** Agencies managing privileged access (such as OPM, which oversees DOGE staff) must adhere strictly to security clearance investigation protocols, scrutinizing foreign contacts, overseas business dealings, associations with known malicious actors, and unusual online history (including pseudonyms tied to cybercrime services).
* **Continuous Monitoring:** Ensure continuous monitoring of personnel holding security clearances, especially regarding new corporate formations or unusual online service procurement activities.
* **Background Review:** Re-evaluate initial security clearances granted to personnel whose background documentation has since revealed significant undisclosed or concerning histories.