# Full Report
Wired reported this week that a 19-year-old working for Elon Musk's so-called Department of Government Efficiency (DOGE) was given access to sensitive US government systems even though his past association with cybercrime communities should have precluded him from gaining the necessary security clearances to do so. As today's story explores, the DOGE teen is a former denizen of 'The Com,' an archipelago of Discord and Telegram chat channels that function as a kind of distributed cybercriminal social network for facilitating instant collaboration.
# Analysis Summary
# Threat Actor: Individual Group Primarily Linked to Edward Coristine ("Big Balls" / "Rivage")
## Attribution & Identity
The primary focus is on **Edward Coristine**, a 19-year-old former affiliate of cybercrime communities ("The Com") who gained high-level access within Elon Musk's **Department of Government Efficiency (DOGE)**.
* **Aliases:** "Big Balls" (online nickname), "Rivage" (used in cybercrime channels, associated with DiamondCDN).
* **Associated Groups/Entities:**
  * **"The Com":** A network of Discord and Telegram chat channels used for cybercriminal collaboration.
  * **Past Employer:** Path Networks (a network monitoring/anti-DDoS firm known for hiring reformed hackers).
  * **Founded Company:** **Tesla.Sexy LLC** (registered in 2021).
  * **ISP/CDN:** **Packetware (AS400495)**, also advertised as "**DiamondCDN**."
## Activity Summary
The individual (Coristine/Rivage) gained significant access to sensitive US Government systems via DOGE after the second Trump inauguration, despite previous cybercrime associations. The activities noted in the article establish his background and infrastructure rather than describing active APT campaigns:
* Founding Tesla.Sexy LLC, which controls domains including Russian-registered ones (one hosting the AI bot Helfie targeting the Russian market).
* Soliciting **DDoS-for-hire services** in 2022 via the cybercrime channel "Dstat."
* Running an ISP (Packetware/DiamondCDN).
## Tactics, Techniques & Procedures
The TTPs relate to cybercriminal interaction and infrastructure management; the article details no specific compromise techniques:
* **Infrastructure Management:** Operating an autonomous system/ISP (Packetware/DiamondCDN).
* **Cybercrime Collaboration:** Participation in closed cybercrime forums/channels like "The Com" and "Dstat."
* **Acquisition of Illegal Services:** Soliciting DDoS-for-hire services.
* **Domain Management:** Registration and control of domains, including those registered in Russia.
## Targeting
Targeting is primarily focused on the **U.S. Federal Government**, via access granted through the DOGE structure:
* **Sectors:** U.S. Government (Treasury, OPM, Education, Health and Human Resources, Department of Labor).
* **Geography:** United States (agencies being accessed).
* **Victims:** Sensitive personal and government data held by federal agencies.
## Tools & Infrastructure
* **Malware Families Used:** None explicitly detailed, but solicitation indicates use of **DDoS-for-hire tools/services.**
* **Infrastructure:**
  * **Domains:** `tesla[.]sexy`, `diamondcdn[.]com`.
  * **Autonomous System/ISP:** Packetware (AS400495) running DiamondCDN.
  * **Associated Infrastructure:** Helfie (AI bot for Discord, hosted on Russian domains).
* **External Services Used:** DDoS-for-hire services (solicited via the "Dstat" channel).
## Implications
The primary implication is a severe **insider risk** and **supply chain vulnerability** within advisory structures that grant access to sensitive government data. An individual with a documented history in cybercrime communities was granted access that security review processes should have precluded, potentially enabling the unauthorized seizure and exploitation of vast amounts of citizen data held in federal databases.
## Mitigations
* **Vetting and Personnel Security:** Implement rigorous and continuous vetting processes that effectively screen individuals with known associations to cybercrime communities ("The Com") before granting access to sensitive systems.
* **Infrastructure Scrutiny:** Thoroughly investigate personnel or contractors who own or operate internet infrastructure (ISPs, CDNs) to ensure no conflicts of interest or potential backdoors exist.
* **Security Clearance Review:** Address and account for international business dealings (e.g., Russian domain registration) during security clearance investigations.