The most famous member of the U.S. DOGE Service technology team of Elon Musk once provided support to a cybercriminal group that boasted of trading stolen data and cyberstalking an FBI agent, according to digital records reviewed by Reuters.
Edward Koristin is one of the most prominent members of the DOGE project, who gained significant access to official networks during the team's efforts to radically cut U.S. government spending.
Reports on Koristin's activities have focused on his young age — he is only 19 years old — and his chosen alias "BigBalls," which has become a pop culture element. Musk supported the teenager on his platform X, telling his followers last month, "Big Balls are awesome."
Since about 2022, while still in high school, Koristin led the company DiamondCDN, which provided network services, according to corporate and digital records reviewed by Reuters, as well as information from former partners. Among DiamondCDN's clients was a website operated by a cybercriminal group called "EGodly," as evidenced by data from the internet intelligence company DomainTools and the cybersecurity tool Any.Run.
Previously, Koristin's connection to EGodly had not been reported.
On February 15, 2023, EGodly published a message on Telegram, thanking Koristin's company: "We would like to express our gratitude to our esteemed partners DiamondCDN for generously providing us with amazing DDoS protection and caching systems that allow us to securely host and protect our website."
Digital records reviewed by Reuters confirm that the EGodly website, dataleak.fun, used IP addresses registered to DiamondCDN and other organizations owned by Koristin from October 2022 to June 2023. Users of the site during this period underwent "security checks" by DiamondCDN.
Koristin did not respond to requests for comment. Musk's team, known as the "Government Efficiency Department," though not an official government body, also did not respond to inquiries about Koristin. He is listed as a "senior advisor" at the State Department and the Cybersecurity and Infrastructure Security Agency (CISA), according to officials from both agencies who have seen his name in staff directories.
On LinkedIn, Koristin describes himself as a "volunteer-plumber-intern" in the U.S. government.
The State Department declined to comment on the matter concerning Koristin. CISA, which is responsible for protecting federal networks from cybercriminals and foreign spies, also declined to comment.
EGodly's Telegram channel has not been active for the past year. Efforts to obtain comments from eight individuals associated with EGodly were unsuccessful.