Stolen Credentials from DOGE Employee Found in Multiple Info-Stealer Leaks

Kyle Schutt, a 37-year-old software engineer for the Department of Government Efficiency (DOGE), is at the center of a growing cybersecurity controversy after his credentials appeared in multiple stealer log datasets, collections of sensitive data exfiltrated by infostealer malware.

The incident has raised alarms about operational security within DOGE, especially given Schutt’s recent access to FEMA’s core financial management systems.

What Are Stealer Logs?

Stealer logs are files generated by infostealer malware that infiltrates a victim’s device, silently harvesting sensitive information such as usernames, passwords, browser fingerprints, and even cryptocurrency wallet credentials.

Once the malware infects a system, often through phishing links or malicious downloads, it can log keystrokes, intercept form submissions, and extract stored credentials.

This data is then transmitted to the attacker, who may compile it into large-scale logs for sale or public release on underground forums or channels like Telegram.

The Technical Fallout: How Schutt’s Data Was Compromised

Schutt’s personal Gmail address has surfaced in four major stealer log datasets since late 2023, as well as in 51 separate data breaches tracked by Have I Been Pwned (HIBP).

Unlike typical data breaches, which often occur when a third-party service is hacked, stealer logs indicate a direct compromise of the victim’s device.

This means the malware was actively running on Schutt’s computer, capturing credentials as he typed them or as they were autofilled by his browser.

The datasets in which Schutt’s credentials appeared include:

  • Naz.API (September 2023): Over 100GB of stealer logs and credential stuffing lists, containing 71 million unique email addresses and 100 million passwords, many sourced from infostealer malware.
  • Stealer Logs Posted to Telegram (July 2024): 22GB of logs with 26 million unique email addresses, passwords, and associated websites, all harvested from malware-infected machines and distributed via Telegram channels.
  • Jan 2025 Stealer Logs: A new HIBP feature enabled the retrieval of specific websites where 71 million email addresses and passwords were used, further exposing the breadth of the compromise.
  • ALIEN TXTBASE (February 2025): A massive dump of 23 billion rows, including 284 million unique email addresses. However, analysis suggests this dataset is a mix of authentic stealer logs, recycled combo lists, and possibly fabricated data, so not every entry indicates a real-time malware infection.

Security Implications for DOGE and Federal Systems

Schutt’s dual roles at DOGE and the Cybersecurity and Infrastructure Security Agency (CISA) heighten the risk profile.

As a DOGE engineer, he reportedly accessed FEMA’s proprietary software for managing disaster and non-disaster grants, and requested source code for the Integrated Financial Management and Information System (IFMIS), the backbone for federal grant payments.

If any government credentials were entered on his compromised device, attackers could potentially leverage them for unauthorized access to critical federal systems, risking exposure of Social Security numbers, bank information, and sensitive disaster relief data.

Credential-Based Attacks and Best Practices

This case underscores the dangers of credential-based attacks, which rely on acquiring valid login details through methods like keylogging, phishing, or infostealer malware.

To mitigate such risks, cybersecurity experts recommend:

  • Using a password manager to generate and store unique, complex passwords.
  • Enabling two-factor authentication (2FA) for all accounts, adding a secondary verification layer.
  • Never reusing passwords across services.
  • Regularly monitoring accounts for suspicious activity and immediately resetting credentials if a compromise is suspected.
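Stealer log dumps like those listed above pair each captured password with the site it was used on, which is what lets a defender act on the last two recommendations. The following added example (not code from the article or from HIBP) triages a constructed, made-up sample in the common `url:login:password` layout: it flags logins that touched a domain the defender treats as high-impact (the `agency-example.gov` domain is an assumption) and logins whose password was reused across sites, so that those accounts can be reset first.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample in the url:login:password layout common in leaked stealer
# logs. Every record here is made up for this example.
SAMPLE_LOG = """\
https://mail.example.com/login:alice@example.com:Winter2024!
https://portal.agency-example.gov/auth:alice@example.com:Winter2024!
https://shop.example.net/account:alice@example.com:Winter2024!
https://sso.agency-example.gov/:bob@example.com:Tr0ub4dor&3
https://forum.example.org/:carol@example.com:hunter2
android://com.example.app/:dave@example.com:qwerty
"""

# Domains whose exposed credentials the defender treats as high-impact (assumed).
SENSITIVE_DOMAINS = {"agency-example.gov"}

def parse_records(text):
    """Parse url:login:password lines. The URL contains ':' itself, so split from the right."""
    records = []
    for line in text.splitlines():
        parts = line.strip().rsplit(":", 2)
        if len(parts) != 3:
            continue  # malformed or empty line; skip rather than guess
        url, login, password = parts
        host = urlparse(url).hostname or url
        records.append({"host": host, "login": login.lower(), "password": password})
    return records

def in_scope(host, domains):
    """True when host is one of the sensitive domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(records, sensitive_domains=SENSITIVE_DOMAINS):
    """Per login: sensitive hosts it appeared on, password reuse, and whether to reset."""
    by_login = defaultdict(list)
    for r in records:
        by_login[r["login"]].append(r)
    report = {}
    for login, recs in by_login.items():
        sensitive = sorted({r["host"] for r in recs if in_scope(r["host"], sensitive_domains)})
        counts = defaultdict(int)
        for r in recs:
            counts[r["password"]] += 1
        reused = any(n > 1 for n in counts.values())
        report[login] = {"sensitive_hosts": sensitive, "reused_password": reused,
                         "reset_required": bool(sensitive) or reused}
    return report
```

Records whose password contains a colon would be split incorrectly by `rsplit`; real dumps mix several delimiters, so a production parser should detect the layout per file rather than assume one.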

The exposure of Kyle Schutt’s credentials in stealer logs is more than a personal security lapse; it is a stark warning about the vulnerabilities that can arise when individuals with privileged access to sensitive government systems are compromised.

As DOGE faces scrutiny over its cybersecurity practices, this incident highlights the urgent need for robust endpoint security, strict credential hygiene, and comprehensive incident response protocols to safeguard federal infrastructure against evolving threats.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
