Big Balls Has Your Security Number. And a Global Black Box Network Perfect for Sending it Anywhere in the World

I Watched Big Balls’ Network for Almost a Year. Because He Left the Door to His Super Secret Network Wide Open


Intro

DOGE seized the database holding every single American’s Social Security details and stores it in a “vulnerable cloud environment,” according to the highest-ranking data official at the SSA. https://whistleblower.org/wp-content/uploads/2025/08/08-26-2025-Borges-Disclosure-Sanitized.pdf Edward “Big Balls” Coristine is at the center of this disturbing tale. My investigation reveals that Coristine also runs a global proxy network that appears perfectly designed to steal U.S. government data and destroy all evidence.

If You Wanted to Run a Digital Smuggling Operation to Move Stolen Government Data around the World, This Would Be a Great way to Do It

If you wanted to run a digital smuggling operation to move stolen government data around the world, this would be a great way to do it. Since February, I’ve mapped the global network used by Coristine’s private hosting company, Packetware. Yet the data I’ve collected contradicts the company’s stated purpose. The network’s design more closely resembles a cybercrime syndicate than a small-time web host. When Coristine hears this, he’ll likely insist Packetware is separate from his federal role at DOGE. We’ll get to that.

I Didn’t Hack Anything. Because Coristine Never Bothered to Set a Password to Access His Digital Switchboard. You Can Check for Yourself

Disclaimer: All linked metrics and server endpoints were publicly accessible at the time of observation, with no authentication or intrusion required. No hacking, credential misuse, or disruption was performed—only passive, open-source monitoring in the interest of transparency and public safety. Readers are encouraged to verify these endpoints themselves to confirm they require no special access and ensure this analysis did not involve unauthorized access.

If you’re feeling adventurous (because I ran out of time to host it nicely), you can download the web archive I made here https://limewire.com/d/mgyEr#vxjaIZxzk4 and upload the .WACZ to https://replayweb.page/ to view it in your browser.

(I might leave this out; anyone who’s a nerd knows what to do, and maybe I shouldn’t suggest it to non-nerds. If you turn on your VPN and visit 51.222.40.149:30000, you will see it’s completely open to the public.)

Other Outlets and Whistleblowers Can Give You the Eyewitness Accounts of Where, when and what DOGE Did behind Closed Doors. As an Open-source Researcher, I’m here to Give You the Public Evidence of how They’re Likely Moving Your Data Overseas

I believe the totality of evidence shows we are facing the worst cybersecurity breach in history. And the call is coming from inside the house.

If I’ve been able to watch Coristine’s network for months, you can be certain Russia and China were way ahead of me.

It sounds alarmist, because it is alarming.

In legal terms, we are well beyond the threshold of probable cause. It’s time to bring this to trial in the court of public opinion and demand that DOGE prove their innocence. The burden lies with DOGE, “the most transparent organization in government ever,” to show us the receipts. https://americanoversight.org/doges-smoke-and-mirrors-how-the-agency-deliberately-avoids-transparency/

I’ll try to keep this as non-techy as possible, because every single American deserves to know the grave national cybersecurity crisis we face. But the details I’m about to disclose are based on months of direct observation and quantitative analysis. I need your help getting this in front of lawyers, Attorneys General, and whoever else has more power than I do to hold DOGE accountable.

For cyber nerds, I’ve included my methods and technical details at the end.

Edward “Big Balls” Coristine Owns Packetware (AS400495)



In February, I Discovered Packetware’s Digital Equivalent of Its Air Traffic Control Tower. The Most Important Server that Tells Us What’s Going on is Hosted in Montreal. Let’s Call it the Montreal Cluster

Source: https://www.shodan.io/host/51.222.40.149

The host 51.222.40.149 has been hosted by Packetware since at least February 2025 (the date of my first archive).

What’s Prometheus?

The “air traffic control tower” runs on Packetware’s network and uses Prometheus—a monitoring tool that continuously collects and reports server metrics like network traffic from various nodes around the world. The “Montreal Cluster” is the core central hub that tracks and controls all the global proxy nodes in Coristine’s network.

On February 6, 2025, Packetware’s Montreal Cluster received approximately **37.7 TB of data** and sent approximately 55.9 TB over a 12-hour window. This is a ratio of 1.5 terabytes going out for every 1 terabyte coming in.

If These Files Are Indeed Stolen Databases and You Printed Them Out, that Would Be 839,000 Encyclopedias Coming In, and 1.48 Million Encyclopedias Going out in just One 12-hour Period. That Would Create a Stack 26.5 Miles and 46.6 Miles High Respectively

On August 29, 2025, the same Kubernetes cluster sent **26 times more data** than it received, which is the opposite of normal monitoring and suggests large-scale data exfiltration. Legitimate monitoring typically shows balanced or inbound-heavy traffic.

  • Outbound traffic: ~216 GB per 12 hours transmitted

  • Inbound traffic: ~8 GB received

  • Ratio: 26:1 outbound bias

  • Network capacity: 1.25 GB/s on most interfaces

Some of this volume likely reflects data bouncing between nodes, so the raw container-level totals may overstate the true volume. However, even accounting for intra-cluster duplication, the sheer scale of outbound traffic **far exceeds** any benign use case.

Everything Wrong with Packetware

Packetware’s system provides a near-ideal setup for an insider to covertly send sensitive government data overseas. It also creates a massive risk of exposure to hostile intelligence agencies or cybercriminals.

Packetware’s network

  • is sending out 26 times more data than it receives, which is the opposite of normal monitoring and perfect for large-scale data exfiltration.

  • has computer servers spread across multiple countries, with most currently offline, suggesting a network designed to bounce data around the world to hide its source.

  • is configured with dangerous security settings that **allow anyone on the internet to access** it without authentication.

  • only keeps logs for 12 hours before deleting, which is unusually short for normal monitoring and suggests intentional evidence destruction.

  • uses sophisticated container technology that can quickly create and destroy “virtual computers” to hide the path data takes through the network.

The access policy that allows anyone in the world to read these metrics also lets unauthorized attackers map the network’s nodes and then go after the data moving through it.

Big Balls’ Global Black Box Network Does the opposite of what His Business Claims to Do

Big Balls’ first excuse will be that Packetware is his private company entirely separate from his DOGE work. But the traffic is actually flowing the opposite way of his purported services.

Packetware.net claims to be a small-scale VPS (Virtual Private Server) hosting provider (packetware.net/services). VPS hosting typically generates balanced or inbound-heavy traffic—customers pull content from the servers—rather than the sustained outbound-heavy traffic flows observed (26:1 egress:ingress ratio).

In other words, a legitimate VPS host would not transmit hundreds of gigabytes out while receiving only a few gigabytes, so their claimed VPS services cannot explain the extremely high outbound traffic patterns.

Likewise, Packetware’s network activity shows the opposite traffic pattern of a small CDN (content delivery network), which would look like lots of data coming in from customers requesting web content.

This system sends out 26 times more data than it receives, which is backwards for a CDN.

  • 216+ GB transmitted vs. 8+ GB received per 12 hour period (26:1 ratio)

Plus, I’ve never been able to find a single actual Packetware customer, let alone so many they would need over (?) gigabytes of data delivery. In short, there’s no evidence at all to support the idea that this network does what Coristine says it does.

Big Balls Has a Lengthy History of Stealing Information. Do You Think He Stopped on January 20?

Big Balls started his hacking career making friends with The Com, a loose-knit hacker community that practices fascist Satanism/mysticism and delights in getting children to harm themselves. Good stuff.

From there, he was fired from the Path Network for leaking company secrets. https://www.cnn.com/2025/02/21/politics/doge-musk-edward-coristine-invs He immediately moved on to intern at Neuralink in summer 2024, which is where he likely caught Musk-senpai’s attention. For all we know, BB handed over the data he stole from his previous employer to land his new gig.

However, for as much as the media loves to dunk on this guy, everyone missed a key detail about BB. At least until July 2024, just months before he would be hired as Elon Musk’s right hand man and handed a top-level security clearance, Big Balls was still hosting malware sites spreading viruses around the Internet. https://securitytrails.com/domain/files.dog/history/a

https://www.virustotal.com/gui/file/e72589d08acbf7938b731e9d35983775ea6e4628251d069c6a282d51d6547080/behavior

In short, I seriously doubt Big Balls suddenly found religion the day he was handed one of the highest levels of government security clearance.

This Isn’t Normal

Normally, a Prometheus monitoring system pulls data from servers or applications, so the amount of data coming in and going out is fairly balanced—an equal give and take of information about system health and performance. Here, the system is sending far more data out than it receives, which is unusual if it was just monitoring. This strongly suggests it’s sending secret or stolen data out rather than just monitoring network metrics.

Because the network is so open, it’s quite possible that other hackers not originally connected to the system or authorized by the attacker are sneaking in and using these same proxies for their own purposes. This means the original attacker’s stolen data could be intercepted or compromised by these third parties, or others could use the network to launch attacks and cause chaos.

How Big Balls Can Move Federal Data Overseas

Here’s My Personal Theory

  1. Insider accesses U.S. federal government networks. Possibly uses Border Gateway Protocol (BGP) hijacking to create the illusion that the outgoing connection is legitimate, bypassing government firewalls.

  2. Data is sent from this origin point to a US-based proxy node that is part of the global Kubernetes cluster running global proxies.

  3. The data is then forwarded across multiple proxy servers located worldwide (Montreal, Ashburn, Amsterdam, Dallas, Los Angeles), bouncing through encrypted and containerized nodes to obscure its origin and path.

  4. After traveling around the globe to hide and confuse any observers, the data is delivered to remote SSH servers in Europe.

The SSA Whistleblower Corroborates the NLRB Whistleblower

The explosive new SSA whistleblower report has placed Edward “Big Balls” Coristine under fresh scrutiny.

One of the highest-ranking data officials at the Social Security Administration just dropped a bombshell: DOGE

Yet another federal whistleblower has come forward with explosive allegations: that DOGE transferred every American’s Social Security info into a private cloud no one else can access. Borges, a decorated US Navy veteran with over 20 years of service to our country, gives us insight in his disclosure into what DOGE is doing behind the scenes with all of our personal data, and it’s even worse than you think.

The drama that unfolded at SSA follows the same beats as an earlier whistleblower who says DOGE stole 10 gigabytes, or an entire encyclopedia’s worth, of data from the National Labor Relations Board.


If Big Balls Burns His Network after He Sees This, We’ll Know He Has Something Big to Hide

The Montreal Cluster’s traffic patterns tell a story that Packetware’s business model simply cannot explain. When a “hosting company” pushes out 26 times more data than it receives, with zero visible customers and wide-open security, the burden of proof shifts squarely to Coristine. If this network truly hosts websites instead of smuggling stolen government data, he should have no problem opening his logs to independent review.

Technical Analysis

BLUF: We assess with HIGH CONFIDENCE (85-90%) this infrastructure is designed as a global data exfiltration proxy network. The Prometheus monitoring system reveals a geographically distributed Kubernetes cluster with critical security misconfigurations, suspicious traffic patterns, and architectural choices optimized for covert data routing rather than legitimate monitoring.

KEY FINDINGS

1. Global Proxy Network Architecture

This system has computer servers spread across multiple countries, with most currently offline, suggesting a network designed to bounce data around the world to hide its source.

The infrastructure spans 5+ geographical locations:

  • Montreal, Canada (operational)

  • Amsterdam, Netherlands (down)

  • Ashburn, Virginia (down)

  • Dallas, Texas (down)

  • Los Angeles, California (down)

Only 3 of 7 nodes being operational suggests either recent disruption or intentional selective activation. This geographical distribution is ideal for multi-hop proxy routing to obscure data origins.

2. Critical Security Misconfigurations

The system is configured with dangerous security settings that allow anyone on the Internet to access it and extract information without authentication.

  • CORS Policy: --web.cors.origin=.* (wildcard access)

  • Network Binding: 0.0.0.0:9090 (publicly accessible)

  • Query Limits: 50 million samples (excessive resource allocation)

  • No authentication mechanisms detected

These configurations are incompatible with legitimate monitoring but perfect for covert data access and extraction operations.

3. Suspicious Data Management

The system only keeps data for 12 hours before deleting it, which is unusually short and suggests intentional evidence destruction. Standard monitoring retains data for 15+ days.

  • Retention Period: --storage.tsdb.retention.time=12h

  • Auto-reload: 30-second configuration refresh

  • Memory limits: 90% auto-tuned with aggressive garbage collection
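To show what a reviewer would actually check for the settings listed in sections 2 and 3, here is an added example. It is my own code, not anything from the original post and not anything recovered from the host it discusses. It parses a Prometheus command line and reports the exposure pattern described: the HTTP API bound to every interface with no `--web.config.file` (the flag through which Prometheus enables TLS and basic auth), a CORS origin that matches any site, and a retention window shorter than the 15 days the text cites as standard. The exposed command line is constructed from the flags listed above; the hardened counterpart and the `grafana.internal.example` origin are assumptions.

```python
"""Audit a Prometheus command line for the exposure pattern described above.

Added example, not code from the original post and not anything recovered
from the host it discusses. The command lines below are constructed from
the flags listed in the text; the hardened counterpart is an assumption.
"""
import re
import shlex

# Constructed: the flags the text reports (listen address, CORS, retention).
EXPOSED_CMDLINE = (
    "prometheus --config.file=/etc/prometheus/prometheus.yml "
    "--web.listen-address=0.0.0.0:9090 --web.cors.origin=.* "
    "--storage.tsdb.retention.time=12h --query.max-samples=50000000"
)

# Constructed: what a defensible deployment looks like. Bound to loopback
# behind a reverse proxy, TLS/basic auth supplied via --web.config.file
# (how Prometheus >= 2.24 secures its HTTP API), CORS pinned to one origin
# (grafana.internal.example is a placeholder), default 15d retention.
HARDENED_CMDLINE = (
    "prometheus --config.file=/etc/prometheus/prometheus.yml "
    "--web.listen-address=127.0.0.1:9090 "
    "--web.config.file=/etc/prometheus/web.yml "
    "--web.cors.origin=https://grafana.internal.example "
    "--storage.tsdb.retention.time=15d"
)

# Prometheus defaults, applied when a flag is absent from the command line.
DEFAULTS = {
    "web.listen-address": "0.0.0.0:9090",
    "web.cors.origin": ".*",
    "storage.tsdb.retention.time": "15d",
}

_UNIT_HOURS = {"s": 1 / 3600, "m": 1 / 60, "h": 1, "d": 24, "w": 168, "y": 365 * 24}


def parse_flags(cmdline):
    """Return {flag: value} for '--flag=value' tokens ('true' for a bare '--flag')."""
    flags = {}
    for tok in shlex.split(cmdline)[1:]:
        if tok.startswith("--"):
            name, _, value = tok[2:].partition("=")
            flags[name] = value or "true"
    return flags


def duration_hours(text):
    """Convert a Prometheus duration literal such as '12h' or '15d' to hours."""
    m = re.fullmatch(r"(\d+)([smhdwy])", text.strip())
    if not m:
        raise ValueError(f"unrecognised duration: {text!r}")
    return int(m.group(1)) * _UNIT_HOURS[m.group(2)]


def audit(cmdline, min_retention_hours=15 * 24):
    """Return a list of (finding_id, message) for the risky settings found."""
    flags = {**DEFAULTS, **parse_flags(cmdline)}
    findings = []

    listen = flags["web.listen-address"]
    host = listen.rsplit(":", 1)[0].strip("[]")
    if host in ("", "0.0.0.0", "::"):
        findings.append(("listen-all-interfaces",
                         f"HTTP API bound to every interface ({listen}); reachable "
                         "from any network that can route to the host"))

    if "web.config.file" not in flags:
        findings.append(("no-web-config",
                         "no --web.config.file, so no TLS and no basic auth on the "
                         "query, status and config endpoints"))

    if flags["web.cors.origin"] in (".*", "*"):
        findings.append(("cors-wildcard",
                         "--web.cors.origin matches any origin, so a page on any "
                         "site can read the API from a visitor's browser"))

    hours = duration_hours(flags["storage.tsdb.retention.time"])
    if hours < min_retention_hours:
        findings.append(("short-retention",
                         f"retention {flags['storage.tsdb.retention.time']} leaves "
                         f"only {hours:g} hours of history for any investigation"))
    return findings


if __name__ == "__main__":
    for label, cmd in (("exposed", EXPOSED_CMDLINE), ("hardened", HARDENED_CMDLINE)):
        results = audit(cmd)
        print(f"{label}: {len(results)} finding(s)")
        for fid, msg in results:
            print(f"  [{fid}] {msg}")
```

The listen address and CORS checks fall back to Prometheus’s own defaults when the flag is absent, because a server launched with no flags at all ends up in the same exposed state as the constructed command line; the retention threshold is the 15-day figure the text uses and can be tuned per environment.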

4. Advanced Container Orchestration for Traffic Obfuscation

The system uses sophisticated container technology that can quickly create and destroy virtual machines to hide the path data takes through the network. This architecture enables sophisticated traffic routing and makes forensic analysis of *what* data is in transit difficult.

  • 20+ active LXC containers with dynamic networking

  • Cilium service mesh providing advanced overlay networking

  • Kubernetes orchestration across multiple nodes

  • Envoy proxy endpoints at multiple geographical locations

5. Anomalous Traffic Patterns

On February 6, 2025, Packetware’s Kubernetes cluster received approximately **37.7 TB of data** and sent approximately 55.9 TB over a 12-hour window, yielding an egress:ingress ratio of about 1.5:1.

Key namespaces driving traffic:

  • kube-system: ~31.9 TB received, ~31.9 TB sent

  • internal: ~4.9 TB received, ~9.4 TB sent

  • cilium-test-1: ~4.3 TB received, ~6.4 TB sent

On August 29, 2025, the same Kubernetes cluster sent **26 times more data** than it received, which is the opposite of normal monitoring and suggests large-scale data exfiltration. Legitimate monitoring typically shows balanced or inbound-heavy traffic.

  • Outbound traffic: ~216 GB per 12 hours transmitted

  • Inbound traffic: ~8 GB received

  • Ratio: 26:1 outbound bias

  • Network capacity: 1.25 GB/s on most interfaces

Some of this volume likely reflects internal hops (data bouncing between containers and nodes), so the raw container-level totals may overstate the true volume of exfiltrated data. However, even accounting for intra-cluster duplication, the sheer scale of outbound traffic **far exceeds** any benign use case.
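The per-namespace figures and the 26:1 ratio in this section, like the plain-language summary earlier, come from Prometheus counters, and the way to reproduce that kind of number is to take two scrapes of the per-container network counters and subtract. The following is an added example (my own code, not the post’s data and not Packetware’s) that parses the Prometheus text exposition format, computes the byte delta per namespace between two constructed snapshots, handles a counter reset from a restarted pod, and reports the cluster-wide egress:ingress ratio. The metric names are cAdvisor’s standard `container_network_*_bytes_total` series; the snapshots, pod names, byte counts and the 5:1 flagging threshold are constructed.

```python
"""Egress:ingress analysis from two scrapes of per-container network counters.

Added example, not the post's data and not Packetware's code. The snapshots
below are constructed in the Prometheus text exposition format using
cAdvisor's standard container_network_*_bytes_total series; pod names and
byte counts are invented, sized so the cluster-wide ratio lands near the
26:1 figure discussed in the text.
"""
import re
from collections import defaultdict

RX = "container_network_receive_bytes_total"
TX = "container_network_transmit_bytes_total"

# Constructed scrape at the start of the window.
SNAPSHOT_T0 = """\
# HELP container_network_receive_bytes_total Cumulative count of bytes received
# TYPE container_network_receive_bytes_total counter
container_network_receive_bytes_total{namespace="internal",pod="proxy-a",interface="eth0"} 1.0e9
container_network_receive_bytes_total{namespace="internal",pod="proxy-b",interface="eth0"} 2.0e9
container_network_receive_bytes_total{namespace="kube-system",pod="cilium-x",interface="eth0"} 3.0e9
# TYPE container_network_transmit_bytes_total counter
container_network_transmit_bytes_total{namespace="internal",pod="proxy-a",interface="eth0"} 5.0e9
container_network_transmit_bytes_total{namespace="internal",pod="proxy-b",interface="eth0"} 9.0e9
container_network_transmit_bytes_total{namespace="kube-system",pod="cilium-x",interface="eth0"} 3.0e9
"""

# Constructed scrape 12 hours later. proxy-b restarted in between, so its
# counters are lower than before (a counter reset, handled in counter_delta).
SNAPSHOT_T1 = """\
container_network_receive_bytes_total{namespace="internal",pod="proxy-a",interface="eth0"} 7.0e9
container_network_receive_bytes_total{namespace="internal",pod="proxy-b",interface="eth0"} 0.5e9
container_network_receive_bytes_total{namespace="kube-system",pod="cilium-x",interface="eth0"} 4.5e9
container_network_transmit_bytes_total{namespace="internal",pod="proxy-a",interface="eth0"} 205.0e9
container_network_transmit_bytes_total{namespace="internal",pod="proxy-b",interface="eth0"} 4.0e9
container_network_transmit_bytes_total{namespace="kube-system",pod="cilium-x",interface="eth0"} 15.0e9
"""

SAMPLE_RE = re.compile(r"^([A-Za-z_:][A-Za-z0-9_:]*)(?:\{([^}]*)\})?\s+(\S+)")
LABEL_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="((?:[^"\\]|\\.)*)"')


def parse_exposition(text):
    """Yield (metric, labels, value) for each sample line, skipping comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SAMPLE_RE.match(line)
        if m:
            yield m.group(1), dict(LABEL_RE.findall(m.group(2) or "")), float(m.group(3))


def counter_delta(earlier, later):
    """Counters only grow; a drop means a restart, so the later value alone is
    the best lower bound for bytes moved since the earlier scrape."""
    return later if later < earlier else later - earlier


def namespace_traffic(snapshot_t0, snapshot_t1):
    """Return {namespace: (rx_bytes, tx_bytes)} moved between the two scrapes."""
    def index(text):
        return {(name, labels.get("namespace"), labels.get("pod"), labels.get("interface")): value
                for name, labels, value in parse_exposition(text) if name in (RX, TX)}
    t0, t1 = index(snapshot_t0), index(snapshot_t1)
    totals = defaultdict(lambda: [0.0, 0.0])
    for key, later in t1.items():
        name, ns = key[0], key[1]
        # A pod absent at t0 started inside the window: all of its bytes count.
        delta = counter_delta(t0.get(key, 0.0), later)
        totals[ns][1 if name == TX else 0] += delta
    return {ns: (rx, tx) for ns, (rx, tx) in totals.items()}


def egress_bias(traffic, threshold=5.0):
    """Return ({namespace: tx/rx ratio} above threshold, cluster-wide tx/rx ratio)."""
    total_rx = sum(rx for rx, _ in traffic.values())
    total_tx = sum(tx for _, tx in traffic.values())
    flagged = {ns: tx / rx for ns, (rx, tx) in traffic.items() if rx > 0 and tx / rx > threshold}
    return flagged, (total_tx / total_rx if total_rx > 0 else float("inf"))


if __name__ == "__main__":
    traffic = namespace_traffic(SNAPSHOT_T0, SNAPSHOT_T1)
    flagged, ratio = egress_bias(traffic)
    for ns, (rx, tx) in sorted(traffic.items()):
        print(f"{ns:12s} rx {rx / 1e9:7.1f} GB  tx {tx / 1e9:7.1f} GB  ratio {tx / rx:5.1f}:1")
    print(f"cluster-wide egress:ingress {ratio:.1f}:1; flagged: {sorted(flagged)}")
```

Against a live server the same per-namespace figure is what `sum by (namespace) (increase(container_network_transmit_bytes_total[12h]))` returns, and dividing it by the matching receive series gives the ratio directly; parsing the text format by hand is only needed when working from archived scrapes, such as the web archive linked earlier. Note that a single interval cannot separate bytes that left the cluster from bytes that merely hopped between its own pods, which is the caveat the paragraph above makes.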

Methods

Primary Evidence Sources:

  • Direct technical analysis of Packetware’s Prometheus configuration files and metrics data. Observation period between February 2025 and present (August 2025)

  • Quantitative network traffic pattern analysis

  • Infrastructure architecture assessment against known attack patterns

  • Literature review of BGP hijacking and network obfuscation techniques

Probability Weighting Criteria:

  • Systematic security misconfigurations indicating deliberate design rather than accidental exposure (40% weight)

  • Quantitative analysis of inbound/outbound traffic ratios compared to legitimate monitoring baselines (30% weight)

  • Production-grade infrastructure (20% weight)

  • Destruction of logs every 12 hours (10% weight)


Technical Analysis:

  • Outbound Traffic: 216+ GB transmitted vs. 8+ GB received (26:1 ratio)

  • Container Transmit Rates: Montreal node at 1.15 MB/s, control-planes at 466-715 KB/s

  • Interface Disparity: Low interface traffic (5 KB/s) vs. high container traffic suggests traffic aggregation/obfuscation

The evidence strongly supports the assessment that this infrastructure represents a sophisticated global data exfiltration proxy network. The combination of geographical distribution, security misconfigurations, traffic patterns, and advanced container orchestration creates an ideal platform for covert data routing and exfiltration operations.

Packetware’s system allows any website or user anywhere in the world to access it without restrictions. This likely means the network owner wants trusted collaborators to be able to use these proxies remotely from anywhere, without needing credentials. It could also allow automated tools or bots worldwide to interface with the system for coordinating or distributing stolen data without detection.

Because the network is so open, it’s quite possible that other hackers not originally connected to the system or authorized by the attacker are sneaking in and using these same proxies for their own purposes. This means the original attacker’s stolen data could be intercepted or compromised by these third parties, or others could use the network to launch attacks and cause chaos, making it riskier for the original operator.

Thoughts to Add

a nice network attack flow diagram

ssh server analysis, maybe just for technical version? i wld have to get into bgp route hijacking

reach out to lawyers in case they burn the network?

Sus Doge Named Servers

LA Vultr

https://www.shodan.io/host/45.77.125.22

Germany Hetzner DOGE rdp with login screen

https://www.shodan.io/host/135.181.86.101

Finland Hetzner H-DOGE-PC

https://www.shodan.io/host/37.27.235.245
