DOGE bro Kyle Schutt's computer infected by malware, credentials found in stealer logs
Kyle Schutt is a 37-year-old "DOGE software engineer," according to ProPublica. In February, Drop Site News reported that he gained access to FEMA's "core financial management system." His computer was apparently compromised with malware, because his email address and passwords have shown up in four separate stealer log datasets, all of them published since late 2023.
Searching Have I Been Pwned for his personal Gmail address (which I'm not sharing) shows that he appears in 51 data breaches and in 5 pastes. These include a 2013 breach of 153 million Adobe users, a 2016 breach of 164 million LinkedIn users, a 2020 breach of 167 million users from Gravatar, a 2024 breach of the conservative news site The Post Millennial, and many more.
Being included in a data breach doesn’t mean you did anything wrong. It just means a website you were using was hacked. (Though, 51 different data breaches is particularly impressive.)
Everyone who has ever used the internet is included in data breaches. The only way to protect yourself when this inevitably happens is to maintain good account security:
- Use a password manager
- Use strong passwords for all of your accounts
- Never reuse passwords across accounts
- Use two-factor authentication everywhere you can
If you follow these steps, it doesn't matter so much if your data is included in a breach because 1) your password is strong, so it should be difficult or impossible to crack, 2) even if your password is recovered, you don't reuse it anywhere else, and 3) if anyone tries logging in as you, they won't be able to because of 2FA.
But some of the datasets that Schutt is included in are much more concerning than normal data breaches because they're from stealer logs.
Stealer logs are collections of URLs paired with usernames and passwords, compiled with the help of malware. If malware infects your device, it can do things like log your keystrokes or record everything entered into forms in your web browser – building a list of your usernames and passwords for various websites – and then send this data back to the person who controls the malware. This is where stealer log data comes from.
I have no way of knowing exactly when Schutt's computer was hacked, or how many times. I don't know nearly enough about the origins of these stealer log datasets. He might have gotten hacked years ago and the stealer log datasets were just published recently.
But he also might have gotten hacked within the last few months.
There's a good chance that DOGE staff are using dedicated work devices. This would be smart, because if Schutt's personal computer has malware on it, at least he wouldn't be using it for his DOGE work, where he's crippling social services and taking food from starving babies and whatnot.
On the other hand, DOGE is run by an incompetent idiot, so there's also a good chance that DOGE staff have been using their personal computers. In Schutt's case, maybe his personal computer that's infected by malware, recording all of the usernames and passwords he types in?
Here are the stealer log datasets that Schutt's email address was found in, with descriptions of each dataset, along with links to blog posts explaining them in more detail, from Have I Been Pwned:
Naz.API
In September 2023, over 100GB of stealer logs and credential stuffing lists titled "Naz.API" was posted to a popular hacking forum. The incident contained a combination of email address and plain text password pairs alongside the service they were entered into, and standalone credential pairs obtained from unnamed sources. In total, the corpus of data included 71M unique email addresses and 100M unique passwords.
Stealer Logs Posted to Telegram
In July 2024, info stealer logs with 26M unique email addresses were collated from malicious Telegram channels. The data contained 22GB of logs consisting of email addresses, passwords and the websites they were used on, all obtained by malware running on infected machines.
Stealer Logs, Jan 2025
In January 2025, stealer logs with 71M email addresses were added to HIBP. Consisting of email address, password and the website the credentials were entered against, this breach marks the launch of a new HIBP feature enabling the retrieval of the specific websites the logs were collected against.
ALIEN TXTBASE Stealer Logs
In February 2025, 23 billion rows of stealer logs were obtained from a Telegram channel known as ALIEN TXTBASE. The data contained 284M unique email addresses alongside the websites they were entered into and the passwords used.
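As an added example (not from the original post or from Have I Been Pwned), here is how a defender handed a stealer-log extract could triage it for one email domain: which sites each address was captured on, and whether a password repeats across sites. The `URL:login:password` line layout, the sample lines and the function names are assumptions; passwords are only hashed, never stored.

```python
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlsplit

EMAIL = re.compile(r"^[^@\s/]+@[^@\s/]+\.[^@\s/]+$")

# Constructed sample; the "URL:login:password" layout is an assumption, real dumps vary.
SAMPLE_LOG = """\
https://mail.example.com/login:alice@example.org:Summer2023!
https://portal.example.net:8443/sso:alice@example.org:Summer2023!
example.com/signin:alice@example.org:a:b:c
https://shop.example.com/:carol@other.test:pw
not a credential line
"""

def parse_line(line):
    """Return (host, login, password) or None; URLs and passwords may contain ':'."""
    fields = line.strip().split(":")
    for i in range(1, len(fields) - 1):
        if EMAIL.match(fields[i]):  # first email-shaped field is taken as the login
            url = ":".join(fields[:i])
            host = urlsplit(url if "://" in url else "//" + url).hostname
            password = ":".join(fields[i + 1:])
            return (host, fields[i].lower(), password) if host and password else None
    return None

def exposure_report(text, email_domain):
    """Per login at email_domain: affected hosts, and whether a password repeats across hosts."""
    suffix = "@" + email_domain.lower()
    pw_hosts = defaultdict(lambda: defaultdict(set))  # login -> password digest -> hosts
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[1].endswith(suffix):
            host, login, password = parsed
            digest = hashlib.sha256(password.encode()).hexdigest()  # no plaintext kept
            pw_hosts[login][digest].add(host)
    return {login: {"hosts": sorted(set().union(*by_pw.values())),
                    "reused": any(len(h) > 1 for h in by_pw.values())}
            for login, by_pw in pw_hosts.items()}

if __name__ == "__main__":
    for login, info in exposure_report(SAMPLE_LOG, "example.org").items():
        print(login, info)
```

Every host in the report is an account that needs its password changed and its sessions revoked; a `reused` flag means the same password was captured on more than one site.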
And, as a side note, Kyle Schutt's Google Calendar is public (though he's hiding event details), lol.