Democrats Can Launch Criminal Investigations into DOGE, Today.

Dozens of investigations can bring accountability top to bottom, and Democrats have the power right now.

Feb 16, 2026

Cross-posted by The Existentialist Republic

"This is brilliant, and has specific action steps we can all do! "

(Image credit: Illustration by Julia Wytrazek / Getty Images)

Every state in the country can investigate and criminally prosecute the people who ran DOGE. That's a legal fact, and it fell out of a routine exchange between one of the Existentialist Republic's followers and the Washington State Attorney General's office.

Every state constitution grants its attorney general different authority. Some can prosecute independently; others need a referral from a county prosecutor or a governor. The specifics will vary. But what happened in Washington shows how reaching out and engaging the system teaches you exactly how it works and where to push next. The process is the same everywhere, even if the statutes aren't.

She wrote asking about investigating and criminally prosecuting corrupt federal officials. She got a letter back from a staffer in the Policy Division, a courteous and thorough response that explained the legal landscape, pointed to the AG's ongoing civil litigation, and offered contact information for her state legislators.

But the letter also explained that under Washington state law and the state constitution, the Attorney General can't investigate or prosecute crimes without a referral from a county prosecutor or the governor. The staffer then pivoted to the four dozen civil lawsuits AG Nick Brown has filed against the Trump administration, and Brown deserves credit for that. He's among the most aggressive AGs in the country right now on the civil side. Civil suits and criminal prosecution are two completely different tools, though, and the letter blurs that line. She asked about criminal prosecution, and the office answered by talking about civil suits. Those lawsuits can slow things down, block specific actions, buy time. They're a necessary but not sufficient part of the equation. The people dismantling federal agencies and looting public funds aren't afraid of injunctions. They're afraid of handcuffs.

Now, I want to be fair here. We don't know what Brown is doing behind the scenes. He may be laying groundwork for criminal referrals that we can't see yet. He may be coordinating with county prosecutors privately. The letter doesn't tell us either way, and I don't want us assuming the worst because it doesn't gain us allies among the officials we hope to persuade. What I can say is that the public posture of the office, based on this letter, doesn't suggest that criminal prosecution is on their radar. And that's the gap we need to close.

The letter tells us what we need to do. The AG needs a referral to prosecute. County prosecutors and the governor can make that referral. That's the lock and the key, described in the same letter. The next step was obvious: contact the county prosecutor and the governor and ask them to refer specific criminal conduct to the AG for investigation.

But "specific" is the word that matters. A vague letter about federal overreach gets a vague response. We needed crimes with names, statutes, and victims who live in Washington.

We didn't have to look far.

On January 16, 2026, the Department of Justice filed a "Notice of Corrections to the Record" in AFSCME v. Social Security Administration, a lawsuit pending in the U.S. District Court for the District of Maryland.1 The filing corrected numerous statements that top SSA officials had previously made to the court, and the corrections painted a picture of systematic misconduct by DOGE employees embedded at the agency.

The filing revealed that from March 7 to March 17, 2025, DOGE team members used a third-party server called Cloudflare to share SSA data among themselves. Cloudflare is not approved for storing SSA data, and the agency did not know DOGE employees were using it until a review months later.1 Because Cloudflare is a third-party entity, SSA has not been able to determine what data was shared or whether it still exists on that server.1 The SSA maintains records that can include names, Social Security numbers, dates of birth, addresses, citizenship status, parents' names, bank account information, medical histories, wage records, and tax return data on hundreds of millions of Americans.2 We don't know which of those categories ended up on the Cloudflare server. That's exactly the problem.

On March 3, 2025, a DOGE team member sent an encrypted, password-protected file to the Department of Homeland Security, copying DOGE adviser Steve Davis and a DOGE employee at the Department of Labor.3 The SSA believes the file contained the names and addresses of roughly 1,000 people derived from SSA systems. The agency's Chief Information Office has been unable to access the file to determine exactly what it contained.3 That's SSA data leaving the building, going to DOGE leadership at other agencies, in a format the agency itself cannot open or verify.

The filing also revealed that a political advocacy group contacted two members of SSA's DOGE team with a request to analyze state voter rolls that the group had acquired. The group's stated aim was to find evidence of voter fraud and to overturn election results in certain states.1 One of the DOGE team members signed a "Voter Data Agreement" with the group in his capacity as an SSA employee and sent the executed agreement back on March 24, 2025.1 The agreement was never reviewed or approved through SSA's data exchange procedures. The agency only discovered it during an unrelated review in November 2025 and made two Hatch Act referrals to the Office of Special Counsel in late December.1 The SSA has not yet confirmed whether agency data was actually shared with the group, but email communications reviewed by SSA suggest that DOGE team members could have been asked to assist the group by accessing SSA data to match against the voter rolls.1

That alone would be enough to warrant a criminal investigation. But reporting by NPR, drawing on public records obtained by the watchdog group American Oversight, fills in the picture further.

Aram Moghaddassi, a DOGE engineer who held simultaneous roles at SSA and the Department of Homeland Security, was granted access to a DHS data system called SAVE that checks individuals' citizenship and immigration status.4 On March 15, 2025, he wrote to SSA officials that this access was "absolutely critical to get detailed immigration status for non-citizen SSNs to detect fraud and improper payments."4 Later that same week, Moghaddassi emailed the deputy chief of staff for Florida Governor Ron DeSantis from a DHS email account. "We're working on SAVE access for Florida law enforcement now," he wrote. "On our end, Florida voter registration and voting data would be helpful immediately to check for voter fraud."4 Court filings at the time indicated his work at SSA was supposed to focus on death data and reducing improper payments.4

Antonio Gracias, a private equity investor and ally of DOGE leader Elon Musk who was working with DOGE inside SSA, was copied on Moghaddassi's SAVE access request.4 Days later, at a March 30 rally in Wisconsin with Musk, Gracias publicly claimed that a sample review of Social Security data matched against voter rolls had found noncitizens who were registered and cast a ballot.4 The temporary restraining order that Judge Ellen Hollander had issued on March 20 was still in effect at the time, which raises the obvious question of how Gracias obtained the data he claimed to have analyzed.

NPR also reported that a DHS official briefed Cleta Mitchell's Election Integrity Network, a group led by an activist involved in efforts to overturn the 2020 election, about changes the administration was making to the SAVE system, before those details had been shared publicly.4

The agency's former chief data officer, Chuck Borges, filed a whistleblower complaint warning that DOGE employees put the records of more than 300 million Americans at risk by creating a copy of the SSA's Numident database in a vulnerable cloud environment without following required security protocols.5 The SSA denied his claims and forced him to involuntarily resign.5 His attorney, Debra Katz, stated after the January 2026 court filing that the government had conceded many of his allegations were accurate.6

When you line all of this up, a pattern of conduct emerges that goes well beyond careless data handling. DOGE employees moved SSA data to unauthorized servers. They sent encrypted files containing personal information to DOGE leadership at other agencies. One signed an agreement with a political group seeking to overturn elections. Another simultaneously reached out to a state governor's office about matching federal data against voter rolls. A Musk ally publicly claimed to have done exactly the kind of data matching the Voter Data Agreement described. And the agency's own chief data officer warned about all of it, was told he was wrong, and was pushed out. None of this was reviewed or approved through SSA's standard procedures. None of it was disclosed to the federal judge overseeing the case until the government was forced to correct the record months later.

Here is where it opens up for the entire country. Most states already have the statutes we need. Identity theft laws, cybercrime acts, and venue provisions that let prosecutors charge crimes where the victim lives rather than where the defendant sat when they committed them. Washington is the example because that's where the letter came from, but the legal architecture looks similar almost everywhere.

RCW 9.35.020 makes it a felony to knowingly obtain, possess, use, or transfer another person's financial information or means of identification with intent to commit or aid any crime.7 The statute requires intent, and that's where the pattern of conduct matters. Moving data to an unauthorized server, standing alone, might look like an IT policy violation. But when the data movement happens alongside a signed agreement to use SSA data for partisan election operations, alongside outreach to a state governor's office about voter data, alongside public claims of having matched Social Security records against voter rolls, the conduct stops looking accidental and starts looking like a coordinated effort to harvest personal information for unauthorized political purposes. Using government data for partisan political operations violates the Hatch Act. Accessing and transferring personal information as part of a scheme to violate the Hatch Act satisfies the "intent to commit or aid any crime" element of the identity theft statute.

Washington's Cybercrime Act, RCW 9A.90, provides additional tools. Electronic data tampering in the first degree covers malicious and unauthorized alteration of data maintained by a government agency, and electronic data theft applies when someone intentionally and without authorization devises or executes any scheme to defraud, deceive, or commit any other crime, or wrongfully obtains electronic data.8

And critically, RCW 9.35.020(8) says the crime of identity theft is considered committed in any locality where the victim resides, regardless of whether the defendant was ever actually in that locality.7

It doesn't matter that the DOGE employees were sitting in Washington, D.C., when they moved the data. If the victims live in Washington state, the crime is considered committed in Washington state. The defendant never has to have set foot there.

Washington isn't alone in this. North Carolina, Minnesota, Georgia, Illinois, Nebraska, and dozens of other states have similar venue provisions in their identity theft statutes that define the crime as committed where the victim resides.9 The SSA holds records on virtually every American who has ever received a federal payment, worked a job, or filed taxes. Victims live in all 50 states, and most state identity theft statutes allow prosecution where those victims live.

Now add dual sovereignty. State criminal prosecutions operate independently from the federal system. A presidential pardon can't reach a state conviction. And federal officials don't have blanket immunity from state prosecution. As Lawfare documented extensively, states have a long history of prosecuting federal actors for state crimes stretching back to the early 1800s, and the Supreme Court has emphasized that federal employees don't secure general immunity from state law while acting in the course of their employment.10 When federal officials exceed the scope of their authorized duties, that shield disappears.

The best defense a DOGE attorney could raise is the Supremacy Clause, which protects federal officials from state prosecution when they're acting reasonably and within the bounds of their authorized duties. But the SSA itself didn't know its data was being moved to a Cloudflare server. The agency's own review found the conduct was potentially outside SSA policy. The Hatch Act referrals confirm the SSA viewed the Voter Data Agreement as unauthorized. When the agency that employs you says what you did was outside policy, the Supremacy Clause argument collapses.

We can't prove today that any specific Washington resident's data ended up on that Cloudflare server or in the encrypted file sent to DHS, because the SSA itself can't determine that. That's exactly the argument for an investigation, not a prosecution. We're asking county prosecutors and governors to refer these matters to their state attorneys general so they can determine whether residents of their states were victims of crimes under state law.

I put together three letters for her. Two of them are the emails referenced in the title. The first goes to her county prosecutor. The second goes to the governor. Both ask for the same thing: a criminal referral to the AG under RCW 43.10.232. The third goes back to the AG's office to let them know the referrals are on the way. If you're in Washington, you can use these now.

Email 1: To Your County Prosecutor

Dear [County Prosecutor's Name],

I'm writing to request that your office refer a matter to Attorney General Nick Brown for criminal investigation under RCW 43.10.232.

In a January 16, 2026 court filing in AFSCME v. Social Security Administration (D. Md., No. 1:25-cv-00596), the U.S. Department of Justice admitted that employees of the Department of Government Efficiency, while embedded at the Social Security Administration, transferred agency data to an unauthorized third-party server called Cloudflare outside all SSA security protocols. The SSA has confirmed it cannot determine what data was shared or whether it still exists on that server. A DOGE team member also sent an encrypted file believed to contain the names and addresses of roughly 1,000 people to the Department of Homeland Security and DOGE leadership, and the SSA has been unable to access the file to verify its contents.

The filing further revealed that a DOGE employee signed a "Voter Data Agreement" with a political advocacy group seeking to match Social Security records against state voter rolls to overturn election results in certain states. The SSA made two Hatch Act referrals to the Office of Special Counsel as a result. Separately, NPR has reported that DOGE engineer Aram Moghaddassi contacted the Florida governor's office about state voter data while working simultaneously at SSA and DHS, and that a DOGE associate publicly claimed to have matched SSA data against voter rolls at a political rally.

SSA records include the personal information of Washington residents in [your county]. This conduct may constitute violations of Washington's identity theft statute (RCW 9.35.020) and the Washington Cybercrime Act (RCW 9A.90). Federal officials do not have blanket immunity from state criminal prosecution when they exceed the scope of their authorized duties.

I'm asking you to refer this matter to Attorney General Brown so his Criminal Justice Division can investigate whether Washington residents were victims of state crimes. The AG's office has confirmed it needs a referral from a county prosecutor or the governor to act. You have the authority to open that door.

Thank you for your time and your service to our community.

Sincerely,

[Your Name]

[Your Address]

Email 2: To the Governor

Dear Governor Ferguson,

I'm writing to request that your office refer a matter to Attorney General Nick Brown for criminal investigation under RCW 43.10.232.

The filing further revealed that a DOGE employee signed a "Voter Data Agreement" with a political advocacy group seeking to match Social Security records against state voter rolls to overturn election results in certain states. The SSA made two Hatch Act referrals to the Office of Special Counsel as a result. Separately, NPR has reported that a DOGE engineer contacted the Florida governor's office about state voter data while working simultaneously at SSA and DHS, and that a DOGE associate publicly claimed to have matched SSA data against voter rolls at a political rally.

These actions may constitute violations of Washington's identity theft statute (RCW 9.35.020) and the Washington Cybercrime Act (RCW 9A.90). The personal information of millions of Washington residents is contained in SSA records. Federal officials do not have blanket immunity from state criminal prosecution when they exceed the scope of their authorized duties, and a state conviction cannot be erased by a presidential pardon.

The Attorney General's office has confirmed it requires a referral from a county prosecutor or the governor to investigate and prosecute criminal matters. I'm asking you to make that referral so Attorney General Brown can determine whether Washington residents were victims of state crimes.

Thank you for your leadership.

Sincerely,

[Your Name]

[Your Address]

Email 3: Reply to the AG's Office

Dear Ms. Austin Hall,

Thank you for your response. I appreciate learning about the referral requirement under Washington law.

Based on your explanation that the Attorney General's office requires a referral from a county prosecutor or the governor to investigate and prosecute criminal matters, I've written to both my county prosecutor and Governor Ferguson requesting that they make such a referral. Specifically, I've asked them to refer the matter of DOGE employees' handling of Social Security Administration data, as described in the January 2026 DOJ court filing and subsequent reporting, for investigation under Washington's identity theft statute (RCW 9.35.020) and the Washington Cybercrime Act (RCW 9A.90).

I wanted your office to be aware that this request is coming, and I hope Attorney General Brown will be prepared to act when the referral arrives.

Sincerely,

[Your Name]

If you're in Washington, you can use these letters now. Send them today.

If you're in another state, the underlying legal architecture is the same: state identity theft laws, venue provisions that follow the victim, dual sovereignty that makes convictions pardon-proof, and a DOJ court filing where the administration admitted the conduct. The statutes differ, the referral mechanisms depend on each state's constitution, and some AGs can prosecute independently while others need the same kind of referral Brown does. But every state with residents in the SSA database has the raw material to do what we just did in Washington.

Comment your state on this post and we will get you your state's relevant statutes.