Democrats Can Launch Criminal Investigations into DOGE, Today.
Dozens of investigations can bring accountability top to bottom, and Democrats have the power right now.
Every state in the country can investigate and criminally prosecute the people who ran DOGE. That's a legal fact, and it fell out of a routine exchange between one of the Existentialist Republic's followers and the Washington State Attorney General's office.
Every state constitution grants its attorney general different authority. Some can prosecute independently; others need a referral from a county prosecutor or a governor. The specifics will vary. But what happened in Washington shows how reaching out and engaging the system teaches you exactly how it works and where to push next. The process is the same everywhere, even if the statutes aren't.
She wrote asking about investigating and criminally prosecuting corrupt federal officials. She got a letter back from a staffer in the Policy Division, a courteous and thorough response that explained the legal landscape, pointed to the AG's ongoing civil litigation, and offered contact information for her state legislators.
But the letter also explained that under Washington state law and the state constitution, the Attorney General can't investigate or prosecute crimes without a referral from a county prosecutor or the governor. The staffer then pivoted to the four dozen civil lawsuits AG Nick Brown has filed against the Trump administration, and Brown deserves credit for that. He's among the most aggressive AGs in the country right now on the civil side. Civil suits and criminal prosecution are two completely different tools, though, and the letter blurs that line. She asked about criminal prosecution, and the office answered by talking about civil suits. Those lawsuits can slow things down, block specific actions, buy time. They're a necessary but not sufficient part of the equation. The people dismantling federal agencies and looting public funds aren't afraid of injunctions. They're afraid of handcuffs.
Now, I want to be fair here. We don't know what Brown is doing behind the scenes. He may be laying groundwork for criminal referrals that we can't see yet. He may be coordinating with county prosecutors privately. The letter doesn't tell us either way, and I don't want us assuming the worst because it doesn't gain us allies among the officials we hope to persuade. What I can say is that the public posture of the office, based on this letter, doesn't suggest that criminal prosecution is on their radar. And that's the gap we need to close.
The letter tells us what we need to do. The AG needs a referral to prosecute. County prosecutors and the governor can make that referral. That's the lock and the key, described in the same letter. The next step was obvious: contact the county prosecutor and the governor and ask them to refer specific criminal conduct to the AG for investigation.
But "specific" is the word that matters. A vague letter about federal overreach gets a vague response. We needed crimes with names, statutes, and victims who live in Washington.
We didn't have to look far.
On January 16, 2026, the Department of Justice filed a "Notice of Corrections to the Record" in AFSCME v. Social Security Administration, a lawsuit pending in the U.S. District Court for the District of Maryland.[1] The filing corrected numerous statements that top SSA officials had previously made to the court, and the corrections painted a picture of systematic misconduct by DOGE employees embedded at the agency.
The filing revealed that from March 7 to March 17, 2025, DOGE team members used a third-party server called Cloudflare to share SSA data among themselves. Cloudflare is not approved for storing SSA data, and the agency did not know DOGE employees were using it until a review months later.[1] Because Cloudflare is a third-party entity, SSA has not been able to determine what data was shared or whether it still exists on that server.[1] The SSA maintains records that can include names, Social Security numbers, dates of birth, addresses, citizenship status, parents' names, bank account information, medical histories, wage records, and tax return data on hundreds of millions of Americans.[2] We don't know which of those categories ended up on the Cloudflare server. That's exactly the problem.
On March 3, 2025, a DOGE team member sent an encrypted, password-protected file to the Department of Homeland Security, copying DOGE adviser Steve Davis and a DOGE employee at the Department of Labor.[3] The SSA believes the file contained the names and addresses of roughly 1,000 people derived from SSA systems. The agency's Chief Information Office has been unable to access the file to determine exactly what it contained.[3] That's SSA data leaving the building, going to DOGE leadership at other agencies, in a format the agency itself cannot open or verify.
The filing also revealed that a political advocacy group contacted two members of SSA's DOGE team with a request to analyze state voter rolls that the group had acquired. The group's stated aim was to find evidence of voter fraud and to overturn election results in certain states.[1] One of the DOGE team members signed a "Voter Data Agreement" with the group in his capacity as an SSA employee and sent the executed agreement back on March 24, 2025.[1] The agreement was never reviewed or approved through SSA's data exchange procedures. The agency only discovered it during an unrelated review in November 2025 and made two Hatch Act referrals to the Office of Special Counsel in late December.[1] The SSA has not yet confirmed whether agency data was actually shared with the group, but email communications reviewed by SSA suggest that DOGE team members could have been asked to assist the group by accessing SSA data to match against the voter rolls.[1]
That alone would be enough to warrant a criminal investigation. But reporting by NPR, drawing on public records obtained by the watchdog group American Oversight, fills in the picture further.
Aram Moghaddassi, a DOGE engineer who held simultaneous roles at SSA and the Department of Homeland Security, was granted access to a DHS data system called SAVE that checks individuals' citizenship and immigration status.[4] On March 15, 2025, he wrote to SSA officials that this access was "absolutely critical to get detailed immigration status for non-citizen SSNs to detect fraud and improper payments."[4] Later that same week, Moghaddassi emailed the deputy chief of staff for Florida Governor Ron DeSantis from a DHS email account. "We're working on SAVE access for Florida law enforcement now," he wrote. "On our end, Florida voter registration and voting data would be helpful immediately to check for voter fraud."[4] Court filings at the time indicated his work at SSA was supposed to focus on death data and reducing improper payments.[4]
Antonio Gracias, a private equity investor and ally of DOGE leader Elon Musk who was working with DOGE inside SSA, was copied on Moghaddassi's SAVE access request.[4] Days later, at a March 30 rally in Wisconsin with Musk, Gracias publicly claimed that a sample review of Social Security data matched against voter rolls had found noncitizens who were registered and cast a ballot.[4] The temporary restraining order that Judge Ellen Hollander had issued on March 20 was still in effect at the time, which raises the obvious question of how Gracias obtained the data he claimed to have analyzed.
NPR also reported that a DHS official briefed Cleta Mitchell's Election Integrity Network, a group led by an activist involved in efforts to overturn the 2020 election, about changes the administration was making to the SAVE system, before those details had been shared publicly.[4]
The agency's former chief data officer, Chuck Borges, filed a whistleblower complaint warning that DOGE employees put the records of more than 300 million Americans at risk by creating a copy of the SSA's Numident database in a vulnerable cloud environment without following required security protocols.[5] The SSA denied his claims and forced him to involuntarily resign.[5] His attorney, Debra Katz, stated after the January 2026 court filing that the government had conceded many of his allegations were accurate.[6]
When you line all of this up, a pattern of conduct emerges that goes well beyond careless data handling. DOGE employees moved SSA data to unauthorized servers. They sent encrypted files containing personal information to DOGE leadership at other agencies. One signed an agreement with a political group seeking to overturn elections. Another simultaneously reached out to a state governor's office about matching federal data against voter rolls. A Musk ally publicly claimed to have done exactly the kind of data matching the Voter Data Agreement described. And the agency's own chief data officer warned about all of it, was told he was wrong, and was pushed out. None of this was reviewed or approved through SSA's standard procedures. None of it was disclosed to the federal judge overseeing the case until the government was forced to correct the record months later.
Here is where it opens up for the entire country. Most states already have the statutes we need. Identity theft laws, cybercrime acts, and venue provisions that let prosecutors charge crimes where the victim lives rather than where the defendant sat when they committed them. Washington is the example because that's where the letter came from, but the legal architecture looks similar almost everywhere.
RCW 9.35.020 makes it a felony to knowingly obtain, possess, use, or transfer another person's financial information or means of identification with intent to commit or aid any crime.[7] The statute requires intent, and that's where the pattern of conduct matters. Moving data to an unauthorized server, standing alone, might look like an IT policy violation. But when the data movement happens alongside a signed agreement to use SSA data for partisan election operations, alongside outreach to a state governor's office about voter data, alongside public claims of having matched Social Security records against voter rolls, the conduct stops looking accidental and starts looking like a coordinated effort to harvest personal information for unauthorized political purposes. Using government data for partisan political operations violates the Hatch Act. Accessing and transferring personal information as part of a scheme to violate the Hatch Act satisfies the "intent to commit or aid any crime" element of the identity theft statute.
Washington's Cybercrime Act, RCW 9A.90, provides additional tools. Electronic data tampering in the first degree covers malicious and unauthorized alteration of data maintained by a government agency, and electronic data theft applies when someone intentionally and without authorization devises or executes any scheme to defraud, deceive, or commit any other crime, or wrongfully obtains electronic data.[8]
And critically, RCW 9.35.020(8) says the crime of identity theft is considered committed in any locality where the victim resides, regardless of whether the defendant was ever actually in that locality.[7]
It doesn't matter that the DOGE employees were sitting in Washington, D.C., when they moved the data. If the victims live in Washington state, the crime is considered committed in Washington state. The defendant never has to have set foot there.
Washington isn't alone in this. North Carolina, Minnesota, Georgia, Illinois, Nebraska, and dozens of other states have similar venue provisions in their identity theft statutes that define the crime as committed where the victim resides.[9] The SSA holds records on virtually every American who has ever received a federal payment, worked a job, or filed taxes. Victims live in all 50 states, and most state identity theft statutes allow prosecution where those victims live.
Now add dual sovereignty. State criminal prosecutions operate independently from the federal system. A presidential pardon can't reach a state conviction. And federal officials don't have blanket immunity from state prosecution. As Lawfare documented extensively, states have a long history of prosecuting federal actors for state crimes stretching back to the early 1800s, and the Supreme Court has emphasized that federal employees don't secure general immunity from state law while acting in the course of their employment.[10] When federal officials exceed the scope of their authorized duties, that shield disappears.
The best defense a DOGE attorney could raise is the Supremacy Clause, which protects federal officials from state prosecution when they're acting reasonably and within the bounds of their authorized duties. But the SSA itself didn't know its data was being moved to a Cloudflare server. The agency's own review found the conduct was potentially outside SSA policy. The Hatch Act referrals confirm the SSA viewed the Voter Data Agreement as unauthorized. When the agency that employs you says what you did was outside policy, the Supremacy Clause argument collapses.
We can't prove today that any specific Washington resident's data ended up on that Cloudflare server or in the encrypted file sent to DHS, because the SSA itself can't determine that. That's exactly the argument for an investigation, not a prosecution. We're asking county prosecutors and governors to refer these matters to their state attorneys general so they can determine whether residents of their states were victims of crimes under state law.
I put together three letters for her. Two of them are the emails referenced in the title. The first goes to her county prosecutor. The second goes to the governor. Both ask for the same thing: a criminal referral to the AG under RCW 43.10.232. The third goes back to the AG's office to let them know the referrals are on the way. If you're in Washington, you can use these now.
Email 1: To Your County Prosecutor
Dear [County Prosecutor's Name],
I'm writing to request that your office refer a matter to Attorney General Nick Brown for criminal investigation under RCW 43.10.232.
In a January 16, 2026 court filing in AFSCME v. Social Security Administration (D. Md., No. 1:25-cv-00596), the U.S. Department of Justice admitted that employees of the Department of Government Efficiency, while embedded at the Social Security Administration, transferred agency data to an unauthorized third-party server called Cloudflare outside all SSA security protocols. The SSA has confirmed it cannot determine what data was shared or whether it still exists on that server. A DOGE team member also sent an encrypted file believed to contain the names and addresses of roughly 1,000 people to the Department of Homeland Security and DOGE leadership, and the SSA has been unable to access the file to verify its contents.
The filing further revealed that a DOGE employee signed a "Voter Data Agreement" with a political advocacy group seeking to match Social Security records against state voter rolls to overturn election results in certain states. The SSA made two Hatch Act referrals to the Office of Special Counsel as a result. Separately, NPR has reported that DOGE engineer Aram Moghaddassi contacted the Florida governor's office about state voter data while working simultaneously at SSA and DHS, and that a DOGE associate publicly claimed to have matched SSA data against voter rolls at a political rally.
SSA records include the personal information of Washington residents in [your county]. This conduct may constitute violations of Washington's identity theft statute (RCW 9.35.020) and the Washington Cybercrime Act (RCW 9A.90). Federal officials do not have blanket immunity from state criminal prosecution when they exceed the scope of their authorized duties.
I'm asking you to refer this matter to Attorney General Brown so his Criminal Justice Division can investigate whether Washington residents were victims of state crimes. The AG's office has confirmed it needs a referral from a county prosecutor or the governor to act. You have the authority to open that door.
Thank you for your time and your service to our community.
Sincerely,
[Your Name]
[Your Address]
Email 2: To the Governor
Dear Governor Ferguson,
I'm writing to request that your office refer a matter to Attorney General Nick Brown for criminal investigation under RCW 43.10.232.
In a January 16, 2026 court filing in AFSCME v. Social Security Administration (D. Md., No. 1:25-cv-00596), the U.S. Department of Justice admitted that employees of the Department of Government Efficiency, while embedded at the Social Security Administration, transferred agency data to an unauthorized third-party server called Cloudflare outside all SSA security protocols. The SSA has confirmed it cannot determine what data was shared or whether it still exists on that server. A DOGE team member also sent an encrypted file believed to contain the names and addresses of roughly 1,000 people to the Department of Homeland Security and DOGE leadership, and the SSA has been unable to access the file to verify its contents.
The filing further revealed that a DOGE employee signed a "Voter Data Agreement" with a political advocacy group seeking to match Social Security records against state voter rolls to overturn election results in certain states. The SSA made two Hatch Act referrals to the Office of Special Counsel as a result. Separately, NPR has reported that a DOGE engineer contacted the Florida governor's office about state voter data while working simultaneously at SSA and DHS, and that a DOGE associate publicly claimed to have matched SSA data against voter rolls at a political rally.
These actions may constitute violations of Washington's identity theft statute (RCW 9.35.020) and the Washington Cybercrime Act (RCW 9A.90). The personal information of millions of Washington residents is contained in SSA records. Federal officials do not have blanket immunity from state criminal prosecution when they exceed the scope of their authorized duties, and a state conviction cannot be erased by a presidential pardon.
The Attorney General's office has confirmed it requires a referral from a county prosecutor or the governor to investigate and prosecute criminal matters. I'm asking you to make that referral so Attorney General Brown can determine whether Washington residents were victims of state crimes.
Thank you for your leadership.
Sincerely,
[Your Name]
[Your Address]
Email 3: Reply to the AG's Office
Dear Ms. Austin Hall,
Thank you for your response. I appreciate learning about the referral requirement under Washington law.
Based on your explanation that the Attorney General's office requires a referral from a county prosecutor or the governor to investigate and prosecute criminal matters, I've written to both my county prosecutor and Governor Ferguson requesting that they make such a referral. Specifically, I've asked them to refer the matter of DOGE employees' handling of Social Security Administration data, as described in the January 2026 DOJ court filing and subsequent reporting, for investigation under Washington's identity theft statute (RCW 9.35.020) and the Washington Cybercrime Act (RCW 9A.90).
I wanted your office to be aware that this request is coming, and I hope Attorney General Brown will be prepared to act when the referral arrives.
Sincerely,
[Your Name]
If you're in Washington, you can use these letters now. Send them today.
If you're in another state, the underlying legal architecture is the same: state identity theft laws, venue provisions that follow the victim, dual sovereignty that makes convictions pardon-proof, and a DOJ court filing where the administration admitted the conduct. The statutes differ, the referral mechanisms depend on each state's constitution, and some AGs can prosecute independently while others need the same kind of referral Brown does. But every state with residents in the SSA database has the raw material to do what we just did in Washington.
Comment your state on this post and we will get you your state's relevant statutes.
Works Cited
[1] Notice of corrections to the record, AFSCME v. Social Security Administration, No. 1:25-cv-00596-ELH (D. Md. Jan. 16, 2026).
[2] AFSCME v. Social Security Administration, No. 1:25-cv-00596-ELH, slip op. at 8-10 (D. Md. Apr. 17, 2025) (describing categories of data maintained by SSA).
[3] Johnson, D. B. (2026, January 21). DOGE likely violated order on Social Security data, court filing shows. FedScoop. https://fedscoop.com/doge-access-social-security-data-court-filing/
[4] Fowler, S., & Jarenwattananon, P. (2026, January 23). The Trump administration admits even more ways DOGE accessed sensitive personal data. NPR. https://www.npr.org/2026/01/23/nx-s1-5684185/doge-data-social-security-privacy
[5] Borges, C. (2025, August 26). Whistleblower complaint filed with the Office of Special Counsel regarding DOGE access to SSA data systems, as reported by CNN. https://www.cnn.com/2026/01/20/politics/doge-social-security-data-unauthorized-server
[6] Katz, D. S. (2026, January 21). Statement on behalf of Charles Borges, as quoted in FedScoop. https://fedscoop.com/doge-access-social-security-data-court-filing/
[7] Identity theft, RCW 9.35.020 (2024). Washington State Legislature. https://app.leg.wa.gov/rcw/default.aspx?cite=9.35.020
[8] Washington Cybercrime Act, RCW 9A.90 (2024). Washington State Legislature. https://app.leg.wa.gov/RCW/default.aspx?cite=9A.90
[9] National Conference of State Legislatures. (n.d.). Identity theft statutes. https://www.ncsl.org/financial-services/identity-theft
[10] Godar, B. (2025, November 6). Are federal officials immune from state prosecution? Lawfare. https://www.lawfaremedia.org/article/are-federal-officials-immune-from-state-prosecution



Awesome!!!! I'm in CA and would like the info to send letters here! Thank you for your work!!!!
Georgia.
Georgia distributes criminal prosecution across 159 counties, the most of any state. Each judicial circuit elects a district attorney who holds original jurisdiction over felony prosecutions in Superior Court. The AG's criminal prosecution authority is constitutionally limited: under the Georgia Constitution, the AG needs a written request from the governor or specific statutory authorization to bypass local DAs. A Fulton County Superior Court judge confirmed this limitation in December 2025, dismissing RICO charges against Stop Cop City defendants because AG Chris Carr conceded Governor Kemp had never issued the required written request. This constitutional structure means the prosecution path for the SSA breach runs entirely through local district attorneys, not through the AG's office.
AG Chris Carr (R) actively defended DOGE. On February 14, 2025, he joined 20 Republican AGs in supporting the Trump administration against lawsuits seeking to block DOGE's access to federal data, calling the suits "politically motivated" and praising DOGE for "identifying and eliminating billions in federal fraud." Governor Brian Kemp (R) will not request AG prosecution. The AG is therefore a closed door for this application. The open doors are the independently elected DAs across Georgia's 159 counties, several of whom in metro Atlanta have demonstrated willingness to pursue politically complex prosecutions.
Three statutes under the Georgia Computer Systems Protection Act (O.C.G.A. Section 16-9-90 et seq.) fit the documented conduct, along with the state's identity fraud statute.
O.C.G.A. Section 16-9-93(a), Computer Theft: criminalizes using a computer or computer network with knowledge that such use is without authority and with the intention of taking or appropriating the property of another, whether or not with the intention of depriving the owner of possession. Felony: 1 to 15 years imprisonment, up to $50,000 fine. The statute defines "without authority" under Section 16-9-92(18) to include using a computer or computer network in a manner that exceeds any right or permission granted by the owner. DOGE personnel had no permission from SSA to access, copy, or transmit its records. Every record copied constitutes a separate taking of property.
O.C.G.A. Section 16-9-93(c), Computer Invasion of Privacy: criminalizes using a computer or computer network with the intention of examining any employment, medical, salary, credit, or any other financial or personal data relating to any other person with knowledge that such examination is without authority. Felony: 1 to 15 years imprisonment, up to $50,000 fine. This provision maps directly onto the SSA breach. SSA records contain exactly the categories of data the statute names: employment histories, salary information, financial data, and personal identifying information. DOGE personnel examined this data without any authority from SSA or from the individuals whose records they accessed. The statute requires no showing of intent to defraud or financial harm; the unauthorized examination itself completes the offense.
O.C.G.A. Section 16-9-121, Identity Fraud: criminalizes willfully and without authorization or consent using or possessing with intent to fraudulently use identifying information concerning a person. "Identifying information" includes Social Security numbers, names, dates of birth, and financial account numbers. Felony: 1 to 10 years, up to $100,000 fine on first offense; 3 to 15 years, up to $250,000 on subsequent conviction. Subsection (b) separately criminalizes willingly accepting identifying information the person knows to be fraudulent, stolen, counterfeit, or fictitious. Under Section 16-9-121(c), identity fraud offenses do not merge with any other offense, meaning each count stands independently and sentences can stack. The January 16, 2026 DOJ filing confirmed DOGE personnel sent private SSA records to outside affiliates, which constitutes transfer of identifying information without authorization.
Under O.C.G.A. Section 17-2-2, venue lies in the county where the crime was committed. When conduct constituting the offense occurs in multiple counties, prosecution may proceed in any of them. SSA data belonging to Georgia residents traveled to unauthorized servers, establishing venue in every county where an affected resident lives.
Georgia's distinctive feature is the combination of severe penalties and the computer invasion of privacy statute. Most states require prosecutors to prove intent to defraud, intent to steal, or some form of harmful purpose beyond the unauthorized access itself. Georgia does not. Section 16-9-93(c) criminalizes the mere act of examining personal data without authority, with no additional intent element. If DOGE personnel looked at a Georgia resident's SSA record without authorization, they committed a felony carrying up to 15 years. The AG's hostility is real but irrelevant to prosecution, because Georgia's constitution gives local DAs independent authority that the AG cannot override. Several metro Atlanta DAs have demonstrated precisely the kind of independence this application requires.
Under the dual sovereignty doctrine affirmed in Gamble v. United States, 587 U.S. 678 (2019), a presidential pardon cannot reach a state conviction.
Three pressure points.
Letter 1: Local Law Enforcement
Dear [Police Department / Sheriff's Office],
I am writing to report suspected criminal activity under Georgia law. On January 16, 2026, the DOJ filed a "Notice of Corrections to the Record" in AFSCME v. SSA, Case No. 1:25-cv-00596, confirming DOGE personnel copied SSA data to an unauthorized Cloudflare server, sent private records to outside affiliates, and communicated with a group seeking to overturn election results. As a Georgia resident whose Social Security records are maintained by the SSA, I believe this conduct violates O.C.G.A. Section 16-9-93(a), computer theft (felony, 1 to 15 years); O.C.G.A. Section 16-9-93(c), computer invasion of privacy through unauthorized examination of personal and financial data (felony, 1 to 15 years); and O.C.G.A. Section 16-9-121, identity fraud through unauthorized possession and transfer of identifying information (felony, 1 to 10 years, up to $100,000 fine). I request an incident report and referral to the District Attorney.
Respectfully,
[Name, Address, Contact Information]
Letter 2: District Attorney
Dear [District Attorney],
I am writing to request that your office evaluate criminal charges arising from DOGE personnel's unauthorized access to SSA data, as documented in the January 16, 2026 DOJ filing in AFSCME v. SSA, Case No. 1:25-cv-00596. This conduct may violate O.C.G.A. Section 16-9-93(a), computer theft through unauthorized taking of SSA property (felony, 1 to 15 years, $50,000 fine); O.C.G.A. Section 16-9-93(c), computer invasion of privacy through examining employment, salary, financial, and personal data without authority (felony, 1 to 15 years, $50,000 fine); and O.C.G.A. Section 16-9-121, identity fraud through unauthorized possession and transfer of identifying information including Social Security numbers (felony, 1 to 10 years, $100,000 fine). Georgia's computer invasion of privacy statute requires no showing of intent to defraud; the unauthorized examination of personal data alone completes the felony. Under Section 16-9-121(c), identity fraud offenses do not merge, meaning each affected person represents a separately chargeable count. Your office holds independent constitutional authority over felony prosecutions in your judicial circuit.
Respectfully,
[Name, Address, Contact Information]
Letter 3: Georgia Bureau of Investigation
Dear Director,
I am writing to request that the GBI investigate criminal violations of Georgia law arising from DOGE personnel's unauthorized access to SSA records containing the personal identifying information of Georgia residents, as documented in the January 16, 2026 DOJ filing in AFSCME v. SSA, Case No. 1:25-cv-00596. This conduct implicates O.C.G.A. Section 16-9-93(a), computer theft (felony, 1 to 15 years); O.C.G.A. Section 16-9-93(c), computer invasion of privacy (felony, 1 to 15 years); and O.C.G.A. Section 16-9-121, identity fraud (felony, 1 to 10 years). The GBI maintains an investigative division with jurisdiction over identity theft and computer crimes. Georgia has approximately 1.9 million Social Security beneficiaries whose records were exposed. I request that the GBI open an investigation and coordinate with local district attorneys on potential prosecution.
Respectfully,
[Name, Address, Contact Information]