I Mapped the Global Network Big Balls Is Probably Using to Sell Your Data

One-liner
"[W]e are witnessing the largest government data heist in American history."
Report Excerpt

My months-long investigation of Edward “Big Balls” Coristine shows that his company, Packetware, operates a global server network with capabilities and usage metrics befitting a large-scale data smuggling operation, not a simple web hosting company as he claims. Since February, I observed traffic patterns and security settings that appear designed to let co-conspirators extract data from anywhere on the planet. In fact, Packetware’s network security is worse than an average home Wi-Fi system. Foreign intelligence agencies, criminals, or anyone online can intercept or dump data at will.

Packetware’s poor cybersecurity allowed me to directly inspect the network’s metrics. At the height of DOGE activity in February 2025, the network sent 150% more data than it received, sending over 32,000 gigabytes from the U.S. through a labyrinth of virtual machines around the world in just half a day.

Critically dangerous settings [at Packetware] include:

  • No passwords or authentication needed to explore the entire network
  • Logs deleted every 12 hours, compared to the weeks-long retention of normal monitoring systems
  • Configuration that permits unlimited data extraction by any user

The network exhibits classic indicators normally associated with malware gangs stealing data and mass data exfiltration: 26 times more data flowing out than coming in, servers spread across five countries to mask data trails, and open-access security that requires no credentials.

In 2022, when he was in high school, Big Balls created Packetware. Until 2024, Packetware provided web hosting designed to evade law enforcement. His customers were Russian hackers who bragged about selling stolen data and cyberstalking an FBI agent.

Big Balls met his hacker buddies through “the Com,” a loose online network that bridges North American and Russian cybercriminals with a reputation for doxxing, swatting, and extorting both victims and fellow hackers alike. Cybersecurity expert Brian Krebs calls the Com the “English-language cybercriminal hacking equivalent of a violent street gang.”

Packetware claims to be a small Virtual Private Server hosting provider, but its traffic patterns tell a different story.

In February, I discovered Packetware’s digital equivalent of an air traffic control tower hosted in Montreal. (Original spreadsheet here.) This server runs monitoring software that tracks network traffic from nodes worldwide. However, the overwhelming trend is data going out to destinations obscured by the layers of constantly changing proxies. The traffic patterns align precisely with how state-sponsored cyber threat groups move stolen information from victims to servers under their direct control.

February 6, 2025

  • Total Received: 32,542 GB (31.78 TB) over 12 hours
  • Total Sent: 47,872 GB (46.75 TB) over 12 hours
  • Net Flow: ~15 TB outbound
  • Ratio: ~1.5 TB out for every 1 TB in
  • Combined Traffic Volume: 78.52 TB

In this exact same time frame, Big Balls’ Packetware network hosted around 60 remote servers in Germany. These 60 German servers almost certainly formed the backbone of a massive exfiltration network as part of the largest data heist in history. We can only assume that any data DOGE accessed, especially at the height of operations in February 2025, is now in the hands of America’s enemies.

Since the height of DOGE activity, the overall amount of data leaving Big Balls’ network has slowed significantly, but the proportion of data going out vs coming in has skyrocketed—with 26 times more going out than coming in.

Based on network analysis, here’s how the operation likely functions:

  1. Insider Access — DOGE personnel access federal networks using their unlimited privileges
  2. Initial Transfer — Data moves from government systems to U.S.-based proxy nodes
  3. Global Proxies — Information travels through multiple international proxy servers (Montreal, Amsterdam, Dallas, Los Angeles) to obscure its origin
  4. Final Delivery — Data arrives at remote SSH servers in Europe, completely untraceable

The sophisticated routing makes detection nearly impossible while providing plausible deniability for any intercepted communications.

The evidence is clear: we are witnessing the largest government data heist in American history, orchestrated by individuals with documented ties to Russian cybercriminals and executed with the full backing of the Trump administration. This goes beyond the risk of your SSN being stolen. It cuts to the very foundation of our national security, from our first line of cyber-defense to our last line of nuclear deterrence.

Lambert here: Any mention of RussiaGate triggers my spidey sense. And if all the data is so easy to steal due to “poor cybersecurity”, what is Packetware’s actual product? And what is a Packetware “user”?
