DOGE Denizen Marko Elez Leaked API Key for xAI

In a shocking revelation, a 25-year-old employee at Elon Musk's Department of Government Efficiency (DOGE) has inadvertently exposed a private key that granted access to over four dozen large language models (LLMs) developed by Musk's artificial intelligence company xAI. Marko Elez, who has been employed at DOGE since before joining the company's ranks in 2022, posted a file called "agent.py" on GitHub that included an API key allowing anyone to interact directly with multiple LLMs.

The inclusion of the private key was first flagged by GitGuardian, a company specializing in detecting and remediating exposed secrets in public and proprietary environments. Their systems constantly scan GitHub and other code repositories for exposed API keys, and fire off automated alerts to affected users. Philippe Caturegli, "chief hacking officer" at the security consultancy Seralys, revealed that the exposed API key allowed access to at least 52 different LLMs used by xAI.

The most recent LLM in the list was called "grok-4-0709" and was created on July 9, 2025. Grok, the generative AI chatbot developed by xAI and integrated into Twitter/X, relies on these and other LLMs (a query to Grok before publication shows Grok currently uses Grok-3, which was launched in February 2025). Earlier today, xAI announced that the Department of Defense will begin using Grok as part of a contract worth up to $200 million. The contract award came less than a week after Grok began spewing antisemitic rants and invoking Adolf Hitler.

Marko Elez did not respond to a request for comment. However, it's worth noting that the code repository containing the private xAI key was removed shortly after Caturegli notified Elez via email. Nonetheless, Caturegli said the exposed API key still works and has not yet been revoked.

"If a developer can't keep an API key private, it raises questions about how they're handling far more sensitive government information behind closed doors," Caturegli told KrebsOnSecurity. This incident highlights a broader concern regarding the security culture at DOGE, as Elez has been granted access to databases at one federal agency after another.

Before joining DOGE, Marko Elez worked for several of Musk's companies. His DOGE career began at the Department of the Treasury, and a legal battle over DOGE's access to Treasury databases showed Elez was sending unencrypted personal information in violation of the agency's policies. While still at Treasury, Elez resigned after The Wall Street Journal linked him to social media posts that advocated racism and eugenics. When Vice President J.D. Vance lobbied for Elez to be rehired, President Trump agreed, and Musk reinstated him.

Since his re-hiring as a DOGE employee, Elez has been granted access to databases at multiple federal agencies, including the Social Security Administration, the Department of Labor, the U.S. Customs and Border Protection and Immigration and Customs Enforcement (ICE) bureaus, and the Department of Homeland Security.

This is not an isolated incident: another DOGE employee leaked a private xAI key on GitHub for two months, exposing LLMs that were custom-made for working with internal data from Musk's companies, including SpaceX, Tesla, and Twitter/X. Caturegli stated, "One leak is a mistake." However, when the same type of sensitive key gets exposed repeatedly, it's not just bad luck – it's a sign of deeper negligence and a broken security culture.

The Fallout

As a result of this incident, concerns are growing about the handling of sensitive information by DOGE employees. Multiple incidents of internal API keys being leaked on GitHub raise questions about the ability to protect confidential government systems. The Department of Defense's decision to use Grok as part of a $200 million contract has only added fuel to the fire.

The incident also highlights the need for better security protocols and operational security measures at DOGE. As Caturegli pointed out, "If a developer can't keep an API key private, it raises questions about how they're handling far more sensitive government information behind closed doors."

Conclusion

The leak of Marko Elez's private xAI API key on GitHub has exposed the vulnerabilities in DOGE's security culture. As the Department of Defense moves forward with its contract using Grok, it is essential to address these concerns and implement robust security measures to prevent such incidents from happening in the future.