(Removes extra word 'turned' from paragraph 3)

By Raphael Satter

WILMINGTON, Delaware (Reuters) -The best-known member of Elon Musk's U.S. DOGE Service team of technologists once provided support to a cybercrime gang that bragged about trafficking in stolen data and cyberstalking an FBI agent, according to digital records reviewed by Reuters.

Edward Coristine is among the most visible members of the DOGE effort that has been given sweeping access to official networks as it attempts to radically downsize the U.S. government.

Past reporting had focused on his youth - he is 19 - and his chosen nickname of "bigballs," which became a pop culture punchline. Musk has championed the teen on his social media site X, telling his followers last month that "Big Balls is awesome."

Beginning around 2022, while still in high school, Coristine ran a company called DiamondCDN that provided network services, according to corporate and digital records reviewed by Reuters and interviews with half a dozen former associates. Among its users was a website run by a ring of cybercriminals operating under the name "EGodly," according to digital records preserved by the internet intelligence firm DomainTools and the online cybersecurity tool Any.Run.

The details of Coristine's connection to EGodly have not been previously reported.

On Feb. 15, 2023, EGodly thanked Coristine's company for its assistance in a post on the Telegram messaging app.

"We extend our gratitude to our valued partners DiamondCDN for generously providing us with their amazing DDoS protection and caching systems, which allow us to securely host and safeguard our website," the message said.

The digital records reviewed by Reuters showed the EGodly website, dataleak.fun, was tied to internet protocol addresses registered to DiamondCDN and other Coristine-owned entities between October 2022 and June 2023, and that some users attempting to access the site around that time would hit a DiamondCDN "Security check."

Coristine did not return messages seeking comment. Musk's team, which has adopted the name "Department of Government Efficiency" though it is not an official government department, did not respond to emails about Coristine. He is listed as a "senior adviser" at the State Department and the Cybersecurity and Infrastructure Security Agency, according to one official at each agency who told Reuters they had seen his name in their respective agencies' staff directory.

On LinkedIn, Coristine describes himself as a "Volunteer (Intern) Plumber" with the U.S. government.  

The State Department did not return messages asking about Coristine. CISA, which is responsible for protecting federal government networks from cybercriminals and foreign spies, declined comment.

EGodly's Telegram channel has been inactive for the past year; attempts to elicit comment from eight people who participated in or interacted with EGodly were unsuccessful.  

'THESE ARE BAD FOLKS'

DiamondCDN's website - CDN typically stands for "content delivery network" - was registered in mid-2022, according to records collected by DomainTools. It pitched itself as offering "excellent security tools" that would help "lower your infrastructure costs," according to copies of the site maintained by the Internet Archive. The site said the company "has no business inspecting user content."

In 2023, EGodly boasted on its Telegram channel of hijacking phone numbers, breaking into unspecified law enforcement email accounts in Latin America and Eastern Europe, and cryptocurrency theft. Early that year, the group distributed the personal details of an FBI agent who they said was investigating them, circulating his phone number, photographs of his house, and other private details on Telegram.

EGodly also posted an audio recording of an obscene prank call made to the agent's phone and a video, shot from the inside of a car, of an unknown party driving by the agent's house in Wilmington, Delaware at night and screaming out the window, "EGodly says you're a bitch!"

Reuters could not independently verify EGodly's boasts of cybercriminal activity, including its claims to have hijacked phone numbers or infiltrated law enforcement emails. But it was able to authenticate the video by visiting the same Wilmington address and comparing the building to the one in the footage. 

The FBI agent targeted by EGodly, who is now retired, told Reuters that the group had drawn law enforcement attention because of its connection to swatting, the dangerous practice of making hoax emergency calls to send armed officers swarming targeted addresses. The agent didn't go into detail. Reuters is not identifying him out of concern for further harassment.

"These are bad folks," the former agent said. "They're not a pleasant group."

He declined to comment further about the harassment or whether EGodly had been or still was the subject of an FBI investigation. The FBI didn't return messages seeking comment on EGodly.

Reuters was not able to ascertain how long EGodly used DiamondCDN, or whether EGodly paid Coristine's company. Archived copies of DiamondCDN's website said the firm envisioned having both paying and nonpaying customers.

Another individual who has been subject to abuse from EGodly and a cybercrime researcher who has followed the group said it was composed of hardened fraudsters, citing the group's makeup and the credibility of its claims. Both asked not to be identified, citing fears of retaliation.

Even if the connection between Coristine and EGodly were fleeting, Nitin Natarajan, who served as the deputy director of CISA under former President Joe Biden, told Reuters it was worrying that someone who provided services to EGodly only two years ago was part of a group that has gained wide access to government networks.

"This stuff was not in the distant past," he said. "The recency of the activity and the types of groups he was associated would definitely be concerning."

(Reporting by Raphael Satter in Wilmington, Delaware; additional reporting by AJ Vicens in Detroit; editing by Chris Sanders)