Article 77 and the 48-Hour Coincidence
- Patrick Duggan
- Jan 3
The Panama Sequence
BlackRock's $22.8 billion acquisition of CK Hutchison's port operations—including the strategically critical Cristobal and Balboa ports at either end of the Panama Canal—had been stalled since March 2025.
By August, the deal "won't close before year-end."
On December 25, China's state-owned Cosco demanded a majority stake. BlackRock and Mediterranean Shipping Company were "considering walking away."
Then:
| Date | Event |
| --- | --- |
| Jan 1 | Panama crisis "resolved" |
| Jan 1 | US troops granted 3-year exercise rights on Panamanian soil |
| Jan 2 | Hutchison-BlackRock sale confirmed |
| Jan 3 | Venezuela invaded |
The deal that was dying on December 25 closed on January 2. What changed wasn't the terms. It was the context.
What Our Threat Feed Shows
We run a production auto-blocking system that processes threat intelligence from multiple sources. Here's what the last seven days look like by source IP prefix:
| Prefix | Indicators | Owner |
| --- | --- | --- |
| 47.79.x.x | 118 | Alibaba Cloud |
| 47.82.x.x | 62 | Alibaba Cloud |
| 180.153.x.x | 24 | China Telecom Shanghai |
| 43.130.x.x | 14 | Tencent Cloud |
| 43.153.x.x | 8 | Tencent Cloud |
| 43.157.x.x | 11 | Tencent Cloud |
250+ indicators from Chinese cloud infrastructure in one week.
This isn't anomalous in isolation. Chinese cloud providers have been a consistent source of scanning and reconnaissance traffic. What's notable is the timing correlation with Article 77's implementation and the kinetic events in Latin America.
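A per-prefix count only means something next to a baseline. The sketch below is an added example, not DugganUSA's production code: it rolls indicator IPs up to /16 prefixes as in the table above and flags only prefixes that grew against the prior week. The sample addresses are constructed, and the `min_count` and `ratio` thresholds are assumptions.

```python
import ipaddress
from collections import Counter

# Owner labels for the /16 prefixes listed in the article's table.
PREFIX_OWNER = {
    "47.79.0.0/16": "Alibaba Cloud", "47.82.0.0/16": "Alibaba Cloud",
    "180.153.0.0/16": "China Telecom Shanghai", "43.130.0.0/16": "Tencent Cloud",
    "43.153.0.0/16": "Tencent Cloud", "43.157.0.0/16": "Tencent Cloud",
}

def rollup(indicators):
    """Count indicator IPs per /16, skipping malformed and non-IPv4 entries."""
    counts = Counter()
    for raw in indicators:
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            continue  # feed noise: hostnames, truncated lines
        if ip.version != 4:
            continue
        counts[str(ipaddress.ip_network(f"{ip}/16", strict=False))] += 1
    return counts

def compare(current, baseline, min_count=5, ratio=2.0):
    """Return (prefix, owner, prior, now) for prefixes at >= ratio x prior week."""
    flagged = []
    for prefix, now in current.most_common():
        prior = baseline.get(prefix, 0)
        # Small counts are ignored; a steady heavy hitter is not a spike.
        if now >= min_count and now >= ratio * max(prior, 1):
            flagged.append((prefix, PREFIX_OWNER.get(prefix, "unknown"), prior, now))
    return flagged

# Constructed sample feeds (host parts are made up, not real indicators).
LAST_WEEK = [f"47.79.{i}.{i + 1}" for i in range(10)] + \
            [f"43.130.{i}.{i + 1}" for i in range(2)]
THIS_WEEK = [f"47.79.{i}.{i + 1}" for i in range(12)] + \
            [f"43.130.{i}.{i + 1}" for i in range(6)] + \
            [f"180.153.{i}.{i + 1}" for i in range(3)] + \
            ["not-an-ip", "2001:db8::1"]

if __name__ == "__main__":
    for row in compare(rollup(THIS_WEEK), rollup(LAST_WEEK)):
        print(row)
```

In this constructed data the largest prefix (47.79.0.0/16) is not flagged because it was already large the week before; only the prefix that tripled is.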
Article 77: The Legal Framework for Retaliation
The original 2017 Cybersecurity Law targeted overseas activities harming China's Critical Information Infrastructure. The 2026 amendment expands scope dramatically:
"Any overseas institution, organization, or individual that engages in activities endangering the cybersecurity of the People's Republic of China will be held legally responsible."
- Asset freezing
- Sanctions
- "Other necessary measures"
Against anyone, anywhere, for "any activity" that "endangers" Chinese cybersecurity—a term left deliberately undefined.
This isn't defensive posture. It's a legal framework for offensive operations with plausible domestic justification.
The DPRK Angle
North Korea's Lazarus Group stole $2.02 billion in cryptocurrency in 2025—a 51% increase over 2024. The February Bybit hack alone netted $1.5 billion, the largest crypto heist in history.
Lazarus funds approximately 40% of North Korea's weapons of mass destruction program.
Venezuela under Maduro was a sanctions evasion partner. Venezuelan shell companies, PDVSA oil trades, and Caracas banking relationships provided pathways for North Korean financial operations.
With Maduro on a Navy ship heading to New York, one of those pathways just closed.
Expect Lazarus to accelerate. They need to replace the revenue stream.
Salt Typhoon Is Still Inside
While everyone watched Caracas, Salt Typhoon—the Chinese APT that compromised at least nine major US telecommunications providers—remains active.
Per DHS reporting, between January and March 2024, Salt Typhoon exfiltrated configuration files from US government entities including Army National Guard networks nationwide. They compromised lawful intercept systems. They're still there.
The NSA claims Volt Typhoon (the critical infrastructure prepositioning campaign) "failed" and forced China "back to the drawing board."
Salt Typhoon didn't fail. Salt Typhoon is reading your text messages.
The Hypothesis
- Panama ports — to BlackRock
- Venezuela — a BRICS ally with 303 billion barrels of oil
Article 77 went live 48 hours before the invasion. Coincidence assumes no coordination. The alternative is that China saw this coming and prepared legal justification for cyber response.
Our threat feed shows Chinese cloud infrastructure as the dominant source of indicators. That's not proof of state-directed activity—Alibaba and Tencent host legitimate and illegitimate traffic alike. But it's signal.
The cyber landscape is the shadow of the kinetic one.
When the US conducts a regime change operation against a Chinese ally, the response won't come from the PLA Navy. It'll come from infrastructure you can't attribute, using legal frameworks you didn't read, against targets you haven't patched.
What to Watch
- Chinese APT activity against US financial infrastructure — BlackRock just became a symbol
- DPRK acceleration — Lazarus needs new revenue channels
- Salt Typhoon activation — They're pre-positioned; the question is whether they act
- Latin American targeting — Other China-aligned governments (Nicaragua, Cuba) may see increased US pressure and respond asymmetrically
The Pattern
| Kinetic Event | Cyber Shadow |
| --- | --- |
| Panama Canal threatened | Cosco demands majority stake |
| Panama "resolved" | Article 77 takes effect |
| Venezuela invaded | Chinese cloud IPs spike in threat feeds |
| Maduro captured | DPRK loses sanctions evasion partner |
This isn't conspiracy. It's convergence. Geopolitics and cyber operations aren't separate domains—they're the same conflict expressed through different mediums.
The 48-hour window between Article 77 and the Venezuela invasion isn't coincidence. It's the gap between legal preparation and operational execution.
Whether that preparation was Chinese or American depends on who you think saw this coming first.
Sources
Patrick Duggan is founder of DugganUSA LLC, a Minnesota-based threat intelligence company. The analysis above is based on open-source intelligence and production telemetry from DugganUSA's auto-blocking system.
This post contains no classified information. All sources are public.



