# Big Trouble in Big China

Writer: Patrick Duggan


Just remember what ol' Jack Burton always says at a time like that: "Have ya paid your dues, Jack?" "Yessir, the check is in the mail."


This is the third post in a trilogy I did not plan to write today. The first was an investigation. The second was a follow-up when the subject went dark. This one is the one where I sit in the cab of the Pork Chop Express, crack open a Coors, and tell you what happened on the CB radio.


This is the part of the story where comedy comes in threes.


## One



On February 7, 2026, someone started polling our STIX/TAXII threat intelligence feed. Every 30 seconds. From a mobile phone near Kennedy Space Center. The collection name they hardcoded into their script was "idkkk" — a GitHub username belonging to a developer at Alibaba Group in Beijing who runs a Chinese-language AI blog and recently forked a leaked Claude Code repository.


We logged 100,000 requests. We published the investigation. We put a link to the blog post in the 410 response.


They stopped within minutes. First time in 65 days.


That was Part One: "One IP. One Script. 100,000 Requests."


## Two



While we were writing about Actor One going dark, we found Actor Two. A different Chinese IP, no user agent, hammering our STIX feed CSV export — /api/v1/stix-feed/ips.csv — 362 times in 24 hours. All 403. Different infrastructure, different technique, same target.


Then we found Actor Three. A third Chinese IP, two days earlier, also hitting the CSV export. Different hash, different user agent (Windows this time), same endpoint.


Three actors. Three techniques. Three different IPs. Same country. Same target. Same week.


That was Part Two: "They Stopped the Moment We Said Their Name."


## Three



This is Part Three. The Aristocrats.


Here is what our threat intelligence platform's endpoint now returns when someone polls /api/v1/stix-feed/collections/idkkk/objects/:


The collection does not exist and never did. Neither does your operational security. Three GitHub accounts, one copy-paste error. 谢谢您的光临。


For our Mandarin-speaking readers: 谢谢您的光临 means "thank you for visiting." We mean it sincerely. You gave us a six-signal precursor detection system, two blog posts, a Rewards for Justice submission, and a story worth telling. We are genuinely grateful. 真的,谢谢你们。


祝你好运 means "good luck." You will need it.


## What ol' Jack Burton would say



There is a scene in Big Trouble in Little China where Jack Burton — a truck driver from San Francisco who is in way over his head — faces down an immortal sorcerer, an army of supernatural warriors, and a situation that makes absolutely no sense. He looks at the camera and says:


"When some wild-eyed, eight-foot-tall maniac grabs your neck, taps the back of your favorite head up against the barroom wall, and he looks you crooked in the eye and he asks you if ya paid your dues, you just stare that big sucker right back in the eye, and you remember what ol' Jack Burton always says at a time like that: 'Have ya paid your dues, Jack?' 'Yessir, the check is in the mail.'"


We are two people. We run on $600 a month. We are not a government agency. We are not a defense contractor. We are a truck driver from Queens with a threat intelligence platform and an unreasonable tolerance for interesting problems.


Three Chinese actors converged on our STIX feed in one week. We caught all three. We published the investigation while they were still polling. We put the blog post in the HTTP response. We filed with Rewards for Justice. We wired the detection pattern into our precursor system so the next convergence triggers automatically.
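One way to turn the two patterns described above into detection logic, as an added example that is not the platform's own precursor system: the log format, the sample lines and the thresholds are all constructed assumptions, and the signal names map to Part One (fixed-cadence polling of a nonexistent collection) and Part Two (several IPs denied on the same export endpoint in one week).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (an assumption, not the platform's real one): ip [ts] "METHOD path" status "ua"
LOG_RE = re.compile(r'^(\S+) \[([^\]]+)\] "\S+ (\S+)" (\d{3}) "([^"]*)"$')
# Constructed sample modelled on the post: one fixed-cadence poller of the nonexistent
# "idkkk" collection, then three IPs denied on the CSV export inside one week.
SAMPLE_LOG = """\
203.0.113.10 [2026-02-07T10:00:00] "GET /api/v1/stix-feed/collections/idkkk/objects/" 410 "python-requests/2.31"
203.0.113.10 [2026-02-07T10:00:30] "GET /api/v1/stix-feed/collections/idkkk/objects/" 410 "python-requests/2.31"
203.0.113.10 [2026-02-07T10:01:00] "GET /api/v1/stix-feed/collections/idkkk/objects/" 410 "python-requests/2.31"
203.0.113.10 [2026-02-07T10:01:31] "GET /api/v1/stix-feed/collections/idkkk/objects/" 410 "python-requests/2.31"
203.0.113.20 [2026-04-10T03:14:00] "GET /api/v1/stix-feed/ips.csv" 403 ""
203.0.113.21 [2026-04-12T03:15:00] "GET /api/v1/stix-feed/ips.csv" 403 "Mozilla/5.0 (Windows NT 10.0)"
203.0.113.22 [2026-04-12T09:00:00] "GET /api/v1/stix-feed/ips.csv" 403 ""
198.51.100.5 [2026-04-12T09:05:00] "GET /api/v1/stix-feed/ips.csv" 200 "curl/8.0"
"""

def parse(log_text):
    """Parse lines that fit the format into dicts; silently skip the rest."""
    events = []
    for m in filter(None, map(LOG_RE.match, log_text.splitlines())):
        ip, ts, path, status, _ua = m.groups()
        events.append({"ip": ip, "ts": datetime.fromisoformat(ts), "path": path, "status": int(status)})
    return events

def fixed_cadence_pollers(events, min_hits=4, tolerance_s=2.0):
    """Part One pattern: an IP polling a 404/410 collection at a near-constant interval."""
    stamps = defaultdict(list)
    for e in events:
        if e["status"] in (404, 410) and "/stix-feed/collections/" in e["path"]:
            stamps[e["ip"]].append(e["ts"])
    found = {}  # ip -> mean polling interval in seconds
    for ip, ts in stamps.items():
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        mean = sum(gaps) / len(gaps) if gaps else 0.0
        if len(ts) >= min_hits and all(abs(g - mean) <= tolerance_s for g in gaps):
            found[ip] = round(mean)
    return found

def export_convergence(events, path="/api/v1/stix-feed/ips.csv", window=timedelta(days=7), min_ips=3):
    """Part Two pattern: >= min_ips distinct IPs denied (403) on one export endpoint in a window."""
    denied = sorted((e["ts"], e["ip"]) for e in events if e["path"] == path and e["status"] == 403)
    for i, (start, _) in enumerate(denied):
        ips = {ip for ts, ip in denied[i:] if ts - start <= window}
        if len(ips) >= min_ips:
            return sorted(ips)  # the convergence that should trip the precursor alarm
    return []
```

On the sample, the first function reports the poller at a 30-second cadence and the second returns the three denied IPs; raise `min_ips` or shrink `window` and the convergence alarm stays quiet.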


And then we wrote this, the third one, because comedy comes in threes and because ol' Jack Burton always says: "It's all in the reflexes."


## The serious part



We have forwarded the complete evidence package — all three actors, all timestamps, all behavioral profiles, all GitHub cross-confirmations — to the appropriate authorities. The Rewards for Justice submission references our prior submission on Handala Hack Team infrastructure from March 2026.


We are not making accusations. We are presenting evidence and asking questions. The geographic correlation between the primary actor's infrastructure and the Kennedy Space Center defense corridor is documented by the FBI, DCSA, and Vanity Fair. The GitHub identity correlation is suggestive, not conclusive. The behavioral response to our publication — 65 days of persistence followed by immediate silence on first contact — is a data point, not a conviction.


But we did catch it. And we will catch the next one. Because we built the thing that sees, and we wired Signal Number Six — the "Princess and the Pea" — so the itch becomes an alarm.


谢谢。再见。祝你好运。


Thank you. Goodbye. Good luck.


It's all in the reflexes.


— Patrick


Part One: dugganusa.com/post/one-ip-one-script-100-000-requests-who-is-polling-our-stix-feed-from-the-space-coast


Part Two: dugganusa.com/post/they-stopped-the-moment-we-said-their-name


Search our feed: analytics.dugganusa.com/api/v1/search?q=AS7018


Register for a free API key: analytics.dugganusa.com/stix/register




