China 3%, Netherlands 26%: The Real Threat Landscape
- Patrick Duggan
- Dec 7, 2025
- 4 min read
---
title: "China 3%, Netherlands 26%: The Real Threat Landscape (Dec 7, 2025)"
excerpt: "CrowdStrike says FAMOUS CHOLLIMA. Palo Alto says RansomHub. Our firewall logs say DigitalOcean and Dutch hosting providers. Here's what's actually hitting the internet today."
category: opinions
tags: threat-intelligence, osint, crowdstrike, palo-alto, wiz, comparison, data
coverImage: https://static.wixstatic.com/media/e09876_security_globe.jpg
---
December 7, 2025 — Every quarter, the big security vendors release their threat reports. CrowdStrike trumpets a "150% surge in Chinese cyber espionage." Palo Alto warns of "DPRK insider threats." The headlines write themselves, the stock prices hold steady, and CISOs everywhere nervously increase their security budgets.
But what if the emperor has no clothes?
We decided to compare what the billion-dollar threat intel vendors *say* versus what we *actually observe* while blocking attacks in real time. The results are... illuminating.
What the Vendors Say
CrowdStrike Global Threat Report 2025
- **FAMOUS CHOLLIMA (North Korea)**: 304 incidents, 40% insider threat operations
- **China-nexus adversaries**: 150% surge, 7 new groups identified
- **LIMINAL PANDA, VAULT PANDA**: Sophisticated nation-state actors
- **Headline**: "China's Cyber Espionage Surges"

Palo Alto Unit 42 2025
- **RansomHub**: Top ransomware variant
- **Jumpy Pisces (DPRK/Lazarus)**: Nation-state ransomware
- **Social Engineering**: 86% of incidents
- **Headline**: "North Korean Insider Threats on the Rise"

Wiz Cloud Security 2025
- **Nation-state campaigns**: Diicot, 0ktapus
- **Edge appliance exploits**: PAN-OS, Aviatrix
- **Headline**: "Sophisticated actors targeting cloud environments"
The narrative is clear: Nation-states are coming for you. China and North Korea are the boogeyman. Be afraid. Buy our product.
What We Actually Observe
Over the past 30 days, we blocked 1,563 malicious IPs attempting to attack our infrastructure. Here's where they came from:
Top 10 Source Countries (Last 30 Days)
| Rank | Country | Percentage |
|------|---------|------------|
| 1 | Germany | 27% |
| 2 | Netherlands | 27% |
| 3 | United States | 14% |
| 4 | Brazil | 5% |
| 5 | France | 5% |
| 6 | United Kingdom | 5% |
| 7 | Singapore | 4% |
| 8 | China | 3% |
| 9 | Canada | 2% |
| 10 | Sweden | 2% |
Germany and Netherlands combined: 54% of all attacks.
China: 3%.
Top Abused Hosting Providers
| Provider | Blocked IPs | Type |
|----------|-------------|------|
| DigitalOcean, LLC | 20 | US Cloud Provider |
| TECHOFF SRV LIMITED | 16 | Offshore Hosting |
| APNIC (Asia-Pacific) | 13 | Registry Abuse |
| FBW NETWORKS SAS | 5 | French Hosting |
| HOSTGLOBAL.PLUS LTD | 5 | Bulletproof Hosting |
| VIRTUALINE TECHNOLOGIES | 5 | DE/NL Shell Company |
Usage Type Breakdown
| Type | Percentage |
|------|------------|
| Data Center/Web Hosting | 97% |
| Fixed Line ISP | 3% |
Read that again: 97% of attacks come from commercial hosting providers, not nation-state infrastructure.
Fresh Data: Last 24 Hours (Dec 7, 2025)
As of today, we've blocked 1,468 threats in the past 24 hours. The top offenders right now:
| IP | Country | Provider | Asshole Score |
|----|---------|----------|---------------|
| 204.76.203.31 | Netherlands | Intelligence Hosting LLC | 172.3 |
| 213.209.157.162 | Germany | VIRTUALINE TECHNOLOGIES | 169.8 |
| 213.209.157.81 | Netherlands | VIRTUALINE TECHNOLOGIES | 167.9 |
| 176.65.148.212 | Netherlands | Pfcloud UG | 163.6 |
| 91.224.92.185 | Lithuania | Cloud hosting | 159.9 |
VIRTUALINE TECHNOLOGIES is running what appears to be a coordinated botnet across German and Dutch IP space. Not a nation-state. A shell company selling cheap VPS.
The irony of "Intelligence Hosting LLC" having the highest threat score today is not lost on us.
The Gap
| Vendor Narrative | Ground Truth |
|------------------|--------------|
| "China 150% surge!" | China = 3% of actual attacks |
| "DPRK insider threats!" | 0% DPRK in our blocked list |
| "Nation-state APTs!" | 97% from commercial hosting |
| "Sophisticated actors!" | Script kiddies on DigitalOcean |
| "AI-powered threats!" | Same old scanning + brute force |
Why the Disconnect?
1. Vendors sell to enterprises, not reality. A CISO can justify a $500/endpoint budget for "Chinese nation-state protection." Try selling that same budget for "blocking DigitalOcean abuse."
2. Nation-state narratives drive headlines. "FAMOUS CHOLLIMA Strikes Again" gets clicks. "Dutch Hosting Provider Needs Better Abuse Team" does not.
3. Attribution is hard, fear is easy. When you can't definitively prove who's behind an attack, default to the scariest option. Nobody got fired for blaming China.
4. The actual threats are boring. Most attacks are opportunistic scans from commodity infrastructure. That's not a compelling threat report. That's a Tuesday.
What This Means for Defenders
1. Block the right things. Focus on bulletproof hosting providers, cheap VPS abuse, and the Netherlands/Germany hosting corridor. That's where the volume is.
2. Don't overspend on APT theater. Unless you're a defense contractor or critical infrastructure, nation-state actors probably aren't your biggest problem. Commodity attackers are.
3. Watch the hosting providers, not the countries. DigitalOcean, Tencent Cloud (US datacenters), and offshore shells like TECHOFF SRV LIMITED are where the attacks originate. The country flag is just where they rented the server.
4. Question the vendor narratives. When CrowdStrike says "150% China surge," ask: compared to what baseline? Measured how? Against which customer segment?
Our Methodology
• Data Source: Azure Table Storage (BlockedAssholes table) - real blocked IPs with timestamps
• Time Range: Rolling 30 days, with 24-hour fresh data
• Enrichment: AbuseIPDB, Shodan InternetDB, VirusTotal
• Sample Size: 1,563 blocked threats (30 days), 1,468 (24 hours)
• Scoring: Composite "Asshole Score" based on abuse reports, open ports, known CVEs, and behavioral indicators
This isn't a marketing report. It's firewall logs.
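To make the methodology concrete, here is an added example (not DugganUSA's code) that turns enriched block records into the same kinds of tables shown above: share by country, by usage type, by provider, and a ranked top-offenders list. The record fields, the fictional providers, the RFC 5737 documentation addresses and the composite score weights are all assumptions; the post does not publish its actual scoring formula.

```python
"""Aggregate enriched firewall block records into country / usage-type /
provider shares and a composite-score ranking (added example, assumptions
labelled inline; the real BlockedAssholes schema and weights are unknown)."""
from collections import Counter

DC, ISP = "Data Center/Web Hosting", "Fixed Line ISP"
FIELDS = ("ip", "country", "provider", "usage_type",
          "abuse_confidence", "open_ports", "known_cves", "behaviors")
# Constructed sample: RFC 5737 documentation addresses, fictional providers.
RAW = [
    ("198.51.100.10", "Netherlands", "VPS Co", DC, 100, [22, 80, 443], 1, ["ssh-bruteforce", "scan"]),
    ("198.51.100.11", "Netherlands", "VPS Co", DC, 90, [22], 0, ["ssh-bruteforce"]),
    ("198.51.100.12", "Netherlands", "VPS Co", DC, 85, [22, 80], 0, ["ssh-bruteforce"]),
    ("203.0.113.5", "Germany", "VPS Co", DC, 95, [22, 3389], 1, ["rdp-bruteforce", "scan"]),
    ("203.0.113.6", "Germany", "Cloud B", DC, 60, [80], 0, ["scan"]),
    ("203.0.113.7", "Germany", "VPS Co", DC, 88, [22], 0, ["ssh-bruteforce", "scan"]),
    ("192.0.2.20", "United States", "Cloud B", DC, 80, [22, 80, 443, 8080], 3, ["scan", "web-probe"]),
    ("192.0.2.21", "United States", "Cloud B", DC, 40, [], 0, ["scan"]),
    ("192.0.2.30", "China", "Telecom ISP", ISP, 30, [], 0, ["scan"]),
    ("203.0.113.40", "Brazil", "Cloud B", DC, 70, [22], 0, ["ssh-bruteforce"]),
]
RECORDS = [dict(zip(FIELDS, row)) for row in RAW]


def share_by(records, field):
    """Percentage of records per distinct value of `field`, largest first
    (ties broken alphabetically) -- the shape of the post's share tables."""
    counts = Counter(r[field] for r in records)
    total = len(records)
    return [(k, round(100.0 * n / total, 1))
            for k, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]


def composite_score(r):
    """Assumed composite: abuse confidence plus weighted exposure (open ports,
    known CVEs) and observed behaviours. Weights are illustrative only."""
    return (r["abuse_confidence"] + 5 * len(r["open_ports"])
            + 15 * r["known_cves"] + 10 * len(r["behaviors"]))


def top_offenders(records, n=3):
    """Highest composite scores first, with the provider that rented the box."""
    ranked = sorted(records, key=lambda r: -composite_score(r))
    return [(r["ip"], r["provider"], composite_score(r)) for r in ranked[:n]]


if __name__ == "__main__":
    for field in ("country", "usage_type", "provider"):
        print(field, share_by(RECORDS, field))
    print("top offenders", top_offenders(RECORDS))
```

On the constructed sample the provider view is more actionable than the country view: one fictional VPS reseller accounts for half the blocks even though its addresses are split across two countries.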
The Bottom Line
The threat intelligence industry has a narrative problem. The vendors who dominate the conversation are incentivized to sell fear of sophisticated nation-state actors because that justifies enterprise pricing.
Meanwhile, the actual threats hitting most organizations are boring: commodity attackers, bulletproof hosting, and script kiddies running automated scans from cheap VPS providers.
Germany and Netherlands: 54%. China: 3%.
The next time you read a threat report claiming a "surge in Chinese cyber operations," ask yourself: is this data, or is this marketing?
*DugganUSA publishes free threat intelligence via our STIX feed and OTX pulses. 40,000+ indicators contributed. $0 raised.*
• [CrowdStrike 2025 Global Threat Report](https://www.crowdstrike.com/en-us/global-threat-report/)
• [Palo Alto Unit 42 2025 Reports](https://unit42.paloaltonetworks.com/)
• [Wiz Cloud Attack Retrospective 2025](https://www.wiz.io/reports/cloud-attack-report-2025)
• [CISA KEV Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
Get Free IOCs
Subscribe to our threat intelligence feeds for free, machine-readable IOCs:
AlienVault OTX: https://otx.alienvault.com/user/pduggusa
STIX 2.1 Feed: https://analytics.dugganusa.com/api/v1/stix-feed
Questions? [email protected]