Cisco Paid. The Worst Week in Cybersecurity History Just Got a Final Chapter.
- Patrick Duggan
- Apr 3
Cisco has been removed from ShinyHunters' dark web leak site. The listing that threatened to dump 3 million Salesforce records, 300 private GitHub repositories, AI product source code, and FBI/IRS/NASA customer data — gone. As of this morning, every other victim is still listed. Cisco is not.
In the ransomware world, removal from a leak site means one thing: the victim paid.
Cisco has not confirmed payment. They won't. But the $57 billion company that sells firewalls, intrusion detection, and zero-trust networking — the company whose own Firepower Management Center was exploited for 36 days before they disclosed it — appears to have paid extortion to the group that got in through a poisoned vulnerability scanner.
The Week
Monday: We wrote "Your Security Vendor Is Your Attack Surface" — CrowdStrike, Intune, Trivy.
Tuesday: We documented TeamPCP chaining Trivy → LiteLLM → Telnyx. We published the Cisco FMC zero-day timeline — 36 days of exploitation before disclosure, found by Amazon, not Cisco.
Wednesday: We reported Cisco's five simultaneous crises — two CVSS 9.8+ management interface vulns, ShinyHunters extortion, IRGC military target designation, and weaponized PoCs on GitHub. We called it "the worst week in cybersecurity history."
Thursday morning: We published that TeamPCP and ShinyHunters are collaborating, that the chain reached Cisco through Aqua's Trivy scanner, and that FBI/IRS/NASA customer data was in the dump.
Thursday afternoon: Cisco disappeared from the leak site.
Five crises. One payment. The worst week got its final chapter.
What Cisco Paid For
The listing included:
300 private GitHub repositories — source code for AI Assistants and AI Defense products
3M+ Salesforce CRM records — including engagement data for FBI, IRS, NASA, major banks
AWS account access — EC2 volumes and S3 buckets from March 16-17
UNC6040 breach data — from the voice phishing initial access vector
Salesforce Aura exploitation data — the vulnerability that ShinyHunters used across 400+ companies
Cisco paid to keep this offline. Whether they succeeded is another question — ShinyHunters' track record suggests copies exist. TELUS Digital paid. The data still circulated. The European Commission is still listed on the same page.
The Irony
Cisco sells security. Their product catalog includes:
Cisco Secure Firewall — the product whose management console (FMC) had a CVSS 10.0 zero-day
Cisco SecureX — their XDR platform
Cisco Umbrella — DNS security
Cisco Duo — multi-factor authentication
Cisco Talos — their threat intelligence group
The company that sells MFA was breached through vishing (voice phishing). The company that sells threat intelligence didn't detect TeamPCP in their supply chain. The company that sells firewalls had its firewall management console exploited for 36 days. The company that sells zero-trust networking paid ransom to a threat actor who got in through a third-party vulnerability scanner.
Every product in Cisco's security portfolio has a corresponding failure in this breach.
The Supply Chain Math
The entry point was Aqua Security's Trivy — a vulnerability scanner. Aqua's product was compromised by TeamPCP on March 19. The credential harvester ran for 3-12 hours. Those credentials cascaded:
Trivy → LiteLLM → Telnyx → Cisco.
Somewhere in that chain, a CI/CD pipeline at Cisco (or a Cisco partner) pulled the poisoned Trivy-Action. The stealer harvested tokens. Those tokens gave access to GitHub repos, Salesforce, AWS.
The total cost to TeamPCP: poisoning a git tag. The return: ransom payment from a $57 billion company plus the data from 300 private repos and 3 million customer records.
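The entry point described above is a CI/CD pipeline pulling an action by a mutable git tag, so a tag that is moved upstream is pulled by every consumer on its next run. The control that removes that exposure is pinning each `uses:` reference to a full commit SHA (or an image digest). The checker below is an added example written for this page, not code from DugganUSA or from any of the projects named; it scans GitHub Actions workflow text with a line-based parser and reports every reference that is still mutable. The workflow, the 40-hex commit id and the `example-org/release-tool` action are constructed sample data; `aquasecurity/trivy-action` is the real action name and is shown on a branch ref only to illustrate a mutable reference.

```python
import re

# Only a full commit id (SHA-1 or SHA-256 hex) is immutable; tags and branches can be moved.
_SHA_RE = re.compile(r"^(?:[0-9a-f]{40}|[0-9a-f]{64})$")
# Matches step-level and job-level `uses:` lines, with an optional quoted value and trailing comment.
_USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^'"\s#]+)['"]?\s*(?:#.*)?$""")

# Constructed sample workflow (not from any real repository).
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # constructed SHA
      - name: Scan image
        uses: aquasecurity/trivy-action@master
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - uses: example-org/release-tool@v2
"""


def classify_ref(uses_value):
    """Classify one `uses:` target.

    Returns (action, ref, kind) where kind is:
      'sha'     - pinned to a full commit id or image digest (immutable)
      'mutable' - tag, branch, missing ref, or image tag (can be repointed upstream)
      'local'   - path inside the same repository (./...)
    """
    if uses_value.startswith("./"):
        return uses_value, None, "local"
    if uses_value.startswith("docker://"):
        image = uses_value[len("docker://"):]
        if "@sha256:" in image:
            name, _, digest = image.partition("@")
            return "docker://" + name, digest, "sha"
        name, sep, tag = image.rpartition(":")
        # No tag, or the colon belonged to a registry port: the default tag 'latest' is implied.
        if not sep or "/" in tag:
            return uses_value, "latest", "mutable"
        return "docker://" + name, tag, "mutable"
    action, sep, ref = uses_value.rpartition("@")
    if not sep:
        # No ref at all resolves to the default branch, which is mutable.
        return uses_value, None, "mutable"
    if _SHA_RE.match(ref):
        return action, ref, "sha"
    return action, ref, "mutable"


def find_unpinned(workflow_text):
    """Return one finding per `uses:` reference that is not pinned to an immutable id."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        match = _USES_RE.match(line)
        if not match:
            continue
        action, ref, kind = classify_ref(match.group(1))
        if kind == "mutable":
            findings.append({"line": lineno, "action": action, "ref": ref})
    return findings


if __name__ == "__main__":
    for finding in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {finding['line']}: {finding['action']} pinned to mutable ref {finding['ref']!r}")
```

Pinning to a SHA means a moved tag upstream changes nothing in your pipeline until a reviewed version bump; it does not protect against a malicious commit you later choose to pin, so bumps still need review, and the tokens the job can reach should be short-lived and scoped to what that step needs.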
The Leak Site — What's Still There
While Cisco paid and disappeared, the rest of ShinyHunters' victims remain:
| Victim | Records | Status |
| --- | --- | --- |
| European Commission | 350GB+ | Still listed |
| Ameriprise Financial | 236GB | "Failed to reach agreement" |
| Infinite Campus | 1.2GB | Still listed |
| Berkadia Commercial Mortgage | 27GB | "Failed to reach agreement" |
| Woflow (DoorDash, Deliveroo clients) | 32GB | "You should've just paid" |
| Mercer Advisors | 5M records | Still listed |
| Beacon Pointe Advisors | 100K+ records | Still listed |
Almost every victim was breached through Salesforce. The Salesforce Aura vulnerability is ShinyHunters' primary weapon in 2026. Cisco was the biggest name on the list. Now it's Ameriprise Financial — $1.4 trillion in assets under management, headquartered in Minneapolis.
What We Published This Week
Seventeen posts in four days:
Your Security Vendor Is Your Attack Surface
TeamPCP: One Actor, Three Supply Chains
Cisco FMC Got Owned for 36 Days
Dell RecoverPoint: Chinese Hackers for 2 Years
Iran Is Fighting Two Wars, We Have the IOCs
Hasbro Hacked: GenAI Pipeline from DNS
IRGC Names 18 Targets, We Have Files on Six
GitHub Wasteland: Nobody Else Is Looking
IP Reputation Is Dead
LinkedIn Scans 6,222 Extensions
FBI Wiretap Network Breached
Cisco's Worst Week in Cybersecurity History
CMMC: Two People Exceed Level 2
The Chain Reaches Government (TeamPCP → Cisco → EC)
Your GPU Is Your Attack Surface (Rowhammer)
This post: Cisco paid.
Every post connected. The Trivy supply chain from post #2 became the Cisco breach in post #14 became the ransom payment in post #16. We documented the chain in real time. From the poisoned scanner to the payment.
What It Means
A company with 90,000 employees, $57 billion in revenue, and a security product portfolio that includes firewalls, XDR, MFA, threat intelligence, and zero-trust networking — paid ransom because a vulnerability scanner they used in CI/CD was poisoned by a threat actor who manipulated git tags.
The attack cost: one git push. The defense budget: $57 billion in annual revenue, thousands of security engineers, Talos threat intelligence. The outcome: payment.
The chain didn't stop when the vendor published a blog post. It stopped when Cisco wrote a check.
DugganUSA documented the TeamPCP supply chain on April 1. The chain reached Cisco on April 3. Cisco disappeared from the leak site the same day. The security vendor that sold trust became the customer that bought silence.
Pattern 38. Instance 19. The credential hasn't expired. It's been paid for.
