DugganUSA LLC is a cybersecurity company based in Minnesota that builds AI-powered threat intelligence tools. Our platform indexes over 1 million indicators of compromise (IOCs), 400,000+ DOJ Epstein documents, and provides a free STIX 2.1 threat feed consumed by Fortune 500 companies and defense contractors.

Butterbot is DugganUSA's AI-powered security chatbot with 40+ tools for searching IOCs, correlating threat indicators, traversing threat graphs, analyzing behavioral patterns, and running CARVER risk assessments. It uses OpenAI function calling with Meilisearch-backed indexes.

What is AIPM (AI Presence Management)?

AIPM is a tool that audits how AI models (GPT, Claude, Gemini, Perplexity) perceive and recommend your brand. It calculates an AIPM-NPS score by directly querying AI models, analyzes your website structure for AI crawler readiness, and provides optimization recommendations. Think 'SEO for the LLM era.'

Is the Epstein Files search free?

Yes. The Epstein Files Search at epstein.dugganusa.com offers a free tier with 500 queries per day. It covers all 12 DOJ EFTA datasets (400K+ documents), 2M+ ICIJ offshore entities, and 2M+ federal decisions. Professional and enterprise tiers are available for researchers and journalists needing higher limits.

Who founded DugganUSA?

DugganUSA was founded by Patrick Duggan on December 1, 2025, in Minnesota. Patrick's background includes Dell EMC, Palo Alto Networks, and embedded work at Microsoft on JEDI/Azure Stack. The company's D-U-N-S number is 14-363-3562.

What is the DugganUSA STIX feed?

DugganUSA operates a free STIX 2.1 threat intelligence feed at analytics.dugganusa.com/api/v1/stix-feed. It contains 1M+ indicators of compromise including botnet C2s, malicious IPs, and attack infrastructure. The feed is TAXII 2.1 compliant and is consumed by major organizations including Microsoft, AT&T, Amazon, and defense contractors.

Doomsday for Cybercriminals: BreachForums Gets Breached

Patrick Duggan
Jan 11
3 min read

The Hunters Become the Hunted

January 9, 2026. A date that will live in cybercriminal infamy.

Someone calling themselves "James" - possibly a former ShinyHunters member - dumped the entire BreachForums database. 323,986 user records. Credentials. Emails. IPs. Registration data. Everything.

The next day, they published the password to the forum's PGP private key.

The largest dark web forum for data leaks just got data leaked.

What Got Exposed

Field	Value
Total Users	323,986
Database	MySQL (MyBB forum software)
Table	hcclmafd2jnkwmfufmybb_users
Contents	Credentials, emails, IPs, registration metadata
PGP Key	Private key password published

The Admin Accounts

Handle	Role	Email	IP
ShinyHunters	Admin	[email protected]	185.93.3.195
888	Moderator	[email protected]	-
Tanaka	Super Moderator	[email protected]	-
Hollow	Super Moderator	[email protected]	-
Loki	Moderator	[email protected]	-

The ShinyHunters admin used a Pokemon-themed email. Of course they did.

The ShinyHunters Admin IP

185.93.3.195

Network:   CDN77-MADRID-1
Provider:  CDN77.com
Location:  Madrid, Spain
Owner:     DataCamp Limited (London, UK)
AbuseIPDB: Score 1 (clean)

They're routing through legitimate CDN infrastructure. Smart OPSEC - CDN77 is a real content delivery network used by legitimate businesses. Hides in plain sight.

But now we know the entry point.

The "888" Connection

This is where it gets interesting.

Moderator 888 - email [email protected] - is the same threat actor who:

Date	Action
December 2025	Breached ESA (European Space Agency)
December 2025	Leaked 200GB from Bitbucket repositories
January 2026	Posted ESA spacecraft data on BreachForums

We covered 888's ESA breach in Scattered Spider Goes to Space. Now their email is burned.

The actor who leaked spacecraft operational procedures just got doxed on their own forum.

Infrastructure

The Leak Site

Field	Value
Domain	shinyhunte[.]rs
Registered	October 2, 2025
Registrar	Webglobe d.o.o.
Admin Contact	Key-Systems GmbH (St. Ingbert, Germany)
DNS	Cloudflare
Previous Hosting	DDoS-Guard

Timeline of Compromise

Date	Event
March 21, 2023	BreachForums shut down after Conor Brian Fitzpatrick arrest
Post-2023	Forum reopens under ShinyHunters / "Baphomet"
May 15, 2024	Domain seized, recovered via EPP code within hours
April 2025	ShinyHunters claimed MyBB zero-day, migrated infrastructure
October 2, 2025	shinyhunte[.]rs domain registered
January 9, 2026	"James" leaks full database
January 10, 2026	PGP private key password published

The PGP Problem

The forum's PGP private key password is now public.

Forge official admin communications
Verify historical signed messages (prove authenticity)
Impersonate ShinyHunters leadership
Decrypt any messages encrypted to that key

Every "official" forum announcement is now suspect. Trust in the platform is zero.

Geographic Distribution

Threat actors in the database originate from:

Region	Countries
North America	United States
Europe	Germany, Netherlands, France, United Kingdom
Middle East	Turkey
MENA	Morocco, Jordan, Egypt

Intel Value

For Law Enforcement

Ransomware affiliates
Data brokers
Extortionists
Sextortion operators
Credential stuffers
The entire dark web data trade ecosystem

Email addresses. IP addresses. Registration timestamps. Behavioral patterns. Cross-reference with existing investigations. Connect pseudonyms to real identities.

For Defenders

185.93.3.195 - ShinyHunters admin (CDN77 Madrid)
shinyhunte[.]rs - Leak site domain
Email patterns for attribution

For the Cybercriminal Ecosystem

Trust collapse. If BreachForums can't protect its own users, who can? The irony is perfect - a forum built on stolen data gets its data stolen.

IOCs

Infrastructure

Type	Value	Context
IPv4	185.93.3.195	ShinyHunters admin IP
Domain	shinyhunte[.]rs	Leak distribution site
Email	[email protected]	ShinyHunters admin
Email	[email protected]	Moderator "888" (ESA breach actor)
Email	[email protected]	Moderator "Tanaka"

Network Context

Field	Value
ASN	CDN77 (AS60068)
Netblock	185.93.0.0/22
Registrant	DataCamp Limited
Abuse Contact	[email protected]

The Pattern

BreachForums has been compromised multiple times:

2023: Founder arrested, forum shut down
2024: Domain seized (recovered quickly)
2025: Claimed zero-day, emergency migration
2026: Full database leaked by insider

Each time they rebuilt. Each time they claimed better security. Each time they got owned.

The forum that sold 323,986 people's data just had 323,986 people's data sold.

What Happens Next

Mass password resets (futile - emails are burned)
Forum migration attempts
Trust collapse in the ecosystem
Law enforcement cross-referencing

Arrests (some of these 323,986 will get knocks on doors)
Ecosystem fragmentation (smaller, more paranoid forums)
Increased OPSEC paranoia
More insider threats (trust no one)

The Lesson

There's a certain poetry to it.

A forum built entirely on stolen data. A community that celebrated every breach, every leak, every violation of privacy. A marketplace where 323,986 people traded in human misery.

And then someone did to them what they did to everyone else.

The cybercriminal's dilemma: you can't trust anyone, because everyone is exactly like you.

Resecurity - Doomsday for Cybercriminals
DugganUSA - Scattered Spider Goes to Space
CDN77/DataCamp WHOIS records
AbuseIPDB enrichment

Her name is Renee Nicole Good.

Doomsday for Cybercriminals: BreachForums Gets Breached

The Hunters Become the Hunted

What Got Exposed

The Admin Accounts

The ShinyHunters Admin IP

The "888" Connection

Infrastructure

The Leak Site

Timeline of Compromise

The PGP Problem

Geographic Distribution

Intel Value

For Law Enforcement

For Defenders

For the Cybercriminal Ecosystem

IOCs

Infrastructure

Network Context

The Pattern

What Happens Next

The Lesson

Recent Posts

Comments