DPRK Read Our Math: How North Korea Inverted Blockchain Vulnerability
- Patrick Duggan
- Jan 2
The Setup
In October 2025, we published "The Math on Blockchain Security Theater: Quorum Attacks for $0-$50."
The thesis was simple: enterprise blockchain security is theater. Oracle Cloud's Always Free Tier gives you 4 ARM cores per account. Spin up 13 accounts with different emails, and you control 52 validator nodes. That's enough to take over quorum on most enterprise deployments.
Cost to attack "secure enterprise blockchain": $0.
We showed the receipts. Hyperledger Fabric, Quorum, any permissioned chain - all vulnerable to a script kiddie with stolen credit cards and patience.
The piece ended with a table:

| Chain Type | Attack Cost |
|---|---|
| Ethereum (public) | $27 billion |
| Hyperledger Fabric | $0-$50/month |
| Quorum (JPMorgan) | $1-$3/month |
Ethereum was safe because Proof of Stake requires controlling 51% of staked ETH - roughly $27 billion at current prices. Economic security, not cryptographic theater.
We published. We moved on.
The Payoff
December 28, 2025. Sunday morning threat sweep. Coffee in hand.
DPRK surfaces with new toys. Two days after CVE-2025-55182 (React2Shell) dropped, North Korean actors had already weaponized it. But the exploit wasn't interesting.
The command and control was.
EtherHiding: They built a C2 system that stores its address in an Ethereum smart contract. It:
- Queries 9 different Ethereum RPC endpoints in parallel
- Uses consensus voting to determine the real C2 URL
- Retrieves the address from the blockchain
- Connects to the attacker's server
They read our math. And they inverted it.
The Inversion
Our October analysis said:
- Enterprise blockchain (permissioned) = vulnerable to a $0 attack
- Public blockchain (Ethereum) = economically secure ($27B to attack)
- The weakness is centralized validator trust

Their takeaway:
- Don't attack the chain
- Don't try to control validators
- Freeload the read layer
The RPC endpoints (Infura, Alchemy, Ankr, etc.) provide free oracle compute. You can read from the blockchain without paying gas. Query as many endpoints as you want. They're designed for high availability.
DPRK turned our vulnerability analysis into a feature set:
| Our Finding | Their Application |
|---|---|
| Public chain economically secure | Use it as immutable bulletin board |
| Can't 51% attack Ethereum | Don't need to - just store data |
| RPC endpoints are free | Free C2 lookup infrastructure |
| Consensus voting resists poisoning | Query 9 endpoints, majority wins |
They didn't attack the blockchain. They used it as free, untakeable infrastructure.
Why "Untakeable" Matters
Traditional C2 takedown:
1. FBI identifies malicious server
2. Subpoena to hosting provider
3. Server seized or null-routed
4. Malware orphaned

EtherHiding takedown:
1. FBI identifies smart contract address
2. Call... who exactly?
Ethereum Foundation? They don't control the chain.
Infura? There are 8 other RPC providers.
Vitalik Buterin? Smart contracts are immutable by design.
The C2 address lives on-chain forever. Update it anytime by calling the contract. No re-infection needed. Victims auto-discover new C2 on next beacon.
Researchers can't poison the pool - consensus voting across 9 endpoints filters out injected responses.
It's domain-native persistence. DPRK steals billions in crypto. They live in this ecosystem. Hiding C2 infrastructure on Ethereum is like a bank robber hiding getaway car keys in the vault.
The Free Oracle Compute Angle
From our October piece:
Oracle Cloud ARM - Always Free Tier
- 4 ARM cores (Ampere A1)
- 24 GB RAM
- 10 TB outbound bandwidth/month
- Forever free
We meant this as an attack vector for quorum consensus.
DPRK read it as: "Free compute exists. What else is free?"
Answer: Ethereum RPC queries.
- Infura: 100K requests/day free
- Alchemy: 300M compute units/month free
- Ankr: Public endpoints, no auth required
- QuickNode: 10M API credits free
That's unlimited C2 lookups. Forever. No stolen credit cards needed.
The blockchain itself becomes the oracle. The RPC providers become free compute for reading it. And nobody can turn it off because decentralization is the feature, not the bug.
IOCs (Block These)
EtherRAT Staging: `193.24.123.68`
React2Shell C2 (used in same campaign): `193.34.213.150`, `154.89.152.240`, `107.174.123.91`, `38.165.44.205`, `45.76.155.14`, `216.238.68.169`, `78.153.140.16`, `80.64.16.241`, `2.56.176.35`
Detection Opportunity:
Hunt for Ethereum RPC traffic from your web servers:
- `eth_call`
- `eth_getStorageAt`
- Any Infura/Alchemy/Ankr endpoint
If you find any? You're already compromised.
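One way to run that hunt over egress-proxy logs, as an added example that is not code from the original post or from DugganUSA: it flags `eth_call`/`eth_getStorageAt` POSTs to known RPC providers and, separately, any single host that fans out to several providers within a minute, which is what the 9-endpoint parallel lookup looks like from the network side. The log format, the provider domain list and the sample lines are all constructed assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

RPC_PROVIDER_DOMAINS = ("infura.io", "alchemy.com", "ankr.com")  # assumed, illustrative
SUSPECT_METHODS = {"eth_call", "eth_getStorageAt"}  # the lookup primitives the post lists
FANOUT_WINDOW = timedelta(seconds=60)
FANOUT_THRESHOLD = 3  # distinct providers hit by one host inside the window
# Constructed sample egress log, not real traffic: "<ts> <src_host> <dst_url> <post_body>".
SAMPLE_LOG = """\
2025-12-28T09:00:05Z web-01 https://mainnet.infura.io/v3/PROJECT_ID {"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0x00000000000000000000000000000000000c0ffe","data":"0xdeadbeef"},"latest"],"id":1}
2025-12-28T09:00:05Z web-01 https://eth-mainnet.g.alchemy.com/v2/API_KEY {"jsonrpc":"2.0","method":"eth_getStorageAt","params":["0x00000000000000000000000000000000000c0ffe","0x0","latest"],"id":2}
2025-12-28T09:00:06Z web-01 https://rpc.ankr.com/eth {"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0x00000000000000000000000000000000000c0ffe","data":"0xdeadbeef"},"latest"],"id":3}
2025-12-28T09:30:00Z web-02 https://mainnet.infura.io/v3/PROJECT_ID {"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}
"""

def rpc_method(url, body):
    """JSON-RPC method name if the POST targets a known RPC provider, else None."""
    if not (urlparse(url).hostname or "").endswith(RPC_PROVIDER_DOMAINS):
        return None
    try:
        return json.loads(body).get("method")
    except (ValueError, AttributeError):
        return None

def hunt(log_text):
    """Flag suspect reads (eth_call/eth_getStorageAt) and hosts fanning out to several providers."""
    findings, hits = [], defaultdict(list)  # hits: src host -> [(ts, provider host)]
    for line in log_text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) != 4:
            continue
        ts, src, url, body = parts
        method = rpc_method(url, body)
        if method is None:
            continue
        host = urlparse(url).hostname
        hits[src].append((datetime.fromisoformat(ts.replace("Z", "+00:00")), host))
        if method in SUSPECT_METHODS:
            findings.append({"kind": "rpc_read", "src": src, "method": method, "host": host})
    # The parallel multi-endpoint lookup shows up as one host touching many providers at once.
    for src, seen in hits.items():
        seen.sort()
        for i, (ts, _) in enumerate(seen):
            providers = {h for t, h in seen[i:] if t - ts <= FANOUT_WINDOW}
            if len(providers) >= FANOUT_THRESHOLD:
                findings.append({"kind": "rpc_fanout", "src": src, "providers": sorted(providers)})
                break
    return findings
```

Ordinary reads such as `eth_blockNumber` still count toward the fan-out check but are not flagged on their own, so a legitimate blockchain-integrated service is not paged on every request.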
The Uncomfortable Truth
We published vulnerability research. Nation-state actors read it and found an application we didn't consider.
This isn't a criticism of our work. The quorum attack math is still valid - enterprise blockchain remains security theater. The point is that adversaries are reading the same research we are.
When we write "here's how to attack X for $0," someone in Pyongyang (or Beijing, or Moscow) is taking notes. They're not just consuming threat intel. They're consuming vulnerability research and finding novel applications.
DPRK didn't discover that Ethereum RPC is free. They read our analysis of free cloud compute, extrapolated to free blockchain compute, and built C2 infrastructure on it.
They're doing R&D. On our research.
What Comes Next
EtherHiding is version 1.0. Expect:
- Multi-chain resilience: Store C2 on Ethereum, Polygon, Arbitrum, Base simultaneously
- Smart contract obfuscation: Hide C2 address in complex contract state
- Cross-chain consensus: Query multiple chains, not just multiple endpoints
- L2 migration: Cheaper writes, same read availability
- ENS integration: Human-readable C2 names that resolve on-chain
The substrate shifted. Once you realize the blockchain is a free, immutable, globally-distributed bulletin board with unlimited read capacity, the applications multiply.
The Meta-Lesson
Cui bono from our research?
- Defenders who read it and hardened their blockchain deployments
- DPRK, who read it and built untakeable C2 infrastructure
We can't control who reads public research. We can only make sure defenders get there first.
That's why we publish IOCs same-day. That's why the STIX feed is free. That's why this blog post exists before DPRK's next campaign.
The race isn't to discover vulnerabilities. It's to get the defense deployed before the offense catches up.
Today, we're publishing the detection opportunity (Ethereum RPC traffic from web servers) before it becomes the next big campaign.
Tomorrow, we'll see if we were fast enough.
Get Protected
- OTX Pulse: DPRK EtherRAT
- STIX 2.1 Feed: `curl https://analytics.dugganusa.com/api/v1/stix-feed`
- Our October Analysis: The Math on Blockchain Security Theater
Free. Machine-readable. No NDA required.
They read our math. They inverted it. Now you know too.
Analysis by DugganUSA Threat Intelligence - January 2, 2026