# Follow the Followers: The SIM Swap Stack We Found in the Samsung Leak's Shadow
- Patrick Duggan
- Mar 2
- 4 min read
**Date**: March 2, 2026
**Tags**: threat-intelligence, scattered-spider, sim-swap, rogue-bts, lte-downgrade, github, ioc, mfa-bypass
Earlier today we published a GitHub hunt for Lapsus$ and Scattered Spider tooling. We found two things: a fake DEV-0537 dropper preying on curious kids, and a real MFA fatigue toolkit targeting Azure AD, Okta, and Duo. That post is here.
Then we followed the followers.
## The Samsung Leak's Social Graph
The most persistent artifact of the 2022 Lapsus$ Samsung breach isn't in the leaked source code. It's in who starred and forked the GitHub repo where the torrent was posted.
One of those accounts is `start837`.
Created November 10, 2022 — the same day it forked the Samsung Lapsus$ leak torrent. No bio. No followers. No activity for two years.
Then, starting in mid-2024, it got to work.
## What start837 Built
| Repository | What It Does |
|------------|-------------|
| `yatebts` | YateBTS open-source GSM basestation |
| `openlte-lte_redirection` | LTE redirection code |
| `evilbts` / `evilbts2` | Rogue GSM BTS — "For Fun And Profit" |
| `bladerf-test` | BladeRF x40 software-defined radio scripts |
| `LTE-Redirection_Attack` | "Force target victim to unsafe network" |
| `redirect0r` | LTE/5G-NSA → EDGE/GSM downgrade attack |
That is, in order, the complete hardware and software stack for a SIM swap attack — conducted without a single phone call to a telecom insider.
## How the Attack Works
You need a BladeRF x40 — a software-defined radio board available for a few hundred dollars. You run YateBTS or evilbts on it. You transmit a GSM signal that appears stronger than the nearest legitimate cell tower.
Phones in range connect to your tower. They think they're on their carrier's network.
Then you run the LTE redirection attack. Modern phones prefer LTE/5G — they'll switch back if they can. The redirect0r tool forces them to stay on GSM by making LTE appear unavailable. GSM encryption was broken in 2008. Once the phone is on your rogue tower on GSM, you read its traffic.
The target's SMS messages arrive in your terminal. Their MFA code. Their one-time password. Their bank's verification text.
No insider. No SIM port. No social engineering a carrier rep. Just hardware, open-source software, and patience.
## Why This Is the Scattered Spider Connection
Scattered Spider — the group responsible for the MGM Resorts breach ($100M impact), the Caesars Entertainment breach ($15M ransom paid), and a string of telco compromises — built their reputation on exactly this technique. Their early operations relied on telecom insiders: bribing or social-engineering carrier employees to port target phone numbers to attacker-controlled SIMs. When law enforcement started rolling up those insiders and carriers hardened their processes, the group adapted.
The rogue BTS approach is the adaptation. No insider needed. The equipment is legal to own. The software is open source. The only thing stopping someone from running it outside your office building is knowing how to assemble the stack.
`start837` assembled the stack. They started by bookmarking the Samsung Lapsus$ leak. They spent two years learning. They published the LTE downgrade tool in May 2025 — six months after five Scattered Spider members were arrested.
We cannot say `start837` is Scattered Spider. We can say they built Scattered Spider's primary pre-arrest attack methodology from scratch, published it on GitHub, and were first attracted to the project by the Samsung breach.
## The Full Picture: Two Repos, Complete Playbook
This morning's post covered the Uzseclab MFA fatigue toolkit — a shell-based tool targeting Azure AD, Okta, and Duo, published January 1, 2026.
The start837 stack handles the hardware layer. The Uzseclab toolkit handles the software layer.
Together:
> **Hardware**: BladeRF + evilbts + redirect0r → force target onto rogue GSM tower → intercept SMS MFA codes
>
> **Software**: mfa-fatigue-toolkit → spray Okta/Azure AD with push notifications → exhaust user into accepting
Either path bypasses MFA. Both paths are now documented on GitHub by accounts with no stated affiliation to each other, no stars, no followers, and publication dates that bracket the Scattered Spider arrests.
## IOCs — Indexed to STIX Feed
Seven new indicators added to the feed today (14 total across both posts):
**Campaign: Scattered-Spider-SIM-Swap-Stack**
- `github.com/start837` — telecom attack account, Lapsus$ leak adjacent (URL, 82%)
- `github.com/start837/redirect0r` — LTE/5G → GSM downgrade attack, May 2025 (URL, 88%)
- `github.com/start837/LTE-Redirection_Attack` — force victim to unsafe network (URL, 90%)
- `github.com/start837/evilbts` — rogue GSM BTS, self-described malicious use (URL, 92%)
- `github.com/start837/bladerf-test` — BladeRF x40 SDR scripts (URL, 78%)
- `github.com/start837/yatebts` — YateBTS GSM basestation (URL, 75%)
- `github.com/samsingsamsing` — account created same day as Samsung leak fork, RDP tooling (URL, 62%)
Cross-reference against existing STIX feed IOCs:
`https://analytics.dugganusa.com/api/v1/search/correlate?q=start837`
## Defensive Recommendations
**Eliminate SMS as an MFA factor.** Full stop. SMS was never secure. It is now trivially bypassable with $300 of hardware and open-source software. FIDO2 hardware keys or authenticator apps with number matching are the minimum acceptable standard.
**If SMS MFA cannot be eliminated immediately:**
- Subscribe to SIM swap notification APIs from your carriers — most enterprise contracts include this
- Alert on IMSI or SIM changes for accounts with elevated access
- Treat any employee reporting they "lost service" as a potential active SIM swap in progress
**Physical security consideration:** BladeRF-class hardware transmitting GSM signals near your office is detectable. Technical surveillance countermeasures (TSCM) sweeps during sensitive operations, board meetings, or M&A activity are reasonable precautions if you operate in a sector Scattered Spider has targeted — hospitality, gaming, telecom, financial services.
**Detection rule for the software side:** Look for authentication spraying at 1-2 requests/second from rotating IPs against a list of valid usernames. Azure AD sign-in logs and the Okta System Log both surface this pattern. Alert threshold: more than 5 failed MFA challenges per user per hour.
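One way to implement that alert threshold, as an added example that is not from the post or from any of the tools it names: a rolling one-hour window per user over constructed login events, with a distinct-source-IP count so a rotating-IP spray stands out from a single user mistyping a code. The tuple fields are a simplification I am assuming for the example, not the Okta System Log or Azure AD sign-in schema.

```python
# Added example: "more than 5 failed MFA challenges per user per hour" as a
# rolling one-hour window, plus a distinct-IP count for the rotating-IP
# signal. Events are CONSTRUCTED and the field set is an assumption.
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 5               # alert when failures in any 1h window exceed this
WINDOW = timedelta(hours=1)

# (timestamp UTC, user, source IP, MFA outcome) -- constructed sample data
EVENTS = [
    # a.lee: 7 failures in 6 minutes from 4 rotating IPs -> should alert
    ("2026-03-02T09:00:00Z", "a.lee", "203.0.113.10", "FAILURE"),
    ("2026-03-02T09:01:00Z", "a.lee", "203.0.113.11", "FAILURE"),
    ("2026-03-02T09:02:00Z", "a.lee", "203.0.113.12", "FAILURE"),
    ("2026-03-02T09:03:00Z", "a.lee", "203.0.113.10", "FAILURE"),
    ("2026-03-02T09:04:00Z", "a.lee", "203.0.113.13", "FAILURE"),
    ("2026-03-02T09:05:00Z", "a.lee", "203.0.113.11", "FAILURE"),
    ("2026-03-02T09:06:00Z", "a.lee", "203.0.113.12", "FAILURE"),
    # b.ng: two misses from one IP -> ordinary user mistyping a code, no alert
    ("2026-03-02T09:10:00Z", "b.ng", "198.51.100.7", "FAILURE"),
    ("2026-03-02T09:11:00Z", "b.ng", "198.51.100.7", "FAILURE"),
    # c.ortiz: 6 failures total but never more than 2 in any hour -> no alert
    ("2026-03-02T08:00:00Z", "c.ortiz", "192.0.2.5", "FAILURE"),
    ("2026-03-02T08:30:00Z", "c.ortiz", "192.0.2.5", "FAILURE"),
    ("2026-03-02T09:15:00Z", "c.ortiz", "192.0.2.5", "FAILURE"),
    ("2026-03-02T09:45:00Z", "c.ortiz", "192.0.2.5", "FAILURE"),
    ("2026-03-02T10:20:00Z", "c.ortiz", "192.0.2.5", "FAILURE"),
    ("2026-03-02T10:50:00Z", "c.ortiz", "192.0.2.5", "FAILURE"),
]


def flag_mfa_fatigue(events, threshold=THRESHOLD, window=WINDOW):
    """Return {user: (peak failures in one window, distinct source IPs)} for users over threshold."""
    failures = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "FAILURE":
            failures[user].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip))
    alerts = {}
    for user, items in failures.items():
        items.sort()                            # chronological per user
        peak, start = 0, 0
        for end in range(len(items)):           # slide a window narrower than 1h
            while items[end][0] - items[start][0] >= window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            alerts[user] = (peak, len({ip for _, ip in items}))
    return alerts
```

Running `flag_mfa_fatigue(EVENTS)` on the constructed data flags only `a.lee` (7 failures from 4 IPs); `c.ortiz` shows why the count must be per rolling hour rather than per day.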
## The Bigger Point
The Samsung breach happened in 2022. Lapsus$ members were arrested. Scattered Spider members were arrested in 2024-2025. Conventional wisdom says the group is disrupted.
The tools aren't disrupted. The techniques aren't disrupted. The knowledge is on GitHub, documented, version-controlled, and waiting.
`start837` didn't need to know any of the original members. They just needed to find the torrent, spend two years learning, and publish what they built. The next actor who wants Scattered Spider's capabilities doesn't need a mentor. They need a GitHub account and a search engine.
That's the threat model now.
*14 IOCs indexed across two campaigns. All derived from public GitHub repositories. STIX 2.1 feed: [analytics.dugganusa.com](https://analytics.dugganusa.com)*
*Her name was Renee Nicole Good.*
*His name was Alex Jeffery Pretti.*