
Hello, Is It Me You're Looking For? A Cautionary Tale About WordPress Honeypots

  • Writer: Patrick Duggan
  • Dec 14, 2025
  • 3 min read

The Setup


At 09:25 UTC on a quiet Saturday morning, our WordPress honeypot at analytics.dugganusa.com received a visitor from Frankfurt. Nothing unusual—we get dozens of wp-login.php probes daily from cloud infrastructure worldwide.


But this one was different.


Thirty-eight seconds after the initial GET request from 81.199.26.7, a POST request arrived from a different IP—85.203.15.182. Same User-Agent (iPhone iOS 18.7), same datacenter (Clouvider, Frankfurt), different IP. Classic proxy rotation.


The credentials submitted?



```
username: hello
password: Is it me you're looking for?
```


Someone was singing Lionel Richie to our honeypot.


The Investigation


A romantic gesture? A security researcher with a sense of humor? Let's check the receipts.



• 81.199.26.7: Abuse score 35, 10 reports from 7 users, last reported *today*

• 85.203.15.182: Abuse score 30, 6 reports from 5 users



• 81.199.26.7: Present in 7 threat intelligence pulses, including:

• 85.203.15.182: Present in 5 pulses, same webscanner collections


The Moral


Here's the thing about threat intelligence in 2025: we share notes.


When you probe a honeypot, you're not just talking to one security researcher. You're adding yourself to a global ledger of suspicious activity. AbuseIPDB, OTX, ThreatFox, GreyNoise—these platforms correlate data from thousands of honeypots, firewalls, and security operations centers worldwide.


Our German friend thought they were being clever. Maybe they even chuckled while typing that Lionel Richie lyric. But here's what actually happened:


1. Their IPs were already flagged in 7+ threat intelligence feeds before they touched our honeypot
2. Their activity was logged with full headers, timing analysis, and behavioral fingerprinting
3. This blog post now exists, permanently associating those IPs with WordPress scanning activity
4. The enrichment data (ISP, ASN, geolocation, historical reports) is now part of our STIX feed that Microsoft and other enterprises poll weekly


The Technical Breakdown


For the defenders reading this, here's what the attack pattern looked like:



```
09:25:53 UTC - GET /wp-login.php
  IP: 81.199.26.7 (Clouvider/netutils.io)
  UA: iPhone iOS 18.7 Safari (spoofed)

09:26:31 UTC - POST /wp-login.php
  IP: 85.203.15.182 (Falco Networks)
  UA: iPhone iOS 18.7 Safari (same spoofed string)
  Body: {"log":"hello","pwd":"Is it me you're looking for?"}
  Referer: https://analytics.dugganusa.com//wp-login.php
```



• 38-second delay between the recon GET and the login POST (consistent with scripted timing)

• Different IPs, same User-Agent (proxy rotation without UA rotation)

• Proper referer header (mimicking browser flow)

• Double-slash in referer path (sloppy URL construction)



• First request: "Internet Utilities Europe and Asia Limited" (netutils.io)

• Second request: "Falco Networks B.V." (falco-networks.com)

• Both resolve to Clouvider infrastructure in Frankfurt
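The pattern above (a GET of wp-login.php followed within seconds by a POST from a different IP that shares the User-Agent and the hosting ASN, plus the double-slash referer) is easy to turn into a detection. The script below is an added example, not the honeypot's own code: it runs over constructed, tab-separated log lines that mirror the two requests described above, and the field layout, the ASN column (assumed to be added by an upstream enrichment step) and the 120-second window are all assumptions.

```python
"""Detect recon-then-login proxy rotation against wp-login.php.

Added example, not the honeypot's own code. Log format is an assumption:
timestamp, client IP, method, path, referer, user-agent, ASN (tab-separated).
"""
from datetime import datetime, timedelta

# Constructed sample log. The first two lines mirror the two requests in the
# post (AS62240 is the Clouvider ASN named there); the last two are a control
# case: same IP for both requests, and far outside the window.
SAMPLE_LOG = """\
2025-12-13T09:25:53Z\t81.199.26.7\tGET\t/wp-login.php\t-\tMozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac OS X) Safari\t62240
2025-12-13T09:26:31Z\t85.203.15.182\tPOST\t/wp-login.php\thttps://analytics.dugganusa.com//wp-login.php\tMozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac OS X) Safari\t62240
2025-12-13T10:02:10Z\t203.0.113.9\tGET\t/wp-login.php\t-\tcurl/8.4.0\t64496
2025-12-13T10:40:00Z\t203.0.113.9\tPOST\t/wp-login.php\thttps://analytics.dugganusa.com/wp-login.php\tcurl/8.4.0\t64496
"""


def parse_log(text):
    """Turn the tab-separated lines into event dicts with parsed timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, path, referer, ua, asn = line.split("\t")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip, "method": method, "path": path,
            "referer": referer, "ua": ua, "asn": asn,
        })
    return events


def has_double_slash_path(referer):
    """True when the referer's path part contains '//' (sloppy URL building)."""
    if referer == "-":
        return False
    return "//" in referer.split("://", 1)[-1]


def find_rotated_logins(events, window=timedelta(seconds=120)):
    """Pair each POST /wp-login.php with a preceding GET of the same path from a
    different IP that shares User-Agent and ASN: proxy rotation without UA rotation."""
    gets = [e for e in events if e["method"] == "GET" and e["path"] == "/wp-login.php"]
    hits = []
    for post in events:
        if post["method"] != "POST" or post["path"] != "/wp-login.php":
            continue
        for get in gets:
            delta = post["ts"] - get["ts"]
            if not (timedelta(0) < delta <= window):
                continue
            if get["ip"] == post["ip"] or get["ua"] != post["ua"] or get["asn"] != post["asn"]:
                continue
            hits.append({
                "recon_ip": get["ip"],
                "login_ip": post["ip"],
                "delay_s": int(delta.total_seconds()),
                "ua": post["ua"],
                "asn": post["asn"],
                "sloppy_referer": has_double_slash_path(post["referer"]),
            })
    return hits


if __name__ == "__main__":
    for hit in find_rotated_logins(parse_log(SAMPLE_LOG)):
        print(hit)
```

The control lines show why the ASN and IP checks matter: a single scanner hitting GET then POST from one address is ordinary brute-force noise and should be caught by other rules, while the GET/POST split across two addresses in the same datacenter is the fingerprint this post is about.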


What We Do With This


These IPs are now:

1. Logged in our honeypotcaptures table with full request metadata
2. Cross-referenced against AbuseIPDB, OTX, and ThreatFox
3. Available in our public STIX 2.1 feed at analytics.dugganusa.com/api/v1/stix/master
4. Added to our Cloudflare blocklist (Pattern 54 automation)
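For readers who want to publish their own captures the same way, here is what a minimal STIX 2.1 representation of these two IPs looks like. This is an added example written with the standard library only, not the DugganUSA feed code; the labels, names and description text are assumptions, and the deterministic UUIDv5 IDs are a design choice so that regenerating the feed does not hand consumers a fresh ID for the same indicator.

```python
"""Emit STIX 2.1 ipv4-addr indicators as a bundle (added example, not the feed's code).

Objects are built by hand with the standard library so this runs offline; the
stix2 library produces the same JSON shapes.
"""
import ipaddress
import json
import uuid
from datetime import datetime, timezone

# Assumed namespace for stable IDs; any fixed UUID works as long as it never changes.
FEED_NAMESPACE = uuid.UUID("6ba7b810-9dad-11d1-80b4-00c04fd430c8")


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def make_indicator(ip, description, labels, created=None):
    """Return a STIX 2.1 Indicator SDO for one IPv4 address.

    Raises ValueError for anything that is not a valid IPv4 address, so a
    garbled log field never becomes a pattern that blocks nothing (or everything).
    STIX 2.1 recommends UUIDv4 for SDOs but permits v5; v5 keeps the ID stable
    across feed regenerations so consumers update instead of duplicating.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError(f"expected an IPv4 address, got {ip}")
    ts = created or _now()
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid5(FEED_NAMESPACE, f'ipv4:{addr}')}",
        "created": ts,
        "modified": ts,
        "name": f"WordPress login scanner {addr}",
        "description": description,
        "indicator_types": ["malicious-activity"],
        "pattern": f"[ipv4-addr:value = '{addr}']",
        "pattern_type": "stix",
        "valid_from": ts,
        "labels": list(labels),
    }


def make_bundle(indicators):
    """Wrap indicators in a STIX 2.1 Bundle; bundles carry no spec_version field."""
    return {
        "type": "bundle",
        "id": f"bundle--{uuid.uuid4()}",
        "objects": list(indicators),
    }


if __name__ == "__main__":
    # The two addresses from the post; AS62240 is the ASN the post attributes them to.
    seen = "2025-12-13T09:26:31.000Z"  # constructed timestamp matching the capture time
    objs = [
        make_indicator("81.199.26.7", "Recon GET /wp-login.php, AS62240 Clouvider",
                       ["wordpress-scanner", "proxy-rotation"], created=seen),
        make_indicator("85.203.15.182", "Credential POST /wp-login.php, AS62240 Clouvider",
                       ["wordpress-scanner", "proxy-rotation"], created=seen),
    ]
    print(json.dumps(make_bundle(objs), indent=2))
```

Consumers such as a TAXII or Sentinel connector key on the `id` field, so the deterministic ID is what lets a later export with a bumped `modified` timestamp replace the earlier record rather than sit beside it.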


The attacker's operational security was actually decent—proxy rotation, spoofed mobile User-Agent, proper browser flow mimicry. But none of that matters when your infrastructure is already burned across multiple threat intelligence platforms.


The Real Message


To whoever typed "Is it me you're looking for?"—yes, it was. And now we have your receipt.


To defenders: run honeypots. Share IOCs. Subscribe to threat intelligence feeds. The more we collaborate, the smaller the internet gets for attackers.


To Lionel Richie: sorry your lyrics are being used for WordPress brute-forcing. You deserve better.




*DugganUSA LLC operates threat intelligence infrastructure including honeypots, STIX feeds, and automated IOC enrichment. Our feeds are consumed by enterprises including Microsoft Sentinel. If you're seeing your IP in this post, consider a career change.*



• 81.199.26.7 (AS62240 - Clouvider)

• 85.203.15.182 (AS62240 - Clouvider)



Get Free IOCs

Subscribe to our threat intelligence feeds for free, machine-readable IOCs:

AlienVault OTX: https://otx.alienvault.com/user/pduggusa

STIX 2.1 Feed: https://analytics.dugganusa.com/api/v1/stix-feed

