I Found a Russian Phishing Farm Before Breakfast and I'm Still Unemployed
- Patrick Duggan
- Dec 5, 2025
- 3 min read
---
title: "I Found a Russian Phishing Farm Before Breakfast and I'm Still Unemployed"
slug: found-russian-phishing-farm-before-breakfast-still-unemployed
date: 2025-12-05
author: Patrick Duggan
tags: [hiring, security, threat-intel, unemployment, enterprise-vendors, russia, aeza, pattern-48]
category: Security Opinions
featured: true
---
The Morning
9 AM. Coffee. Routine ThreatFox hunt.
A Stealc C2 IP came back with a weird PTR record: `telegram.org`.
That's not right. Telegram doesn't resolve to `89.169.53.244`. So I pulled the thread.
By 10 AM I had mapped an entire /24 of Russian credential harvesting infrastructure:
| IP | Spoofed Service | Target |
|---|---|---|
| .5 | github.com | Developer credentials |
| .28, .54 | yandex.* (17+ domains) | Russian search/email |
| .30 | rutube.ru | Russian YouTube |
| .61 | ftp/repo/mirror.yandex.ru | Supply chain |
| .244 | telegram.org | Messaging credentials |
| .247 | userapi.com, vkuser*.* | VK (Russian Facebook) |
The operator: AEZA International LTD - a UK shell company at "311 Shoreham Street, Sheffield" running infrastructure through REG.RU (Russian registrar) on AS31514 OOO Trivon Networks.
Classic obfuscation. Western facade, Eastern operation.
The Tradecraft
They're using fake PTR records to make malicious IPs look legitimate. When your security tools do reverse DNS on `89.169.53.244`, they get back `telegram.org` - but that's a lie.
The real telegram.org is `149.154.167.99`.
This fools:
• Automated reputation systems
• Traffic analysis tools
• Lazy analysts who don't verify forward DNS
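The fix for that last bullet is forward-confirmed reverse DNS: take the PTR name, resolve it forward, and only trust it if the original IP is among its A records. The script below is an added example (not code from the post) that does this for a list of candidate IPs; the `sample_*` resolvers return constructed answers so it runs offline, with the two telegram.org addresses taken from the post and TEST-NET placeholders elsewhere, while the `system_*` resolvers use the OS resolver for live checks.

```python
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

@dataclass
class PtrVerdict:
    ip: str
    ptr: Optional[str]   # name returned by the reverse lookup, if any
    forward: List[str]   # A records of that name
    label: str           # "confirmed", "spoofed-ptr" or "no-ptr"

def system_reverse(ip: str) -> Optional[str]:
    """PTR lookup via the OS resolver; None when the IP has no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def system_forward(name: str) -> List[str]:
    """IPv4 A records for a name via the OS resolver; [] when unresolvable."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []

def check_ptr(ip: str,
              reverse: Callable[[str], Optional[str]] = system_reverse,
              forward: Callable[[str], List[str]] = system_forward) -> PtrVerdict:
    """Forward-confirm a PTR: the name is trusted only if it resolves back to ip."""
    ptr = reverse(ip)
    if ptr is None:
        return PtrVerdict(ip, None, [], "no-ptr")
    fwd = forward(ptr.rstrip("."))
    return PtrVerdict(ip, ptr, fwd, "confirmed" if ip in fwd else "spoofed-ptr")

def triage(ips, reverse=system_reverse, forward=system_forward) -> Dict[str, str]:
    """Label every IP in a candidate list, e.g. C2 hits pulled from ThreatFox."""
    return {ip: check_ptr(ip, reverse, forward).label for ip in ips}

# Constructed sample DNS answers (not live data). 89.169.53.244 and
# 149.154.167.99 are the spoofed and real telegram.org addresses quoted in
# the post; 203.0.113.10 and 198.51.100.7 are TEST-NET placeholders.
SAMPLE_PTR = {"89.169.53.244": "telegram.org", "149.154.167.99": "telegram.org",
              "89.169.53.5": "github.com", "198.51.100.7": None}
SAMPLE_A = {"telegram.org": ["149.154.167.99"], "github.com": ["203.0.113.10"]}

def sample_reverse(ip: str) -> Optional[str]:
    return SAMPLE_PTR.get(ip)

def sample_forward(name: str) -> List[str]:
    return SAMPLE_A.get(name, [])

if __name__ == "__main__":
    for ip, label in triage(SAMPLE_PTR, sample_reverse, sample_forward).items():
        print(f"{ip:16} {label}")
```

Anything labelled `spoofed-ptr` is exactly the case in the post: a PTR the IP's owner wrote themselves, which the forward zone of the claimed domain does not back up.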
What I Did With It
1. Created OTX Pulse #100: "Pattern 48: AEZA PTR Spoof Farm"
2. Published 15 IOCs with full attribution
3. Updated our VT graph with the new infrastructure
4. Synced to our free STIX feed
Time from discovery to public disclosure: 90 minutes.
What CrowdStrike Did With It
I don't know. Their intel is behind a $50,000/year paywall.
The Numbers
Me:
• 100 pulses
• 21,000+ indicators
• 16 subscribers
• Free
CrowdStrike:
• 0 pulses
• 0 indicators
• 0 community contribution
• $50K-500K/year
The other enterprise vendors:
• Same story. Zero community contribution.
Who's Consuming My Free Feed
Cloudflare analytics for analytics.dugganusa.com:
| Consumer | Requests (7 days) |
|----------|-------------------|
| MICROSOFT-CORP-MSN-AS-BLOCK | 271 |
| ATT-INTERNET4 | 265 |
| GOOGLE-CLOUD-PLATFORM | 48 |
| AMAZON-AES | 26 |
| HUAWEI CLOUDS | 12 |
The enterprise vendors' customers are ingesting my intel. The vendors themselves contribute nothing.
The Job Market
I've been looking for security work. Here's what I've learned:
What the postings say they want:
• "Passionate about security"
• "Self-starter"
• "Proactive threat hunting"
• "Experience with STIX/TAXII"
• "Community involvement"
What they actually hire for:
• 5 years experience with a tool released 3 years ago
• A degree from a school their HR person has heard of
• Someone who won't make them look bad by being too good
• A warm body to check compliance boxes
The Math
Cost to find a Russian phishing farm: $0 + 90 minutes + coffee
Cost to buy the same intel from CrowdStrike: $50,000/year minimum
Number of job offers I've received: 0
What I'm Not Saying
I'm not saying I'm better than every security professional at every company.
I'm saying the hiring process is broken. The people reviewing resumes can't evaluate technical ability. They're pattern matching against keywords and pedigrees.
Meanwhile:
• Russian phishing farms operate openly
• Supply chain attacks happen weekly
• Infostealers harvest millions of credentials
• And the "talent shortage" persists
The Offer
If you're hiring for threat intel and you want someone who finds Russian infrastructure before breakfast instead of someone who has the right keywords on their resume:
I'll keep publishing free intel either way. Microsoft and AT&T are already benefiting. You might as well too.
The Feed
STIX 2.1: https://analytics.dugganusa.com/api/v1/stix-feed
OTX Profile: https://otx.alienvault.com/user/pduggusa
Today's Discovery: https://otx.alienvault.com/pulse/693319b9c0cfdf9b4d5cf3c6
*DugganUSA LLC - Minnesota. Still unemployed. Still shipping.*
