
One Actor, Six Platforms, 260 Domains: Anatomy of an Automated Phishing Farm

  • Writer: Patrick Duggan
  • Dec 19, 2025
  • 3 min read

Our automated feed harvesting caught something interesting this week: a coordinated phishing campaign abusing free-tier cloud platforms at industrial scale. By the time major threat feeds reported them as "live," they were already burned. Here's what we found.


The Discovery


On December 18-19, 2025, our PreCog threat intelligence system flagged 260 indicators of compromise (IOCs) sharing a suspicious pattern: sequential domain names hosted across multiple cloud platforms.


The pattern: `openopenbox301.vercel.app`, `openopenbox302.vercel.app`, `openopenbox303.vercel.app`... and so on.


But here's where it gets interesting. The same naming convention appeared simultaneously on:



• Vercel (openopenbox301-309)

• Netlify (openopenbox310-313)

• Firebase/web.app (openopenbox310-313)

• GitHub Pages (openopenbox310-313)

• Heroku (openopenbox310-313)

• Glitch (openopenbox310-313)


One actor. Six platforms. Same automation script.


The Targets


These weren't random phishing attempts. The campaign included brand-specific credential harvesters:



• `bank-of-america-login.vercel.app` - Financial institution targeting

• `walliet-ledger-login.vercel.app` - Crypto wallet phishing (note the typosquat)

• `amazonclone-two-gamma.vercel.app` - E-commerce credential theft

• `rackspacliningsmaservico.vercel.app` - Enterprise cloud targeting

• `spotify-clone-theta-hazel.vercel.app` - Consumer service harvesting


The diversity of targets suggests either a phishing-as-a-service operation or a kit that comes pre-loaded with multiple brand templates.


The Automation Fingerprint


How do we know this was automated? Three telltale signs:


1. Sequential Numbering


Humans don't name things `openopenbox307`. That's a loop variable. Someone wrote code like:



```javascript
// The author's sketch of the attacker's loop: deployPhishingKit and platform
// are illustrative stand-ins, not recovered code from the campaign.
for (let i = 301; i < 320; i++) {
  deployPhishingKit(`openopenbox${i}`, platform);
}
```


2. Multi-Platform Simultaneous Deployment


The same pattern appearing across six platforms within the same time window means the actor has deployment scripts for multiple PaaS CLIs. Vercel, Netlify, and Firebase all have similar CLI interfaces - easy to automate.


3. Burn Rate


Active December 18-19. All returning 404 by December 20. That's a 24-48 hour operational window before rotating to the next batch. Too fast for manual operation.


The Technical Insight: Vercel Wildcard DNS


During our investigation, we discovered something useful for threat hunters: Vercel uses wildcard DNS.


Every `*.vercel.app` subdomain resolves to Vercel's infrastructure, regardless of whether the project exists. This means you cannot enumerate active phishing sites by DNS resolution alone. The phishing domains and random garbage like `xyzabc123nonsense.vercel.app` both resolve to valid IPs.


The tell is the HTTP response. Active phishing sites return 200. Burned or non-existent projects return 404.


Detection rule implication: DNS-based blocklists are insufficient for Vercel-hosted threats. You need HTTP-layer validation.
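An added example, not from the post or from PreCog, of the HTTP-layer validation described above: DNS resolution and HTTP status are separate, injectable steps, so the same classifier can be exercised offline with stubs. The `SAMPLE_HOSTS` list is constructed for illustration.

```python
import socket
import urllib.error
import urllib.request

# Constructed sample input (not the post's IOC list): two names in the
# campaign's pattern, a nonsense name that wildcard DNS still resolves,
# and a name under the reserved .invalid TLD that never resolves.
SAMPLE_HOSTS = [
    "openopenbox301.vercel.app",
    "openopenbox307.vercel.app",
    "xyzabc123nonsense.vercel.app",
    "never-resolves.invalid",
]

def resolves(host):
    """DNS check. Under *.vercel.app wildcard DNS this is True for every
    name, so on its own it says nothing about whether a project is live."""
    try:
        socket.gethostbyname(host)
        return True
    except socket.gaierror:
        return False

def http_status(host, timeout=5):
    """GET https://host/ and return the status code; burned or missing
    Vercel projects answer 404 rather than failing DNS."""
    req = urllib.request.Request(f"https://{host}/")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def classify(hosts, resolve=resolves, status=http_status):
    """Label each host 'unresolved' (no DNS answer), 'active' (HTTP 200),
    'burned' (HTTP 404) or 'other-<code>'. The resolver and the status
    fetcher are injectable so the logic can run offline against stubs."""
    labels = {}
    for host in hosts:
        if not resolve(host):
            labels[host] = "unresolved"
            continue
        code = status(host)
        labels[host] = {200: "active", 404: "burned"}.get(code, f"other-{code}")
    return labels

def active_only(hosts, **checks):
    """Hosts worth blocking right now: DNS resolves and HTTP answers 200."""
    return sorted(h for h, lab in classify(hosts, **checks).items() if lab == "active")
```

Run against live hosts, `classify(SAMPLE_HOSTS)` uses real DNS and HTTPS; the point of the stubs is that the nonsense name and the real one are indistinguishable at the DNS step and only separate at the HTTP step.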


What This Means for Defenders


Free Tier Abuse is Systemic


Every platform offering free hosting with automatic SSL becomes potential phishing infrastructure:



• Instant deployment (no approval process)

• Free SSL certificates (green padlock = legitimacy)

• Trusted domains (users recognize vercel.app, netlify.app)

• No cost to attackers (burn and rotate freely)


Detection Windows are Shrinking


Our PreCog system caught these IOCs while OpenPhish was still reporting them as "live" - hours after they'd already been taken down. Threat intelligence that's 24 hours old is often useless against these campaigns.


Naming Patterns are Intel


Sequential numbering, clone-suffix patterns (like `-two-gamma`), and typosquats are automation artifacts. They're fingerprints that can help cluster activity to single actors.
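An added example, not from the post or from PreCog, of turning the sequential-numbering fingerprint into clustering code: it groups hosts whose leftmost label ends in a number by prefix and platform, collapses the numbers into runs, and reports prefixes that appear on more than one platform. The `SAMPLE` list is constructed from the post's naming pattern.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the post's list: one numbered prefix spread
# across three platforms, plus two brand-named hosts with no trailing number.
SAMPLE = [
    "openopenbox301.vercel.app", "openopenbox302.vercel.app", "openopenbox303.vercel.app",
    "openopenbox310.netlify.app", "openopenbox311.netlify.app",
    "openopenbox310.web.app", "openopenbox311.web.app",
    "bank-of-america-login.vercel.app",
    "spotify-clone-theta-hazel.vercel.app",
]

# Leftmost label ending in digits: <prefix><num>.<platform>
NUMBERED = re.compile(r"^(?P<prefix>[a-z0-9-]*?[a-z-])(?P<num>\d+)\.(?P<platform>.+)$")

def cluster_sequential(hosts):
    """Group numbered hosts as prefix -> platform -> sorted numbers.
    Hosts without a trailing number (the brand-name lookalikes) are skipped."""
    clusters = defaultdict(lambda: defaultdict(list))
    for host in hosts:
        m = NUMBERED.match(host.lower())
        if m:
            clusters[m["prefix"]][m["platform"]].append(int(m["num"]))
    return {p: {plat: sorted(n) for plat, n in plats.items()} for p, plats in clusters.items()}

def runs(numbers):
    """Collapse sorted numbers into (start, end) runs; a long run with no gaps
    is the loop-variable signature the post describes."""
    out = []
    for n in numbers:
        if out and n == out[-1][1] + 1:
            out[-1] = (out[-1][0], n)
        else:
            out.append((n, n))
    return out

def multi_platform_prefixes(hosts, min_platforms=2):
    """Prefixes deployed on at least min_platforms platforms in the same
    batch: the 'one actor, one script' signal."""
    return sorted(p for p, plats in cluster_sequential(hosts).items() if len(plats) >= min_platforms)
```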


IOCs


For defenders who want to block proactively, here are the confirmed malicious domains from this campaign:





These are now offline, but the pattern will repeat with new numbers.


The Bottom Line


Automated phishing infrastructure is outpacing manual takedown processes. The platforms are playing whack-a-mole while attackers have industrialized the mole-spawning.


The defenders who win are the ones with feeds fast enough to catch the moles mid-spawn - not the ones reading about it 48 hours later.


That's why we built PreCog. And that's why we share what we find.




*Want real-time threat intelligence? Subscribe to our feeds - they're free and machine-readable.*



Get Free IOCs

Subscribe to our threat intelligence feeds for free, machine-readable IOCs:

AlienVault OTX: https://otx.alienvault.com/user/pduggusa

STIX 2.1 Feed: https://analytics.dugganusa.com/api/v1/stix-feed

