One IP. One Script. 100,000 Requests. Who Is Polling Our STIX Feed From the Space Coast?
- Patrick Duggan
On February 7, 2026, someone started polling our STIX/TAXII threat intelligence endpoint. Every 30 seconds. From an AT&T Wireless mobile device. Geolocated to Titusville, Florida — twenty miles from Kennedy Space Center.
They have not stopped.
As of today, April 12, we have logged over 100,000 requests from a single IP hash. Every request hits the same path: /api/v1/stix-feed/collections/idkkk/objects/. Every request gets a 403. Every request comes from the same user agent: axios/1.12.0. No other IP has ever hit our /collections/ endpoint. This is not a scanner. This is one actor, one script, one target.
The collection name "idkkk" does not exist. We never created it. It is not a valid UUID, which is what TAXII 2.1 expects for collection identifiers. It is a string someone chose and hardcoded into a custom polling script.
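As an added example, not code from the post or from the author's own infrastructure: a detector over page_view-style records (the fields the post lists, IP hash, user agent, path and status code, plus a timestamp) that checks the collection id against the TAXII 2.1 UUID rule and profiles each (IP hash, path) pair for the fixed cadence, single user agent and unbroken 403s described above. The sample records are constructed.

```python
"""Added example (not the post's code): profile sustained polling of a TAXII objects path."""
import re
import statistics
import uuid
from collections import defaultdict
from datetime import datetime, timedelta

COLLECTION_RE = re.compile(r"/collections/([^/]+)/objects/?$")

def collection_id(path):
    """Return the collection id segment of a TAXII objects path, or None."""
    return m.group(1) if (m := COLLECTION_RE.search(path)) else None

def is_taxii_identifier(value):
    """TAXII 2.1 collection ids are RFC 4122 UUIDs in canonical hyphenated form."""
    try:
        return str(uuid.UUID(value)).lower() == value.lower()
    except (ValueError, AttributeError, TypeError):
        return False

def profile_polling(records, min_requests=20):
    """One finding per (ip_hash, path) seen >= min_requests times; rows carry ts, ip_hash, user_agent, path, status."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["ip_hash"], r["path"])].append(r)
    findings = []
    for (ip_hash, path), rows in groups.items():
        if len(rows) < max(min_requests, 2):  # need at least two hits to measure a cadence
            continue
        rows.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(rows, rows[1:])]
        agents = sorted({r["user_agent"] for r in rows})
        denied = sum(r["status"] in (401, 403) for r in rows) / len(rows)
        bad_id = (cid := collection_id(path)) is not None and not is_taxii_identifier(cid)
        findings.append({
            "ip_hash": ip_hash, "path": path, "requests": len(rows),
            "user_agents": agents, "cadence_s": statistics.median(gaps),
            "denied_ratio": denied, "invalid_collection_id": bad_id,
            # Verdict: one client, always denied, hitting a made-up collection id.
            "hardcoded_poller": len(agents) == 1 and denied >= 0.95 and bad_id})
    return findings

def constructed_sample():
    """Constructed records, not real logs: a 30 s poller plus one normal client."""
    t0, poll = datetime(2026, 2, 7), "/api/v1/stix-feed/collections/idkkk/objects/"
    rows = [{"ts": t0 + timedelta(seconds=30 * i), "ip_hash": "h_poller", "status": 403,
             "user_agent": "axios/1.12.0", "path": poll} for i in range(40)]
    rows.append({"ts": t0, "ip_hash": "h_other", "user_agent": "curl/8.0", "status": 200,
                 "path": "/api/v1/stix-feed/collections/%s/objects/" % uuid.uuid4()})
    return rows
```

Run against real page_view exports, the `hardcoded_poller` verdict is what you alert on; `cadence_s` and `denied_ratio` are there so an analyst can see why.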
Here is what we know. Here is what we do not know. Here are the questions we are asking publicly because the answers matter.
## What we know
The IP resolves to 108-219-97-19.lightspeed.dybhfl.sbcglobal.net. AT&T Enterprises, AS7018. The carrier classification is AT&T Wireless — MCC 310, MNC 410. This is a mobile device or cellular hotspot, not a fixed-line residential connection. The "dybhfl" node code is Daytona Beach, Florida. More precise geolocation places the IP in Titusville, FL, postal code 32781, Brevard County.
Brevard County is home to Kennedy Space Center, Cape Canaveral Space Force Station, Patrick Space Force Base, and the most active commercial spaceport on Earth. SpaceX, Lockheed Martin, Boeing, Northrop Grumman, and L3Harris all have operations there. Vanity Fair published a feature in April 2026 titled "Spylandia" documenting sustained foreign intelligence operations in this exact corridor. The FBI has been opening China-related counterintelligence cases at a rate of roughly one every ten hours nationally, with the Space Coast as a priority region. Between 2022 and 2025, multiple Chinese nationals were arrested for drone surveillance of Kennedy Space Center and Cape Canaveral, including one individual discovered in a wetsuit inside the KSC security perimeter with specialized equipment.
The string "idkkk" is a GitHub username. The account belongs to a developer who lists their employer as Alibaba Group and their location as Beijing, China. The account was created in 2011 and has been largely dormant since 2018, with 13 forked repositories — all Java and Scala libraries from Square and Twitter. Standard backend developer profile.
That same developer operates a second, active account created in April 2025. This account runs a Chinese-language AI tools blog. The blog covers Claude Code, OpenCode, LLM benchmarks, and AI agent frameworks. On March 31, 2026 — during the active polling window — this account forked a repository containing leaked Claude Code source code. A configuration file on the blog site contains a copy-paste error that references the "idkkk" username, cross-confirming that both accounts belong to the same person.
No other GitHub user or published TAXII client library uses "idkkk" as a collection identifier. The string does not appear in any OASIS TAXII 2.1 test suite, SDK, or reference implementation.
The IP has zero reports on AbuseIPDB, zero exposure on Shodan, is not a Tor exit node, is not flagged as a VPN or proxy, and does not appear in any public threat feed. It is operationally clean.
## What we do not know
We do not know whether the person behind the GitHub accounts is physically located in Titusville, Florida or is routing traffic through a VPN, corporate proxy, or US-based cloud instance. The AT&T Wireless carrier classification could indicate a physical mobile device or a cloud-hosted cellular modem. We cannot determine physical location from network data alone.
We do not know why this script has run for 65 consecutive days against an endpoint that returns 403 on every request. A forgotten test script would be plausible if it ran for a week. Sixty-five days of continuous polling with zero success suggests either no one is monitoring the script's output, or the persistence is intentional.
We do not know whether Alibaba Group operates automated TAXII polling infrastructure that could explain this traffic as corporate threat intelligence collection. If it does, the use of an employee's personal GitHub username as the collection identifier would be an unusual OPSEC choice.
We do not have a TLS fingerprint (JA3 hash) for the connection. Our edge infrastructure does not currently log JA3 data. A TLS fingerprint would identify the exact Node.js version and TLS library configuration, which could be matched against known tooling.
We do not have code fingerprints — the actual source code of the polling script. Without it, the connection between the GitHub username and the TAXII collection name is a correlation, not an attribution.
## What we blocked
As of today, the path /api/v1/stix-feed/collections/idkkk/objects/ returns HTTP 410 Gone. The response body says: "This collection does not exist and never did."
No data was ever exfiltrated. Our authentication held on every one of the 100,000+ requests.
## The questions
We are publishing this because the intersection of facts raises questions that deserve to be asked in the open.
Why is a mobile device in the Kennedy Space Center corridor polling a threat intelligence feed that tracks nation-state IOCs — including Chinese APT infrastructure — every 30 seconds for 65 days?
Why does the collection name in the polling script match the GitHub username of a Beijing-based developer at one of China's largest technology companies?
Why is that same developer actively researching Claude Code and AI agent frameworks during the exact window the polling is occurring?
Is there a legitimate explanation — a forgotten test script, a misconfigured TAXII client, an Alibaba corporate intelligence collection tool that happens to use an employee's handle? If so, we would welcome that explanation. Our contact is [email protected]. We will update this post with any response received.
Is there a concerning explanation — an individual affiliated with a Chinese technology company operating intelligence collection infrastructure from the most surveilled foreign intelligence corridor in the continental United States? If so, the FBI Orlando field office and the Central Florida Intelligence Exchange (CFIX) are the appropriate points of contact. Our evidence package is available to law enforcement on request.
We are a two-person threat intelligence company. We do not have subpoena power. We do not have access to AT&T subscriber records. We do not have classified intelligence about foreign intelligence operations on the Space Coast. What we have is 100,000 logged requests, a GitHub username that matches a collection name, a cross-confirmed identity, and a geographic coincidence that the FBI, DCSA, and Vanity Fair have all independently documented as significant.
We are asking the questions because that is what threat intelligence is for.
## The evidence
Every claim in this post is verifiable.
The page_view records are in our Meilisearch index, timestamped, with IP hash, user agent, ASN, path, and status code. The GitHub accounts are public. The cross-confirmation via the configuration file copy-paste error is reproducible. The Vanity Fair "Spylandia" reporting is published. The FBI arrest records for Chinese nationals at Kennedy Space Center are public court documents.
The investigation folder is maintained internally. If you are a law enforcement agency, intelligence analyst, or threat researcher with relevant information, contact [email protected] with subject line "spylandia" and we will share the full evidence package.
If you are xiajinxin, we have one question: why?
— Patrick
Search our feed: analytics.dugganusa.com/api/v1/search?q=AS7018
Register for a free API key: analytics.dugganusa.com/stix/register