OSINT: Where ICE's Surveillance Vendors Actually Live
- Patrick Duggan
- Jan 13
- 4 min read
The Question
ICE spent $28.7 billion on surveillance technology this year. We know what they bought - phone tracking, location data, device forensics, social media monitoring. But where does all this infrastructure actually run?
We did the OSINT. The answer is surprisingly homogeneous.
The Architecture
```mermaid
flowchart TB
    subgraph AWS["AWS us-east-1 (Virginia)"]
        subgraph Gravy["Gravy Analytics (BREACHED)"]
            G_ELB[gravy-data-api-lb\nus-east-1.elb.amazonaws.com]
            G_S3[(S3 Buckets\n17TB EXFILTRATED)]
        end
        subgraph Babel["Babel Street"]
            B_ELB[app-app-1533153096\nus-east-1.elb.amazonaws.com]
            B_API[API Gateway\nexecute-api.us-east-1]
        end
        subgraph Cellebrite["Cellebrite"]
            C_CF[CloudFront CDN]
            C_ACM[Amazon RSA Certs]
        end
        subgraph Paragon["Paragon Solutions"]
            P_EC2[EC2: 54.237.57.21]
        end
    end
    ICE[ICE / DHS] --> AWS
    style G_S3 fill:#ff6b6b,color:#fff
    style AWS fill:#ff9900,color:#000
```
Four of ICE's major surveillance vendors - representing billions in contracts - all running in the same AWS region.
Vendor-by-Vendor Breakdown
Gravy Analytics / Venntel (Location Data)
Contract value: $2M+
Status: BREACHED - 17TB exfiltrated January 2025
```mermaid
flowchart LR
    subgraph Frontend
        HubSpot[HubSpot CMS\n199.60.103.x]
        Webflow[Webflow\nvenntel.com]
    end
    subgraph Backend
        ELB[AWS ELB\nus-east-1]
        S3[(S3 Buckets\nCOMPROMISED)]
    end
    subgraph Email
        GSuite[Google Workspace\naspmx.l.google.com]
    end
    Frontend --> Backend
    Backend --> S3
    style S3 fill:#ff0000,color:#fff
```
Main site: HubSpot hosted
Venntel: Webflow
API: gravy-data-api-lb-697972304.us-east-1.elb.amazonaws.com
Email: Google Workspace
The breach: Russian hackers gained root access to servers and S3 buckets. The ELB-to-S3 layout shown above is the exact infrastructure pattern that got them owned.
Babel Street (Locate X Tracking)
Contract value: $3M
Status: Operational, lawsuit pending
```mermaid
flowchart LR
    subgraph Frontend
        Vercel[Vercel\nvercel-dns-016.com]
    end
    subgraph Backend["AWS us-east-1"]
        ELB[ELB\napp-app-1533153096]
        APIGW[API Gateway\nd-v2lec069uc.execute-api]
    end
    subgraph Email
        O365[Microsoft 365\nprotection.outlook.com]
    end
    Frontend --> Backend
    style Backend fill:#ff9900
```
Frontend: Vercel (Let's Encrypt cert)
App: app-app-1533153096.us-east-1.elb.amazonaws.com
API: d-v2lec069uc.execute-api.us-east-1.amazonaws.com
Email: Microsoft 365
Notable: Using AWS API Gateway for their tracking API - standard serverless pattern.
Cellebrite (Phone Forensics)
Contract value: $11M
Status: Software leaked, zero-days exposed
```mermaid
flowchart LR
    subgraph CDN["AWS CloudFront"]
        CF[CloudFront\n13.227.87.x]
    end
    subgraph Certs
        ACM[Amazon Certificate Manager\nRSA 2048 M01]
    end
    subgraph Email
        Proofpoint[Proofpoint\npphosted.com]
    end
    CDN --> ACM
    style CDN fill:#ff9900
```
Frontend: AWS CloudFront (13.227.87.x range)
SSL: Amazon-issued certificates
Email: Proofpoint (enterprise email security)
1Password (password management)
DocuSign (contracts)
Microsoft integration
Paragon Solutions (Graphite Spyware)
Contract value: $2M
Status: Controversial but no known breach
```mermaid
flowchart LR
    subgraph Minimal["Minimal Footprint"]
        EC2[Single EC2\n54.237.57.21]
    end
    subgraph Security
        SPF[SPF: -all\nNo email allowed]
    end
    style Minimal fill:#333,color:#fff
```
Single IP: 54.237.57.21 (AWS EC2 us-east-1)
SPF record: -all (the domain authorizes no senders at all, so any message claiming to come from it fails SPF - no spoofing possible)
Minimal public footprint
Analysis: Paragon runs lean. Single EC2 instance, locked-down email, minimal DNS exposure. The spyware vendor has better OPSEC than the location data vendors.
PenLink (Webloc/Tangles)
Contract value: $5M
```mermaid
flowchart LR
    subgraph Frontend
        WPE[WP Engine\nwpeproxy.com]
    end
    subgraph Email
        Mimecast[Mimecast\nus-smtp-inbound]
    end
    subgraph SaaS["SaaS Stack"]
        SF[Salesforce]
        Pardot[Pardot]
        Cisco[Cisco]
        HIBP[Have I Been Pwned ✓]
    end
    Frontend --> SaaS
```
have-i-been-pwned-verification - They're monitoring whether their domains appear in breaches
Salesforce + Pardot (sales/marketing)
Cisco integration
Amazon SES for transactional email
Analysis: PenLink has HIBP verification set up. They're at least checking if they've been breached. Points for self-awareness.
ShadowDragon (Social Media Intel)
Contract value: $4.2M
```mermaid
flowchart LR
    subgraph Frontend
        CF[Cloudflare\n104.26.x.x]
    end
    subgraph App
        Direct[Direct IP\n65.181.116.35]
    end
    subgraph AI["AI Integration"]
        OpenAI[OpenAI\nGPT Integration]
    end
    subgraph SaaS
        HubSpot[HubSpot]
        Atlassian[Atlassian]
    end
    Frontend --> App
    App --> AI
    style AI fill:#10a37f,color:#fff
```
openai-domain-verification - They're using GPT in their OSINT platform
HubSpot (marketing)
Atlassian (project management)
Analysis: ShadowDragon has OpenAI domain verification. Their social media surveillance tool is AI-powered. Interesting implications for the accuracy and scale of their analysis.
The Complete Picture
```mermaid
flowchart TB
    ICE[ICE / DHS\n$28.7B Budget] --> Contracts
    subgraph Contracts["Surveillance Contracts"]
        Gravy[Gravy/Venntel\n$2M - BREACHED]
        Babel[Babel Street\n$3M]
        Cellebrite[Cellebrite\n$11M - LEAKED]
        Paragon[Paragon\n$2M]
        PenLink[PenLink\n$5M]
        Shadow[ShadowDragon\n$4.2M]
    end
    subgraph Infra["Infrastructure"]
        AWS[AWS us-east-1]
        Cloudflare[Cloudflare]
        Vercel[Vercel]
        WPEngine[WP Engine]
    end
    Gravy --> AWS
    Babel --> AWS
    Cellebrite --> AWS
    Paragon --> AWS
    PenLink --> WPEngine
    Shadow --> Cloudflare
    style Gravy fill:#ff0000,color:#fff
    style Cellebrite fill:#ff6b6b,color:#fff
    style AWS fill:#ff9900,color:#000
```
Key Findings
1. Concentration Risk
Four major vendors in the same AWS region. A regional outage, a targeted attack on AWS us-east-1, or a legal action against Amazon could impact multiple surveillance capabilities simultaneously.
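The concentration check behind this finding, as an added example that is not code from the post: it maps the DNS targets an OSINT pass turns up (ELB, API Gateway, CloudFront, Vercel, WP Engine hostnames) to a cloud and region, then reports every cloud/region cell shared by two or more vendors. The vendor inventory is constructed and the suffix patterns are assumptions; global services such as CloudFront land in a region-less cell.

```python
"""Map DNS targets to hosting provider/region and flag concentration, the
check behind the 'four vendors in one AWS region' finding. The inventory
below is constructed and the suffix patterns are assumptions."""
import re
from collections import defaultdict

# (regex over the CNAME/ELB target, cloud, service, regex group holding the region)
PROVIDER_PATTERNS = [
    (r"\.([a-z]{2}-[a-z]+-\d)\.elb\.amazonaws\.com$", "AWS", "ELB", 1),
    (r"\.execute-api\.([a-z]{2}-[a-z]+-\d)\.amazonaws\.com$", "AWS", "API Gateway", 1),
    (r"\.cloudfront\.net$", "AWS", "CloudFront", None),
    (r"^vercel-dns-\d+\.com$", "Vercel", "Edge", None),
    (r"\.wpeproxy\.com$", "WP Engine", "Proxy", None),
]

def classify(target):
    """Return (cloud, service, region) for a DNS target; region is None when
    the service is global or the target is unrecognised."""
    host = target.lower().rstrip(".")
    for pattern, cloud, service, group in PROVIDER_PATTERNS:
        m = re.search(pattern, host)
        if m:
            return cloud, service, (m.group(group) if group else None)
    return "unknown", "unknown", None

def concentration(inventory, threshold=2):
    """Group vendors by (cloud, region) and return the cells hosting at least
    `threshold` distinct vendors, largest first: the shared-fate blast radius."""
    cells = defaultdict(set)
    for vendor, target in inventory:
        cloud, _service, region = classify(target)
        cells[(cloud, region)].add(vendor)
    hot = {k: sorted(v) for k, v in cells.items() if len(v) >= threshold}
    return dict(sorted(hot.items(), key=lambda kv: -len(kv[1])))

# Constructed inventory: (vendor, DNS target of its app or API hostname)
SAMPLE_INVENTORY = [
    ("vendor-a", "data-api-lb-123456.us-east-1.elb.amazonaws.com"),
    ("vendor-b", "app-app-654321.us-east-1.elb.amazonaws.com"),
    ("vendor-b", "d-abcd123456.execute-api.us-east-1.amazonaws.com"),
    ("vendor-c", "d111111abcdef.cloudfront.net"),
    ("vendor-d", "vercel-dns-016.com"),
    ("vendor-e", "vendor-e.wpeproxy.com"),
    ("vendor-f", "mail.vendor-f.invalid"),
]
```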
2. The Gravy Pattern
ELB frontend
S3 backend storage
Root access achieved
The other vendors using similar patterns should take note.
3. Email Security Spectrum
| Vendor | Email Security | Rating |
|---|---|---|
| Paragon | SPF -all (no email) | Locked down |
| Cellebrite | Proofpoint | Enterprise |
| PenLink | Mimecast | Enterprise |
| Babel Street | Microsoft 365 | Standard |
| Gravy/Venntel | Google Workspace | Standard |
| ShadowDragon | Google Workspace | Standard |
4. SaaS Sprawl
Salesforce, HubSpot, Pardot (sales/marketing)
Atlassian, DocuSign (operations)
1Password (credentials)
OpenAI (AI-powered analysis)
Each integration is a potential attack surface.
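How the email-security spectrum and the SaaS footprint above fall out of a domain's public MX and TXT records (the same records the dig-based enumeration at the end of the post pulls), as an added example rather than the author's tooling: it rates the SPF record, names the mail provider from the MX target, and lists the third parties whose domain-verification TXT records are present. Sample records are constructed; the MX suffix and TXT prefix tables are assumed mappings.

```python
"""Derive email posture and SaaS footprint from a domain's public MX/TXT records.
Sample records are constructed; suffix/prefix tables are assumed mappings."""
MX_PROVIDERS = {"aspmx.l.google.com": "Google Workspace",  # MX suffix -> provider
                "protection.outlook.com": "Microsoft 365",
                "pphosted.com": "Proofpoint", "mimecast.com": "Mimecast"}
VERIFICATION_PREFIXES = {  # TXT prefix -> SaaS integration it reveals
    "openai-domain-verification=": "OpenAI",
    "have-i-been-pwned-verification=": "Have I Been Pwned",
    "atlassian-domain-verification=": "Atlassian",
    "docusign=": "DocuSign",
}

def spf_posture(txt_records):
    """'locked down' = 'v=spf1 -all' with no senders (domain sends no mail);
    otherwise 'hard fail', 'soft fail', 'permissive', or 'none' (no SPF)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return "none"
    terms = spf[0].split()[1:]                      # mechanisms after v=spf1
    senders = [t for t in terms if not t.endswith("all")]
    all_term = next((t for t in terms if t.endswith("all")), "?all")
    if all_term == "-all":
        return "locked down" if not senders else "hard fail"
    return "soft fail" if all_term == "~all" else "permissive"

def mail_provider(mx_records):
    """Match the first recognised MX target, e.g. '10 aspmx.l.google.com.'."""
    for mx in mx_records:
        host = mx.split()[-1].lower().rstrip(".")
        for suffix, name in MX_PROVIDERS.items():
            if host.endswith(suffix):
                return name
    return "none" if not mx_records else "unknown"

def saas_footprint(txt_records):
    """Third parties revealed by domain-verification TXT records."""
    return sorted({name for r in txt_records
                   for prefix, name in VERIFICATION_PREFIXES.items()
                   if r.lower().startswith(prefix)})

def assess(mx_records, txt_records):
    return {"mail": mail_provider(mx_records), "spf": spf_posture(txt_records),
            "saas": saas_footprint(txt_records)}

# Constructed samples: a domain that sends no mail vs. a SaaS-heavy Google one
LOCKED_DOWN = assess([], ["v=spf1 -all"])
SAAS_HEAVY = assess(["10 aspmx.l.google.com."],
                    ["v=spf1 include:_spf.google.com include:amazonses.com ~all",
                     "openai-domain-verification=dv-CONSTRUCTED",
                     "have-i-been-pwned-verification=CONSTRUCTED"])
```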
5. The Paragon Exception
The spyware vendor has the smallest footprint. Single IP, no email, minimal DNS records. They understand OPSEC better than the data brokers.
What This Means
For ICE: Your surveillance supply chain has concentration risk. Multiple vendors in one AWS region, shared infrastructure patterns, and at least one catastrophic breach (Gravy) that compromised the data you purchased.
For the vendors: Your infrastructure is discoverable via basic OSINT. The same techniques you sell to law enforcement can be used to map your own attack surface.
For everyone else: The companies tracking millions of phones chose convenience over resilience. They're running on the same cloud, in the same region, with the same patterns that got Gravy Analytics breached.
The watchers can be watched.
The author runs DugganUSA's threat intelligence platform and has reported 102,171 malicious IPs to AbuseIPDB. This OSINT was conducted using public DNS records, SSL certificates, and TXT record enumeration - the same techniques available to any security researcher.
DNS enumeration via dig
SSL certificate inspection via OpenSSL
WHOIS lookups
Public TXT/SPF/MX records
Her name is Renee Nicole Good.