Pattern 41: The Mechanical Horde - Automated Repository Saturation
- Patrick Duggan
- Nov 24, 2025
- 3 min read
Pattern ID: 41
Category: Platform Abuse
Severity: MEDIUM
The Soundtrack
Because every good threat hunt deserves a metal anthem:
The Discovery
While investigating GitHub supply chain threats (Pattern 38), we discovered something peculiar: accounts creating hundreds of repositories with mechanical precision - every 2-15 seconds, like clockwork.
Meet siagfnd and barrylustig - two accounts that created 810 and 827 repositories respectively, with timing so precise it screams "automation."
The Technical Signature
What makes this a bot?
Timestamp Analysis:
14:24:26 - vigilant-fortnight
14:24:29 - ideal-giggle (+3 sec)
14:24:31 - cuddly-invention (+2 sec)
14:24:33 - laughing-octo-spoon (+2 sec)
barrylustig:
• 827 repositories
• 98.97% mechanical timing (96 out of 97 creation intervals were 2-15 seconds)
• Average interval: 4.97 seconds
• Zero public events
• Zero followers
• 99%+ null language (no actual code)
siagfnd:
• 810 repositories
• Created in 11 months (73 repos/month)
• Mechanical timing: 2-13 second intervals
• Zero engagement, all auto-generated names
Why This Matters
Namespace Saturation creates a false baseline for the GitHub ecosystem:
1. Cognitive Overload - Defenders can't review 810 repos individually
2. False Consensus - Makes mass repo creation appear "normal"
3. Camouflage - Malicious repos (Pattern 38 sleepers) blend into the noise
4. Search Pollution - Legitimate projects harder to find
Kill the Body, Ignore the Heads
The Hydra Metaphor applies here:
❌ FUTILE: Delete 810 individual repos (bot creates more)
✅ EFFECTIVE: Report automation infrastructure to GitHub
Reporting individual repos is pointless. The API token that creates them is the real threat. GitHub can suspend the account and investigate the bot network.
The Detection
Our new Pattern 41 scanner uses timestamp analysis:
```javascript
function detectMechanicalTiming(repos) {
  // repos: array of { created_at } sorted by creation time (ascending)
  const timestamps = repos.map(r => new Date(r.created_at).getTime());
  // Calculate intervals between repo creation
  const intervals = [];
  for (let i = 1; i < timestamps.length; i++) {
    const intervalSec = (timestamps[i] - timestamps[i - 1]) / 1000;
    if (intervalSec < 60) intervals.push(intervalSec);
  }
  // Check for mechanical precision (2-15 sec intervals)
  const mechanicalIntervals = intervals.filter(i => i >= 2 && i <= 15);
  // Guard against accounts with no sub-minute intervals (would divide by zero)
  const mechanicalRatio = intervals.length ? mechanicalIntervals.length / intervals.length : 0;
  return { isMechanical: mechanicalRatio > 0.7, mechanicalRatio }; // 70%+ = bot
}
```
barrylustig: 98.97% mechanical ratio → CONFIRMED BOT
The Bot Network
This isn't isolated. We've identified multiple accounts with similar patterns:
• 500-1000+ repos per account
• Mechanical timing (2-15 second intervals)
• Zero engagement (0 public events, 0 followers)
• Burst creation (100+ repos in minutes)
• Null language (99%+ empty repos)
Automated Detection & Disclosure
We've deployed:
1. pattern-38-scanner.js - Daily automated detection
2. Ethical disclosure pipeline - Feed subscribers get IOCs FIRST (5-minute grace period), then public disclosure
3. STIX feed integration - `https://analytics.dugganusa.com/api/v1/stix-feed`
Philosophy: Protect subscribers first. Shame bad actors second. That's the order.
Evidence Package
• Account: siagfnd (User ID: 194684488)
• Account: barrylustig (User ID: 11999741)
• Violation: Terms of Service - Automated Mass Repository Creation
• Evidence: Mechanical timing analysis, zero engagement, namespace pollution
• Requested Action: Account suspension, API key investigation, bot network analysis
Detection Summary
• 500-1000+ repositories
• Mechanical timing (2-15 second intervals)
• 99%+ null language (no code)
• 0 public events
• 0 followers
• All auto-generated repository names
• Burst creation (100+ repos/day)
Confidence: HIGH - automated saturation bot
Action: Report to GitHub for ToS violation (mass automation)
Resources
• Pattern Documentation: `/patterns/pattern-41-automated-repository-saturation.json`
• Automation Guide: `/docs/PATTERN-38-AUTOMATION-GUIDE.md`
• STIX Feed: `https://analytics.dugganusa.com/api/v1/stix-feed`
• GitHub Actions: Daily scans at 06:00 UTC
Lessons Learned
1. Timestamp analysis reveals automation - Mechanical precision is the signature
2. Volume matters - 810 repos in 11 months = automated
3. Zero engagement = red flag - No human creates 810 repos without interaction
4. Kill the body, not the heads - Report infrastructure, not individual repos
5. Automate the boring stuff - Daily scans protect the ecosystem
Attribution: Patrick Duggan / DugganUSA LLC
License: CC BY 4.0 (Creative Commons Attribution)
Evidence: Compliance records available in repository
Making the Internet Safer, Automatically ✅