Scattered Spider Goes to Space: The OAuth Arc Continues
- Patrick Duggan
- Jan 8
- 4 min read
The Arc
| Date | Target | Damage | Method |
| --- | --- | --- | --- |
| August 2025 | Jaguar Land Rover | £1.9B, global shutdown | Stolen Jira credentials from 2021 |
| November 2025 | Salesforce ecosystem | 1B records, 40 companies | OAuth token theft via Gainsight |
| December 2025 | ESA (Breach #1) | 200GB, Bitbucket repos | Credential harvesting |
| January 2026 | ESA (Breach #2) | 500GB, spacecraft data | Public CVE, September access |
The group: Scattered Spider / Lapsus$ / "Scattered Lapsus$ Hunters" / UNC6395
The pattern: Credential theft → lateral movement → data exfiltration → extortion
The constant: OAuth tokens and legacy credentials that nobody rotated.
Jaguar: The £1.9B Lesson Nobody Learned
August 2025. A credential from 2021—four years old—still worked on Jaguar's Jira instance. One compromised third-party contractor account led to:
Full IT infrastructure access
DNS system compromise
Vehicle infotainment systems breached
Connected vehicle modules accessed
Global manufacturing shutdown
Cost: £1.9 billion. UK government bailout: £1.5 billion.
The credential was four years old.
We wrote about this in October: "What Jaguar's £1.9B Cyberattack Teaches Us About Legacy Debt"
Salesforce: The Billion-Record Harvest
November 2025. Same group pivoted to the Salesforce ecosystem. The method:
Compromise third-party apps (Salesloft, Drift, Gainsight)
Steal OAuth tokens from support case notes
Access Salesforce orgs with legitimate credentials
Exfiltrate customer data
Launch extortion campaign
Victims included:
Google
Cloudflare (the $1.43B security company)
Proofpoint (literally a security vendor)
Adidas, Chanel, Pandora, Workday, Bugcrowd, Qantas, TransUnion, Allianz Life
Total: 1 billion records from 40 companies.
We called it in September and again in November: "UNC6395: I Told You So"
ESA: The Final Frontier
Now they've gone orbital.
Breach #1 (December 2025)
Attacker: "888" on BreachForums
Haul: 200GB from Bitbucket repositories
Contents: Source code, CI/CD pipelines, API tokens, Terraform files, hardcoded credentials
Breach #2 (January 2026)
Attacker: "Scattered Lapsus$ Hunters"
Haul: 500GB
Contents: Spacecraft operational procedures, contingency plans, failure modes, satellite orientation systems
Contractors exposed: SpaceX, Airbus, Thales Alenia Space
Entry point: Public CVE exploited in September 2025
ESA's response: "Only external servers for unclassified collaborative engineering"
Attacker's response: "We still have access"
The Terraform Problem
The December breach included Terraform files and hardcoded credentials. Let me explain why that matters. Terraform files describe:
Cloud provider configurations
Network architectures
Service dependencies
Often: credentials that "temporarily" got hardcoded and never removed
Whoever holds those files therefore knows:
How ESA's systems connect
Where the secrets are stored
Which services trust which other services
Potential pivot paths to contractor systems (SpaceX, Airbus, Thales)
That's not a breach. That's reconnaissance for the next breach.
The OAuth Pattern
Every major Scattered Spider operation follows the same playbook:
```text
┌────────────────────────────────────────────┐
│ THE SCATTERED SPIDER PLAYBOOK              │
├────────────────────────────────────────────┤
│                                            │
│ 1. FIND STALE CREDENTIALS                  │
│    └── Third-party contractor accounts     │
│    └── OAuth tokens in support notes       │
│    └── Hardcoded secrets in repos          │
│    └── Credentials from years ago          │
│                                            │
│ 2. LEGITIMATE ACCESS                       │
│    └── No exploits needed                  │
│    └── Just login with valid credentials   │
│    └── Bypass MFA via session tokens       │
│                                            │
│ 3. LATERAL MOVEMENT                        │
│    └── Jira → IT infra → DNS → cars        │
│    └── Salesforce → CRM → customer data    │
│    └── Bitbucket → CI/CD → spacecraft      │
│                                            │
│ 4. EXFILTRATE & EXTORT                     │
│    └── Leak sites                          │
│    └── Ransom demands                      │
│    └── Public embarrassment                │
│                                            │
└────────────────────────────────────────────┘
```
No zero-days. No sophisticated exploits. Just credentials that should have been rotated years ago.
Why Security Vendors Keep Getting Hit
Cloudflare processes 20% of internet traffic. Got breached.
Proofpoint sells enterprise email security. Got breached.
Google has unlimited security budget. Got breached.
Why? Their security stacks are built to catch:
Malware signatures
DDoS patterns
Phishing emails
Not:
OAuth tokens pasted in support tickets
Four-year-old contractor credentials
Hardcoded secrets in Terraform files
Scattered Spider doesn't hack systems. They log in.
The Space Angle
Why does spacecraft data matter?
Operational procedures: How satellites are controlled, maintained, positioned.
Failure modes: What breaks, how it breaks, what happens when it breaks.
Contingency plans: What to do when things go wrong.
Contractor data: SpaceX, Airbus, Thales Alenia—these companies build spacecraft for governments and militaries worldwide.
Who wants that data?
Competing space agencies
Nation-states
Anyone planning to interfere with space assets
Scattered Spider claims they're just criminals doing extortion. But the data they're stealing has nation-state value.
What We've Been Saying
September 2025: "If your secrets haven't been rotated since August, they're stale."
October 2025: "Legacy debt compounds like interest. Jaguar just paid £1.9B in accumulated interest."
November 2025: "I told you this would keep happening. It did. Rotate your damn secrets."
January 2026: They're stealing spacecraft failure modes now.
The pattern doesn't change. The altitude does.
Recommendations
If you're an enterprise:
Audit OAuth tokens NOW - Salesloft, Drift, Gainsight, HubSpot, Marketo, Zendesk
Search support notes for secrets - "API key", "token", "password", "secret"
Enforce 90-day credential rotation - No exceptions
Revoke third-party access quarterly - Not annually, not "when we remember"
Assume you're compromised - Hunt for anomalous access patterns
If you're ESA:
Rotate everything - The attackers claim they still have access
Notify contractors - SpaceX, Airbus, Thales need to know their data is out there
Audit Terraform state - Every secret referenced in those files is burned
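An added example, my own code rather than the post's or DugganUSA's, covering the "search support notes for secrets" and "enforce 90-day rotation" recommendations above as well as the Terraform problem described earlier: a small scanner that flags hardcoded secrets in constructed Terraform and support-note samples and lists credentials past the rotation deadline. The regexes, sample files and credential inventory are assumptions, not anything taken from ESA or the breaches.

```python
import re
from datetime import date

# Keys that get hardcoded in Terraform or pasted into support notes (assumption: simple key=value / key: value forms).
SECRET_KEY = re.compile(
    r'(?i)\b(password|passwd|secret(?:[_-]?key)?|token|api[_-]?key|access[_-]?key)\b'
    r'\s*[:=]\s*["\']?([^\s"\']{8,})')
# Values that are variable references or masks, not real secrets.
PLACEHOLDER = re.compile(r'^(var\.|\$\{|<|\*+$|xxx)', re.IGNORECASE)

def find_secrets(text):
    """Return (line_no, key, value) for each line that looks like a hardcoded secret."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = SECRET_KEY.search(line)
        if m and not PLACEHOLDER.match(m.group(2)):
            hits.append((n, m.group(1).lower(), m.group(2)))
    return hits

def stale_credentials(creds, today, max_age_days=90):
    """Names of credentials rotated more than max_age_days ago, oldest first."""
    aged = [((today - c["rotated"]).days, c["name"]) for c in creds]
    return [name for days, name in sorted(aged, reverse=True) if days > max_age_days]

# Constructed samples: not ESA's files, not real keys.
TERRAFORM = """\
provider "aws" {
  region     = "eu-west-1"
  access_key = var.aws_access_key
  secret_key = "AKIAEXAMPLEHARDCODED1234"
}
"""
SUPPORT_NOTE = """\
Customer could not connect, gave us their token for testing:
token: sk_live_constructed_example_value_0001
Resolved after updating password: ********
"""
CREDENTIALS = [  # constructed inventory: name and last rotation date
    {"name": "contractor-jira-svc", "rotated": date(2021, 6, 1)},
    {"name": "gainsight-oauth", "rotated": date(2025, 8, 15)},
    {"name": "ci-deploy-key", "rotated": date(2025, 12, 20)},
]
TODAY = date(2026, 1, 8)  # the post's date
if __name__ == "__main__":
    for label, text in (("terraform", TERRAFORM), ("support note", SUPPORT_NOTE)):
        for n, key, value in find_secrets(text):
            print(f"{label} line {n}: hardcoded {key} = {value[:6]}...")
    for name in stale_credentials(CREDENTIALS, TODAY):
        print(f"rotate now: {name}")
```

The placeholder filter is what keeps `var.`-references and masked values out of the report; anything it lets through is a finding to rotate, not just to delete from the file.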
The Timeline Receipts
| Our Coverage | Date | What We Said |
| --- | --- | --- |
| | Oct 2025 | "Legacy debt compounds like interest" |
| | Nov 2025 | "It's going to happen again" |
| This post | Jan 2026 | It happened again. In space. |
The songs don't lie about when they were made. Neither do the blog posts.
Get Protected
All IOCs in machine-readable format:
STIX 2.1 Feed:
```bash
curl https://analytics.dugganusa.com/api/v1/stix-feed
```
OTX Profile: https://otx.alienvault.com/user/pduggusa
Free. Timestamped. No enterprise contract required.
Sources
About DugganUSA: We publish free threat intelligence for the 99% who can't afford enterprise security. Our STIX 2.1 feed tracks 2,200+ blocked IPs with MITRE ATT&CK attribution. We've been tracking Scattered Spider since they were earthbound.
Her name is Renee Nicole Good.