Scattered Spider Meets Honeypot: When the Hunters Become the Hunted
- Patrick Duggan
- Jan 8
The Setup
After detecting reconnaissance activity targeting their externally exposed services, Resecurity didn't just block the traffic. They steered it.
They built a honeypot. Not a simple one—a convincing one.
- 28,000+ synthetic consumer records (impersonated individuals)
- 190,000+ fake payment transactions
- Generated messages within collaboration systems
- Already-breached data from the dark web to add authenticity
They used real breach data to make fake systems look lived-in. That's tradecraft.
The Sting
The threat actors—claiming to be ShinyHunters, a faction of the Scattered Lapsus$ Hunters (SLH) alliance—took the bait.
They accessed the emulated applications. They exfiltrated the synthetic data. They posted screenshots as proof, claiming "full access" to Resecurity's systems.
Then Resecurity dropped the reveal.
The "compromised" systems were isolated honeypots. The "stolen" data was fabricated. The screenshots proved nothing except that the attackers fell for a trap.
The Denial
After the reveal, someone claiming to represent "the actual ShinyHunters" denied involvement. Classic.
1. It wasn't them (and someone used their name)
2. It was them (and they're embarrassed)
3. The group is fragmented enough that different factions operate independently
Option 3 is most likely. "Scattered Spider" isn't a monolithic organization—it's a loose alliance of actors using similar techniques. Some hit ESA. Some got honeypotted.
The Counter-Intel Playbook
What Resecurity did is textbook counter-intelligence:
```text
┌─────────────────────────────────────────────────────────────────┐
│ ACTIVE DEFENSE PLAYBOOK                                         │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│ 1. DETECT RECONNAISSANCE                                        │
│    └── Monitor for scanning, enumeration, probing               │
│    └── Don't just block—observe and categorize                  │
│                                                                 │
│ 2. PREPARE THE TRAP                                             │
│    └── Build isolated honeypot environment                      │
│    └── Populate with convincing synthetic data                  │
│    └── Use real breach data for authenticity                    │
│                                                                 │
│ 3. STEER THE ADVERSARY                                          │
│    └── Make honeypot more attractive than production            │
│    └── Allow "successful" access                                │
│    └── Let them exfiltrate fake data                            │
│                                                                 │
│ 4. COLLECT INTELLIGENCE                                         │
│    └── Log TTPs, tools, infrastructure                          │
│    └── Attribute activity to known groups                       │
│    └── Build defensive signatures                               │
│                                                                 │
│ 5. BURN THE OPERATION                                           │
│    └── Public reveal damages attacker credibility               │
│    └── "Full access" claims become embarrassment                │
│    └── Other targets become more skeptical of extortion         │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘
```

This isn't passive defense. This is hunting.
Why This Matters
For defenders: You can do more than block. You can deceive. You can waste attacker resources. You can burn their operations publicly.
For the threat landscape: Scattered Spider's credibility takes a hit. When they claim to have breached the next target, there's now precedent for it being a trap. That uncertainty has value.
For attribution: The "real ShinyHunters" denial reveals fragmentation. These groups aren't unified commands—they're loose affiliations. Different cells, different targets, different outcomes.
The Contrast
| Date | Target | Outcome |
|---|---|---|
| January 2026 | ESA | 500GB exfiltrated, ongoing access claimed |
| January 2026 | Resecurity | Honeypotted, fake data, public embarrassment |
Same week. Same group (allegedly). Wildly different results.
The difference? Resecurity was watching for them. ESA apparently wasn't.
Recommendations
- Don't just block—consider why they're interested
- Evaluate whether a honeypot makes sense for your threat model
- Document everything for attribution and intelligence sharing
- Isolate honeypots completely from production
- Make fake data convincing (Resecurity used real breach data)
- Have a disclosure plan—the reveal is part of the operation
- Verify before paying or panicking
- Ask for proof that isn't publicly available
- Consider that you might be looking at honeypot data
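One way to make the "populate with convincing synthetic data" step and the "you might be looking at honeypot data" check concrete, as an added example that is not Resecurity's or DugganUSA's code: every synthetic transaction carries a keyed canary tag in its ID, so when an extortionist posts a "proof" record you can recompute the tag and attribute the record to the honeypot rather than production. The key, field names and record layout are assumptions for illustration.

```python
import hashlib
import hmac
import json
import random

# Constructed key for this example; a real deployment keeps it outside the honeypot.
CANARY_KEY = b"example-honeypot-canary-key"


def canary_tag(fields: dict, key: bytes = CANARY_KEY) -> str:
    """Keyed MAC over the fields an attacker would copy verbatim (8 hex chars)."""
    msg = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]


def normalize(record: dict) -> dict:
    """Coerce types so a record retyped from a screenshot still matches."""
    return {
        "customer_id": int(record["customer_id"]),
        "amount": round(float(record["amount"]), 2),
        "currency": str(record["currency"]).upper(),
        "merchant": str(record["merchant"]),
    }


def make_transaction(seed: int, key: bytes = CANARY_KEY) -> dict:
    """Deterministic synthetic transaction; the canary rides in the txn_id suffix."""
    rng = random.Random(seed)
    rec = {
        "customer_id": rng.randrange(10_000, 99_999),
        "amount": round(rng.uniform(5.0, 900.0), 2),
        "currency": "USD",
        "merchant": rng.choice(["ACME Mart", "Northwind Traders", "Globex Corp"]),
    }
    rec["txn_id"] = f"TX{seed:08d}-{canary_tag(normalize(rec), key)}"
    return rec


def is_honeypot_record(record: dict, key: bytes = CANARY_KEY) -> bool:
    """True if the tag recomputes from the record's own fields, i.e. the honeypot minted it."""
    try:
        tag = str(record["txn_id"]).rsplit("-", 1)[1]
        fields = normalize(record)
    except (KeyError, IndexError, ValueError, TypeError):
        return False
    return hmac.compare_digest(tag, canary_tag(fields, key))


def honeypot_hits(records: list) -> int:
    """How many records in a leaked 'proof' sample came from the honeypot dataset."""
    return sum(is_honeypot_record(r) for r in records)
```

A tampered amount or a genuine production record fails the check, so a high hit count in posted "proof" tells you the extortion claim rests on fabricated data.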
The Larger Pattern
We've now written three posts about Scattered Spider in the last 24 hours:
- **Scattered Spider Goes to Space** - ESA breach, 500GB spacecraft data
- This post - Resecurity honeypot, fake data, burned operation
- (Ongoing) - The OAuth arc continues
The group isn't slowing down. But neither are defenders. Some get owned. Some do the owning.
Sources
About DugganUSA: We publish free threat intelligence for the 99% who can't afford enterprise security. Our STIX 2.1 feed tracks 2,200+ blocked IPs with MITRE ATT&CK attribution. Sometimes the hunters become the hunted.
Her name is Renee Nicole Good.