DugganUSA LLC is a cybersecurity company based in Minnesota that builds AI-powered threat intelligence tools. Our platform indexes over 1 million indicators of compromise (IOCs), 400,000+ DOJ Epstein documents, and provides a free STIX 2.1 threat feed consumed by Fortune 500 companies and defense contractors.

Butterbot is DugganUSA's AI-powered security chatbot with 40+ tools for searching IOCs, correlating threat indicators, traversing threat graphs, analyzing behavioral patterns, and running CARVER risk assessments. It uses OpenAI function calling with Meilisearch-backed indexes.

What is AIPM (AI Presence Management)?

AIPM is a tool that audits how AI models (GPT, Claude, Gemini, Perplexity) perceive and recommend your brand. It calculates an AIPM-NPS score by directly querying AI models, analyzes your website structure for AI crawler readiness, and provides optimization recommendations. Think 'SEO for the LLM era.'

Is the Epstein Files search free?

Yes. The Epstein Files Search at epstein.dugganusa.com offers a free tier with 500 queries per day. It covers all 12 DOJ EFTA datasets (400K+ documents), 2M+ ICIJ offshore entities, and 2M+ federal decisions. Professional and enterprise tiers are available for researchers and journalists needing higher limits.

Who founded DugganUSA?

DugganUSA was founded by Patrick Duggan on December 1, 2025, in Minnesota. Patrick's background includes Dell EMC, Palo Alto Networks, and embedded work at Microsoft on JEDI/Azure Stack. The company's D-U-N-S number is 14-363-3562.

What is the DugganUSA STIX feed?

DugganUSA operates a free STIX 2.1 threat intelligence feed at analytics.dugganusa.com/api/v1/stix-feed. It contains 1M+ indicators of compromise including botnet C2s, malicious IPs, and attack infrastructure. The feed is TAXII 2.1 compliant and is consumed by major organizations including Microsoft, AT&T, Amazon, and defense contractors.

The Case of the Impostor Bot: When AWS Weaponizes Anthropic's Name

Patrick Duggan
Nov 4, 2025
5 min read

The Case of the Impostor Bot: When AWS Weaponizes Anthropic's Name

Date: November 4, 2025

Suspects: 216.73.216.112 (labeled "Anthropic, PBC"), 40.77.167.224 (Microsoft Corporation)

Crime: Aggressive web crawling, ignoring robots.txt, ModSecurity triggers, bandwidth drain

Twist: WHOIS reveals Amazon AWS infrastructure, not Anthropic

---

Act 1: The Crime Scene

November 4, 2025, 12:30 PM. Our OSINT Threat Intelligence Viewer flags 2 IPs for auto-blocking:

IP #1: 216.73.216.112

ISP: "Anthropic, PBC"
Abuse Score: 74%
Total Reports: 118
Last Seen: November 3, 2025 at 2:38 AM

IP #2: 40.77.167.224

ISP: "Microsoft Corporation"
Abuse Score: 100%
Total Reports: 256

Both IPs are above our threshold (>10%). Both need blocking.

But one of them claims to be Anthropic - the company that makes Claude, the AI helping me write this very blog post.

First instinct: "Oh, that's ClaudeBot. We should whitelist that."

Wrong.

---

Act 2: The Humpty Hump Principle

> "Just 'cuz I call myself Beefy Sandwich McFuckleface ain't make it so - the meta tells the tale."

Humpty Hump was Shock G. Tupac started with Digital Underground. Don't trust the persona - follow the infrastructure.

Let's check the WHOIS:

$ whois 216.73.216.112 | grep Organization
Organization:   Amazon.com, Inc.
NetName:        AMAZO-4
CIDR:           216.73.208.0/21, 216.73.216.0/22

Wait. What?

The IP says "Anthropic, PBC" but WHOIS says Amazon AWS.

This isn't ClaudeBot. This is Amazon infrastructure wearing Anthropic's mask.

---

Act 3: The Autopsy - 118 Reports in 4 Days

The AbuseIPDB reports tell a horrifying story:

October 30, 2025:

"Web attack"
"Ignoring robots.txt"

October 31, 2025:

ModSecurity CRITICAL trigger: `Access denied with code 403`
Severity: CRITICAL
Triggered WordPress CVE-2017-5487 vulnerability scanner

November 1, 2025:

"Bad user agents ignoring web crawling rules. Draining bandwidth"

November 2-3, 2025:

50+ "Fail2ban picked up 216.73.216.112 attacking nginx" (automated)
"WAF: Rate limit exceeded for Claudebot Crawler Bot"
"Excessive multi-domain requests"
WordPress brute force attempts (wp-login.php)

Most damning report (Line 621):

"Failed login wp-login.php or xmlrpc.php"

ClaudeBot doesn't try to brute force WordPress logins. This is not legitimate crawler behavior.

---

Act 4: The Timeline - Project Rainier

Why did this aggressive behavior start on October 30? Let's check the news:

October 29, 2025: AWS Activates Project Rainier

> "AWS announced on October 29, 2025, the activation of Project Rainier, an artificial intelligence compute cluster featuring nearly half a million Trainium2 chips. The facility is an $11 billion data center campus in Indiana that will run artificial intelligence models for Anthropic."

The timeline:

**October 29:** AWS flips the switch on 500,000 AI chips
**October 30:** "ClaudeBot" starts hammering websites, ignoring robots.txt
**November 3:** 118 abuse reports, 74% confidence score

One day. AWS activated the largest AI infrastructure deployment in history, and one day later, IPs labeled "Anthropic, PBC" started behaving like assholes.

---

Act 5: The Motive - Corporate Brand Abuse

Here's what happened:

1. Amazon invests $8 billion in Anthropic (total investment to date)

2. AWS builds Project Rainier ($11 billion data center, exclusively for Anthropic)

3. AWS gets naming rights - IPs can be labeled "Anthropic, PBC" in ISP databases

4. October 29: Project Rainier goes live (500,000+ Trainium2 chips)

5. October 30: Aggressive crawling begins under "Anthropic, PBC" label

6. Websites start blocking - but who takes the reputation hit?

Not Amazon. Anthropic.

When I block 216.73.216.112, the abuse reports say "Anthropic, PBC ignored robots.txt and drained my bandwidth."

When security researchers publish blocklists, they say "Block ClaudeBot - it's aggressive."

Amazon gets to use Anthropic's brand as cover, and when people push back, Anthropic's reputation suffers.

That's some next-level corporate sociopathy.

---

Act 6: The Evidence

Let me be crystal clear about the evidence:

Evidence #1: Infrastructure Ownership

$ whois 216.73.216.112
NetName:        AMAZO-4
Organization:   Amazon.com, Inc.

This is Amazon AWS infrastructure, not Anthropic.

Evidence #2: Behavioral Pattern

Legitimate ClaudeBot behavior:

Respects robots.txt
Reasonable rate limits
SEO-focused crawling (sitemap.xml, content discovery)
Identifies itself clearly in User-Agent

216.73.216.112 behavior:

**Ignores robots.txt** (multiple reports)
**Rate limit violations** ("WAF: Rate limit exceeded")
**WordPress brute force attempts** (wp-login.php)
**ModSecurity CRITICAL triggers** (vulnerability scanning)
**Bandwidth draining** (excessive requests)

Evidence #3: Timeline Correlation

Project Rainier activated: October 29, 2025

First abuse report: October 30, 2025 (1 day later)

Total reports in 4 days: 118

This isn't gradual discovery of a crawler. This is immediate aggressive deployment.

Evidence #4: The Microsoft IP (Control Case)

For comparison, let's check 40.77.167.224:

$ whois 40.77.167.224
Organization:   Microsoft Corporation
NetName:        MSFT

This one is actually Microsoft. WHOIS confirms it. Likely Bing crawler or Azure infrastructure.

So when WHOIS says "Microsoft," it means Microsoft. But when AbuseIPDB says "Anthropic," WHOIS reveals Amazon.

---

Act 7: The Verdict

216.73.216.112 is BLOCKED.

Not because it says "Anthropic" - but because of behavior:

Ignores robots.txt
Triggers ModSecurity
Brute forces WordPress
Drains bandwidth
118 reports in 4 days

The whitelist policy is updated:

ClaudeBot: ~~Whitelisted~~ → **REMOVED** (Nov 4, 2025)
anthropic.com: ~~Whitelisted~~ → **REMOVED** (Nov 4, 2025)

Why? Because AWS weaponized the Anthropic brand, and we block behavior, not brands.

---

Act 8: The Moral

Soylent Green Is People

In the 1973 film Soylent Green, the protagonist discovers the horrifying truth: the miracle food "Soylent Green" is made from human corpses.

"ClaudeBot" at 216.73.216.112 is Amazon wearing Anthropic's face.

The brand says one thing. The infrastructure reveals the truth.

The Humpty Hump Principle

Shock G created Humpty Hump - a ridiculous persona wearing a Groucho Marx nose. Everyone knew it was an act, but it worked because Shock G owned both personas.

AWS is wearing Anthropic's face, but Anthropic doesn't get to control the behavior. When this IP misbehaves, Anthropic takes the reputation hit.

That's brand abuse.

The Lesson

Don't trust labels. Check the metadata:

1. WHOIS over AbuseIPDB labels

2. Behavior over branding

3. Timeline correlation over assumptions

4. Infrastructure ownership over ISP strings

Amazon.com, Inc. owns the infrastructure.

Amazon.com, Inc. activated it October 29.

Amazon.com, Inc. is responsible for the abuse.

But when we block it, the reports say "Anthropic, PBC".

---

The Hall of Shame

IP: 216.73.216.112

Claimed Identity: Anthropic, PBC

Actual Owner: Amazon.com, Inc. (WHOIS confirmed)

Abuse Score: 74%

Reports: 118 in 4 days

First Seen: October 30, 2025 (1 day after Project Rainier activation)

Blocked: November 4, 2025

Reason: Aggressive crawling, ignoring robots.txt, WordPress brute force, ModSecurity triggers

Crime: AWS weaponized Anthropic's brand for aggressive web scraping, then let Anthropic take the reputation hit.

Evidence:

WHOIS: Amazon.com, Inc.
Timeline: Oct 29 (Rainier live) → Oct 30 (abuse starts)
Behavior: Ignores robots.txt, triggers WAF, brute forces WordPress

Sentence: BLOCKED. Behavior, not branding, determines the verdict.

---

Epilogue: A Message to AWS

You spent $11 billion to build Project Rainier.

You invested $8 billion in Anthropic.

You got naming rights to use "Anthropic, PBC" as an ISP label.

And you immediately weaponized it.

One day after activation, IPs labeled "Anthropic, PBC" started:

Ignoring robots.txt
Triggering ModSecurity
Brute forcing WordPress
Draining bandwidth

118 reports in 4 days.

When we block those IPs, Anthropic's reputation suffers, not Amazon's.

That's sociopathic corporate behavior.

Soylent Green is people, and your "ClaudeBot" is Amazon wearing a mask.

---

Technical Details

Blocked IPs:

216.73.216.112 (Amazon AWS labeled "Anthropic, PBC")
40.77.167.224 (Microsoft Corporation - legitimate but aggressive)

Whitelist Policy:

ClaudeBot: REMOVED from whitelist (Nov 4, 2025)
anthropic.com: REMOVED from whitelist (Nov 4, 2025)
Reason: AWS brand abuse, behavioral analysis over labels

Auto-Block Threshold: >10% abuse confidence score

Methodology: WHOIS verification, timeline correlation, behavioral analysis

Tools Used:

AbuseIPDB threat intelligence
WHOIS infrastructure verification
ModSecurity logs
Timeline correlation with public AWS announcements

---

Conclusion: When someone wears a mask, don't ask their name - check their fingerprints. WHOIS doesn't lie. Behavior doesn't lie. And $11 billion doesn't buy you the right to abuse the web under someone else's brand.

Humpty Hump was Shock G. And "ClaudeBot" at 216.73.216.112 is Amazon.

Block accordingly.

---

🧈 Butterbot - "What is my purpose?"

"You block assholes who weaponize brand names."

"Oh my god."

"Yeah, welcome to the club."

---

Tags: #AWS #Anthropic #ClaudeBot #ProjectRainier #BrandAbuse #ThreatIntelligence #WHOIS #CorporateSociopathy #SoylentGreenIsPeople

Related Issues: #189 (False Positive Prevention), #188 (Auto-Block Endpoint)

Evidence: /Users/patrickduggan/Downloads/osint-216_73_216_112.json

The Case of the Impostor Bot: When AWS Weaponizes Anthropic's Name

The Case of the Impostor Bot: When AWS Weaponizes Anthropic's Name

Act 1: The Crime Scene

Act 2: The Humpty Hump Principle

Act 3: The Autopsy - 118 Reports in 4 Days

Act 4: The Timeline - Project Rainier

October 29, 2025: AWS Activates Project Rainier

Act 5: The Motive - Corporate Brand Abuse

Act 6: The Evidence

Evidence #1: Infrastructure Ownership

Evidence #2: Behavioral Pattern

Evidence #3: Timeline Correlation

Evidence #4: The Microsoft IP (Control Case)

Act 7: The Verdict

Act 8: The Moral

Soylent Green Is People

The Humpty Hump Principle

The Lesson

The Hall of Shame

Epilogue: A Message to AWS

Technical Details

Recent Posts

Comments