The FBI's Wiretap Network Got Hacked. They Called It a 'Major Incident.' That Almost Never Happens.

  • Writer: Patrick Duggan
  • Apr 2
  • 4 min read

The FBI just told Congress that the breach of its wiretap and surveillance network qualifies as a "major incident." The former deputy assistant director of the FBI's cyber division says she can't recall the bureau making that determination about its own systems since at least 2020.


The affected system manages electronic surveillance — wiretaps, pen registers, trap and trace data, and personally identifiable information on subjects of FBI investigations. The people the FBI is watching got exposed to the people watching the FBI.


The suspected attacker: Salt Typhoon. Chinese Ministry of State Security. The same group that spent months inside American telecom networks last year.


The breach was detected on February 17. The FBI disclosed it to Congress. Bloomberg reported it today.



What Was Compromised


This isn't an email server or a public-facing website. This is the network the FBI uses to manage court-authorized surveillance. Specifically:


  • Pen register data — records of every phone number a subject calls or receives calls from

  • Trap and trace data — incoming call records for surveillance targets

  • Legal process returns — the data collected under court orders (wiretaps, data intercepts)

  • PII on subjects of FBI investigations — names, identifying information on people the FBI is actively investigating

If you're a target of an FBI investigation, the hackers may now know the FBI is watching you. If you're a source, the hackers may know you're cooperating. If you're under surveillance for counterintelligence, the foreign intelligence service that hacked the FBI now knows the scope and methods of the surveillance.


The intelligence value of this data to a foreign adversary is incalculable.



Salt Typhoon


The methods described in the congressional notification closely resemble Salt Typhoon — a Chinese APT attributed to the Ministry of State Security. Salt Typhoon spent months inside AT&T, Verizon, and other telecom providers in 2024-2025, accessing the same type of wiretap and surveillance infrastructure from the carrier side.


Now they appear to have accessed it from the FBI side.


The telecom breaches gave China visibility into who the FBI was surveilling through the carriers. This breach gives them visibility into the FBI's own surveillance management systems — the internal records of what was collected, who authorized it, and what was found.


Two sides of the same coin. The carriers had the pipes. The FBI had the warrants. Salt Typhoon got both.



The Timeline — Everything Is Connected


February 17, 2026: FBI detects abnormal activity on its surveillance network. Opens investigation.


February 28, 2026: US and Israel launch strikes on Iran. The cyber war escalates.


March 6, 2026: We detect probing of our STIX feed infrastructure from an AT&T IP. We start tracking.


March 11, 2026: Handala (Iran/MOIS) wipes 200,000 Stryker devices via Microsoft Intune.


March 20, 2026: DOJ attributes Handala to MOIS. Seizes domains. $10M reward.


March 27, 2026: Handala breaches FBI Director Kash Patel's personal Gmail. 300+ emails published.


April 1, 2026: IRGC names 18 US tech companies as military targets. Google GTIG attributes Axios npm attack to North Korea.


April 2, 2026: Bloomberg reports the FBI has declared its surveillance network breach a "major incident." Attribution: China (Salt Typhoon).


Three nation-states. Three concurrent campaigns. China in the FBI's wiretap network. Iran in the FBI Director's email and a medical device manufacturer's MDM. North Korea in the npm supply chain stealing cryptocurrency.


The FBI is being attacked by at least two of them simultaneously — Salt Typhoon through the surveillance network, Handala through the Director's personal accounts. The agency responsible for defending against all three is itself compromised by two of them.



What "Major Incident" Means


Under FISMA (Federal Information Security Management Act), a "major incident" is a designation with legal teeth. It triggers:


  • Mandatory congressional notification

  • Criminal investigation

  • Independent security review

  • Potential infrastructure rebuild

  • Public disclosure requirements

The former deputy assistant director of the FBI's cyber division says this almost never happens to the FBI's own systems. The threshold is "quite high." The FBI declaring a major incident on its own networks means the damage is severe enough that they can't handle it quietly.



The Surveillance Paradox


The FBI builds surveillance networks to watch threats. Those surveillance networks are themselves threat surfaces. The data collected under court orders — the most sensitive law enforcement information in the country — sits on systems connected to networks that nation-state hackers can reach.


The pen register data tells an adversary who the FBI is watching. The trap and trace data tells them who's calling. The legal process returns tell them what the FBI found. The PII tells them who to target, recruit, or eliminate.


This is the "your security tool is your attack surface" thesis at the national security level. The system designed to protect the country through surveillance became the vulnerability that exposed the country's surveillance to adversaries.


CrowdStrike's Falcon agent bricked 8.5 million machines. Microsoft's Intune wiped 200,000 devices. Aqua's Trivy stole CI/CD credentials. The FBI's wiretap network exposed investigation subjects to Chinese intelligence.


Different scale. Same pattern. The tool you trust most is the tool that hurts you worst when it's compromised.



What We Track


Our STIX feed carries IOCs for Salt Typhoon, Handala/MOIS, and UNC1069 (DPRK). All three nation-state clusters are actively targeting US infrastructure.


  • 28 Iranian adversary profiles — Handala, MuddyWater, Cotton Sandstorm, Educated Manticore

  • Chinese APT indicators — Salt Typhoon, UNC6201 (Dell RecoverPoint), Volt Typhoon

  • DPRK indicators — UNC1069 (Axios), WAVESHAPER malware family

The FBI's surveillance network breach is the biggest story of the week. But it's not isolated. It's the latest link in a chain that started with telecom breaches, continued through medical device wipers and supply chain attacks, and now reaches into the FBI's own investigative infrastructure.


275+ organizations pull our STIX feed daily. The indicators for all three nation-state campaigns are in the next pull.




The FBI watches threats for a living. Today we learned the threats were watching back — and had been since February. Salt Typhoon in the wiretap network. Handala in the Director's inbox. The watchers got watched.


"Major incident" almost never applies to the FBI's own systems. It applies now.

