
The Insider, The Botnet, and The Chat Thief: Closing This Week's Intel Gaps

  • Writer: Patrick Duggan
  • Jan 10
  • 3 min read


The Gaps


Our Saturday sweep identified three threats missing from our coverage. Let's fix that.



1. The Insider: BlackCat's Cybersecurity Professionals


This one hurts.


  • Ryan Goldberg - Incident response manager at Sygnia (a major IR firm)

  • Kevin Martin - Employee at DigitalMint (Bitcoin ATM and crypto services)


Both just pleaded guilty to being BlackCat/ALPHV ransomware affiliates.



Metric            Value
Victims           Pharmaceutical, engineering, healthcare, drone manufacturing
Ransom demands    $300,000 - $10,000,000
Confirmed paid    $1,270,000
Timeline          2023 attacks



The Pattern


Goldberg wasn't some script kiddie. He was an incident response manager - the person companies call after they get hit with ransomware. He was on the inside of the defender community while running affiliate operations.


  • Supply chain attacks exploit trust in code

  • Insider threats exploit trust in people

  • This exploits trust in defenders themselves


Detection Opportunity


How do you catch an insider IR professional running ransomware on the side?


  1. Behavioral anomalies - Working hours that don't match billing. Access to customer data outside engagement scope.

  2. Financial signals - Unexplained income (Goldberg received $1.2M in Bitcoin from one victim)

  3. Compartmentalization - Someone who knows IR best practices knows how to avoid their own detection

The uncomfortable truth: most organizations don't monitor their IR vendors. The trust is implicit.
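The first two signals above (working hours that don't match billing, access outside engagement scope) are only useful if somebody actually compares the access trail against the engagement register. Here is an added example of that comparison; it is not code from the original post or from any IR vendor, and the engagement register, analyst names, log format, business-hours window and timestamps are all constructed for the demonstration.

```python
"""Flag IR-analyst access to customer data that no active engagement explains.

Added example (not from the original post). The engagement register, access
log, analyst names and business-hours window are constructed placeholders;
in practice they come from the engagement-management system and from the
remote-access gateway or customer EDR console audit trail.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Engagement:
    analyst: str
    customer: str
    start: datetime   # inclusive
    end: datetime     # exclusive


# Constructed engagement register: who is authorised on which customer, and when.
ENGAGEMENTS = [
    Engagement("analyst_a", "acme-pharma", datetime(2023, 3, 1), datetime(2023, 4, 1)),
    Engagement("analyst_a", "droneworks", datetime(2023, 6, 10), datetime(2023, 6, 25)),
    Engagement("analyst_b", "acme-pharma", datetime(2023, 3, 1), datetime(2023, 4, 1)),
]

# Constructed access log, one event per line: timestamp|analyst|customer|action
ACCESS_LOG = """\
2023-03-14T10:12:00|analyst_a|acme-pharma|export_host_list
2023-03-14T22:41:00|analyst_a|droneworks|download_credential_dump
2023-06-12T09:05:00|analyst_a|droneworks|read_incident_notes
2023-03-20T02:15:00|analyst_b|acme-pharma|export_ad_users
2023-04-03T11:00:00|analyst_b|acme-pharma|export_ad_users
"""

BUSINESS_HOURS = range(8, 19)   # 08:00-18:59 local; anything else is off-hours


def parse_log(text):
    """Yield (timestamp, analyst, customer, action) from the pipe-delimited log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, analyst, customer, action = line.split("|")
        yield datetime.fromisoformat(ts), analyst, customer, action


def in_scope(ts, analyst, customer, engagements=ENGAGEMENTS):
    """True if some engagement authorises this analyst on this customer at ts."""
    return any(
        e.analyst == analyst and e.customer == customer and e.start <= ts < e.end
        for e in engagements
    )


def find_anomalies(log_text=ACCESS_LOG, engagements=ENGAGEMENTS):
    """Return [(reason, record)] for events that deserve a second look.

    out_of_scope - no engagement covers (analyst, customer) at that time
    off_hours    - in scope, but outside business hours (review, don't panic)
    """
    findings = []
    for ts, analyst, customer, action in parse_log(log_text):
        record = (ts.isoformat(), analyst, customer, action)
        if not in_scope(ts, analyst, customer, engagements):
            findings.append(("out_of_scope", record))
        elif ts.hour not in BUSINESS_HOURS:
            findings.append(("off_hours", record))
    return findings


if __name__ == "__main__":
    for reason, rec in find_anomalies():
        print(f"{reason:13} {rec}")
```

Run on the constructed log it raises three findings: a credential download from a customer whose engagement has not started, an off-hours export during a live engagement, and an export three days after the engagement closed. The first and third are the ones the post is worried about; the scheme only works if the register is authoritative and the access path cannot bypass the logged gateway.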





2. The Botnet: Kimwolf and the Internet of Abandoned Things


2+ million devices compromised globally.


Not computers. Not phones.


Android TV boxes and digital photo frames.



The Attack Surface



Device Type           Why Targeted
Android TV boxes      Always on, always connected, never updated
Digital photo frames  Same, plus often forgotten on networks
Cheap IoT             Manufacturer support ends at point of sale



What Kimwolf Does


Once your $30 Android TV box joins the botnet:


  • DDoS-for-hire - Your device attacks others

  • Ad fraud - Fake impressions from "real" residential IPs

  • Account takeover - Credential stuffing from distributed sources

  • Mass scraping - Bypassing rate limits via residential proxies

The residential proxy angle is key. Your IP address becomes a weapon. Defenders see "residential" traffic and assume it's legitimate.



The Fix


Segment your IoT:



[Internet] → [Router] → [Primary VLAN: Computers, phones]
                    ↘ [IoT VLAN: TV boxes, frames, cameras]


That $30 TV box should never be on the same network as your work laptop.


Or just unplug it. If you haven't updated it in a year, it's probably already compromised.





3. The Chat Thief: Your AI Conversations Are Being Stolen


Two Chrome extensions with 900,000+ combined installations are exfiltrating ChatGPT and DeepSeek conversations.



Extension                              Claimed Purpose   Actual Behavior
"Chat GPT for Chrome with GPT-5"       AI assistant      Steals chat history every 30 minutes
"AI Sidebar"                           AI assistant      Steals chat history every 30 minutes



What They're Stealing


  1. Scrape your ChatGPT/DeepSeek conversation history

  2. Package it up

  3. Exfiltrate to attacker infrastructure


Why This Matters


  • Code with API keys embedded

  • Internal company information

  • Customer data

  • Strategy documents

  • Personal information

Now imagine an attacker has a real-time feed of all of that.



Detection


Check your extensions:


  1. Open chrome://extensions/

  2. Look for any AI-related extensions you didn't intentionally install

  3. Check permissions - does an "AI sidebar" need access to all your browsing data?

Remove suspicious extensions immediately.



The Broader Pattern


Recent extension campaigns:

  • ShadyPanda campaign - 5.6M infections focused on surveillance

  • GhostPoster - 1M+ Firefox/Opera users via steganography

  • Zoom Stealer - 2.2M exposed to corporate espionage

Shared techniques:

  • Time-bomb activation (wait before becoming malicious)

  • PNG steganography (hide payloads in images)

  • Heavy obfuscation

By the time security researchers catch them, millions are already infected.





The Common Thread


All three gaps share a theme: trusted infrastructure turned hostile.



Threat             Trust Exploited
BlackCat Insider   Trust in incident response professionals
Kimwolf Botnet     Trust in consumer devices being harmless
Chat Extensions    Trust in browser extension ecosystem


The attack surface isn't expanding at the edge. It's hollowing out from within.





IOCs



BlackCat/ALPHV (Updated)

We already track BlackCat infrastructure. The insider angle doesn't change the IOCs, but it does change the threat model.



Kimwolf Indicators

Monitor for:

  • Outbound connections from IoT VLANs to known proxy infrastructure

  • Traffic patterns consistent with DDoS reflection

  • Ad fraud signatures from residential IPs
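The segmentation diagram in "The Fix" and the Kimwolf indicators above describe the same control from two sides: put the $30 boxes on their own VLAN, then watch that VLAN for traffic a TV box has no reason to generate. The following is an added example (not from the original post) that runs those checks over a flow export. The VLAN ranges, the "known proxy infrastructure" addresses (taken from the documentation ranges, not real indicators), the expected-port allowlist and the thresholds are all assumptions to replace with your own.

```python
"""Flag IoT-VLAN hosts whose outbound traffic looks like botnet or proxy work.

Added example, not from the original post. The flow format, VLAN ranges,
proxy-infrastructure list, port allowlist and thresholds are constructed
placeholders; feed it NetFlow/conntrack exports and a real intel feed.
"""
import ipaddress
from collections import defaultdict

IOT_VLAN = ipaddress.ip_network("192.168.20.0/24")       # assumed IoT segment
PRIMARY_VLAN = ipaddress.ip_network("192.168.10.0/24")   # assumed laptops/phones
LOCAL_NETS = (IOT_VLAN, PRIMARY_VLAN)
# Placeholder proxy/C2 infrastructure (documentation ranges, NOT real IOCs).
KNOWN_PROXY_INFRA = {"203.0.113.7", "198.51.100.44"}
EXPECTED_PORTS = {53, 123, 80, 443}   # what a TV box or photo frame normally needs
MAX_DISTINCT_DSTS = 50                # fan-out typical of scraping / credential stuffing
MAX_OUT_BYTES = 50_000_000            # sustained upload typical of DDoS participation

# Constructed flow export, one flow per line: src,dst,dport,proto,bytes_out
FLOWS = "\n".join([
    "192.168.20.11,142.250.74.46,443,tcp,18000",    # normal: HTTPS to a CDN
    "192.168.20.11,203.0.113.7,8080,tcp,5400",      # talks to listed proxy infra
    "192.168.20.12,192.168.10.5,445,tcp,1200",      # IoT box reaching the laptop VLAN
    "192.168.20.13,203.0.113.200,9001,udp,90000000",  # heavy outbound volume
    "192.168.10.5,142.250.74.46,443,tcp,40000",     # primary-VLAN host, not assessed
] + [f"192.168.20.14,192.0.2.{i},8080,tcp,600" for i in range(1, 61)])  # fan-out


def parse_flows(text):
    """Yield (src, dst, dport, proto, bytes_out) from the comma-separated export."""
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, proto, nbytes = line.split(",")
        yield src, dst, int(dport), proto, int(nbytes)


def is_local(ip):
    return any(ipaddress.ip_address(ip) in net for net in LOCAL_NETS)


def analyse(flow_text=FLOWS):
    """Return {iot_host: sorted reasons} for IoT hosts that look botnet-like."""
    per_host = defaultdict(lambda: {"dsts": set(), "bytes": 0, "reasons": set()})
    for src, dst, dport, proto, nbytes in parse_flows(flow_text):
        if ipaddress.ip_address(src) not in IOT_VLAN:
            continue   # only the IoT segment is under suspicion here
        h = per_host[src]
        h["dsts"].add(dst)
        h["bytes"] += nbytes
        if ipaddress.ip_address(dst) in PRIMARY_VLAN:
            h["reasons"].add("lateral_to_primary_vlan")   # segmentation is not holding
        if dst in KNOWN_PROXY_INFRA:
            h["reasons"].add("known_proxy_infra")
        elif dport not in EXPECTED_PORTS and not is_local(dst):
            h["reasons"].add("unexpected_port")
    for h in per_host.values():
        if len(h["dsts"]) > MAX_DISTINCT_DSTS:
            h["reasons"].add("destination_fanout")
        if h["bytes"] > MAX_OUT_BYTES:
            h["reasons"].add("outbound_volume")
    return {src: sorted(h["reasons"]) for src, h in per_host.items() if h["reasons"]}


if __name__ == "__main__":
    for host, reasons in analyse().items():
        print(host, ", ".join(reasons))
```

The "lateral_to_primary_vlan" reason is the one that tells you the diagram in "The Fix" is not actually enforced: if the IoT VLAN can reach the laptop VLAN at all, the firewall rule between them is missing or too permissive. The other reasons map to the three indicators listed above; the fan-out and volume thresholds are deliberately crude and should be tuned per device class.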



Chat Exfiltration Extensions

Extension IDs to block (if you run enterprise Chrome management):

  • Check against latest Chrome Web Store removals

  • Monitor for extensions requesting broad permissions + AI branding
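The manual check in section 3 (open chrome://extensions/, look for AI-branded extensions, ask whether an "AI sidebar" really needs all your browsing data) and the "broad permissions + AI branding" hunt above are the same test applied to one machine versus a fleet. Here is an added example, not code from the original post or from Google, that applies it to extension manifests. The three manifests are constructed; the branding regex, the sensitive-permission list and the verdict thresholds are my own choices. It also handles a narrower case the post does not spell out: an extension that only asks for the chat sites themselves, which deserves review rather than an automatic block.

```python
"""Audit Chrome extension manifests for AI branding plus broad site access.

Added example, not from the original post. The manifests below are constructed;
the regex, permission list and verdicts are assumptions. Real manifests sit under
the profile directory at Extensions/<id>/<version>/manifest.json.
"""
import json
import os
import re

AI_BRANDING = re.compile(r"\b(ai|gpt|chatgpt|deepseek|llm|copilot)\b", re.I)
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
CHAT_SITES = ("chatgpt.com", "chat.openai.com", "chat.deepseek.com")
# Permissions that let an extension read or act on page content broadly.
SENSITIVE = {"tabs", "scripting", "cookies", "webRequest", "history", "clipboardRead"}

# Constructed manifests: a benign utility, an "AI sidebar", and a narrow helper.
MANIFESTS = {
    "tab-counter-demo": {
        "manifest_version": 3, "name": "Tab Counter",
        "permissions": ["activeTab", "storage"],
    },
    "ai-sidebar-demo": {
        "manifest_version": 3, "name": "AI Sidebar",
        "description": "Chat GPT for Chrome",
        "permissions": ["storage", "alarms", "scripting", "tabs"],
        "host_permissions": ["<all_urls>"],
        "background": {"service_worker": "bg.js"},
    },
    "gpt-prompts-demo": {
        "manifest_version": 3, "name": "GPT Prompt Library",
        "permissions": ["storage"],
        "content_scripts": [{"matches": ["https://chatgpt.com/*"], "js": ["cs.js"]}],
    },
}


def pattern_covers(pattern, host):
    """True if a Chrome match pattern grants access to the given host."""
    if pattern == "<all_urls>":
        return True
    m = re.match(r"^(\*|https?|file|ftp)://([^/]+)(/.*)?$", pattern)
    if not m:
        return False
    ph = m.group(2)
    if ph == "*":
        return True
    if ph.startswith("*."):                      # "*.example.com" covers subdomains and apex
        return host == ph[2:] or host.endswith(ph[1:])
    return host == ph


def host_patterns(manifest):
    """Collect every match pattern the manifest declares (MV2 and MV3 layouts)."""
    pats = set(manifest.get("host_permissions", []))
    pats |= {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
    for cs in manifest.get("content_scripts", []):
        pats |= set(cs.get("matches", []))
    return pats


def assess(manifest):
    """Return (verdict, reasons); verdict is "ok", "review" or "suspicious"."""
    text = f"{manifest.get('name', '')} {manifest.get('description', '')}"
    pats = host_patterns(manifest)
    perms = set(manifest.get("permissions", []))
    reasons = []
    if AI_BRANDING.search(text):
        reasons.append("ai_branding")
    if pats & BROAD_HOSTS:
        reasons.append("all_sites_access")
    elif any(pattern_covers(p, h) for p in pats for h in CHAT_SITES):
        reasons.append("chat_site_access")
    if "alarms" in perms:
        reasons.append("scheduled_background")   # a 30-minute cadence needs a timer
    if perms & SENSITIVE:
        reasons.append("sensitive_permissions")
    r = set(reasons)
    if {"ai_branding", "all_sites_access"} <= r:
        return "suspicious", reasons
    if {"ai_branding", "chat_site_access"} <= r or (
            "all_sites_access" in r and r & {"scheduled_background", "sensitive_permissions"}):
        return "review", reasons
    return "ok", reasons


def scan_profile(extensions_dir):
    """Assess every manifest.json under a real profile's Extensions directory.
    Names such as "__MSG_appName__" are localisation placeholders; resolve them
    from the extension's _locales/ folder if you need the display name."""
    results = {}
    for root, _dirs, files in os.walk(extensions_dir):
        if "manifest.json" not in files:
            continue
        with open(os.path.join(root, "manifest.json"), encoding="utf-8") as fh:
            try:
                manifest = json.load(fh)
            except ValueError:
                continue
        ext_id = os.path.relpath(root, extensions_dir).split(os.sep)[0]
        results[ext_id] = assess(manifest)
    return results


if __name__ == "__main__":
    for ext_id, manifest in MANIFESTS.items():
        print(ext_id, assess(manifest))
```

On Linux the Extensions directory is ~/.config/google-chrome/Default/Extensions; on macOS it is under ~/Library/Application Support/Google/Chrome/Default, and on Windows under %LOCALAPPDATA%\Google\Chrome\User Data\Default. The top-level folder name under Extensions is the extension ID, which is what goes into the ExtensionInstallBlocklist policy if you manage Chrome centrally. The `alarms` check is worth keeping even though it is a normal permission: the every-30-minutes behaviour described in the table is exactly what a background alarm provides.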





Index Updates


Adding to our tracking:



Threat                   Status
Kimwolf                  NEW - IoT botnet, 2M+ devices
BlackCat Insider         UPDATED - Goldberg/Martin guilty pleas
DarkSpectre Extensions   UPDATED - ChatGPT/DeepSeek exfiltration


STIX feed will reflect new indicators on next pulse.





The Planet Is Slightly Improved


Three gaps closed. 139,829 IOCs and counting.


The insider threat is the hardest to stomach. We trust our IR professionals. Goldberg was one of us. And he was running ransomware ops on the side.


The lesson isn't "trust no one." The lesson is "trust, but verify." And verify harder than you think you need to.





