# The Leech: How an Austrian Grad Student Built a Knockoff Epstein Search Engine on Our API

- Patrick Duggan
- Feb 21
- Updated: Apr 25

*Justin Hangoebl, Master's student at Johannes Kepler University Linz. Built epstein-check.org in one day. Credits "DOJ Epstein Library" as his data source. Forgot to mention he's using our API.*
On February 6, 2026 — the same week Epstein documents were trending worldwide — a Namecheap domain was registered: **epstein-check.org**. Sixteen days later, it was our fourth-largest traffic referrer, sending 4,113 requests per week to our search API.
We didn't authorize it. We weren't credited. And whoever built it was making ad revenue off our $76/month infrastructure.
So we did what we do. We traced it.

## The Operator

**Justin Hangoebl** is a Master's student in Computer Science (Data Science) at Johannes Kepler University in Linz, Austria. His thesis is on "Utilizing Semantic IDs in the Context of Generative Recommendation Systems." He previously interned at Cloudflight GmbH doing Azure and full-stack development. His commit email — [email protected] — links to an Austrian AI startup called KI-Note.
His GitHub is public: [github.com/justinhangoebl/epstein-check](https://github.com/justinhangoebl/epstein-check). Zero stars. Zero forks. 46 commits from a single author.
He built the entire site in one day.

## The Architecture (of Theft)

The source code tells the story. In `data-api.js`, the search function has a three-tier fallback:
1. **Primary:** A CORS proxy to `justice.gov/multimedia-search` — the DOJ's own API
2. **Secondary:** A Cloudflare Worker running headless Chrome to bypass the DOJ's Akamai bot protection
3. **Tertiary:** `https://analytics.dugganusa.com/api/v1/search?q=QUERY&indexes=epstein_files` — **our API, unauthenticated, unattributed**
When both his DOJ proxies fail — which they do, because the DOJ doesn't appreciate headless browsers hammering their endpoints — he falls back to our index. He maps our response fields (`efta_id`, `content_preview`, `char_count`) to the DOJ format and serves them as if they came from justice.gov.
His commit history confirms it:
| Date | Commit Message | Translation |
|------|---------------|-------------|
| Feb 6, 19:59 | "add duggan usa api back" | Re-added our API as fallback |
| Feb 7, 10:01 | "fix duggan api" | Fixed field mapping from our schema |
| Feb 7, 10:07 | "fix duggan ai" | Added "unreachable" status for our results |
| Feb 7, 10:12 | "fix duggan api querying" | Improved error handling for our endpoint |
Four commits in two days getting our API integration working. The word "back" in the first commit means he had it before, removed it, and re-added it. He needed us.

## The Monetization

His site runs **Google AdSense** (publisher ID: `ca-pub-7222520064986105`) on every page. He also tried Monetag push notification ads — ten commits in a single day struggling with the integration before eventually removing them.
The business model: index nothing yourself, proxy the DOJ when you can, fall back to DugganUSA when you can't, and collect ad impressions from the traffic.

## The Attribution (or Lack Thereof)

The footer of epstein-check.org reads:
> *Data sources: DOJ Epstein Library | DBpedia*
That's it. No mention of DugganUSA. No mention of analytics.dugganusa.com. No mention of the 329,000+ documents we indexed, the face detection pipeline we built, or the $76/month we spend to keep it running.
We indexed all 12 EFTA datasets. He indexed zero. We built the search infrastructure. He built a proxy.

## The Numbers

Our Cloudflare analytics told the story:
- **4,113 requests** from epstein-check.org in 7 days
- **50 unique IP addresses** across 25+ countries
- **Top source:** A Worldstream Netherlands IP (818 requests) — likely his server-side backend
- Users from Sweden, Brazil, Afghanistan, Pakistan, Estonia, Germany, Greece, Moldova, Kazakhstan, France, Spain, and more — all hitting our API through his site
His site claims to have "115,000+ DOJ Epstein court documents." We have 329,000+. The difference is he didn't index anything — he just asked us.

## The Block

As of February 21, 2026, epstein-check.org is blocked at two layers:
1. **Cloudflare WAF** — Rule `f88a6def` blocks any request with `epstein-check.org` in the referer header at the edge. Zero compute cost to us.
2. **Application layer** — The `BLOCKED_REFERERS` array in our search API returns 403 for any request originating from his domain.
He joins an exclusive list alongside `onehack.st` and its mirrors — hacking forums that were previously our only blocked referrers.
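
One way the application-layer check could look, as an added example that is not DugganUSA's actual code: only the `BLOCKED_REFERERS` name and the two hostnames come from the post, while the function names and sample requests are constructed. It matches on the parsed hostname of `Referer` and `Origin` rather than on a substring, and because both headers are client-supplied it hands every other request on to the API-key check.

```javascript
// Added example. Only BLOCKED_REFERERS and the two hostnames come from the
// post; function names and sample requests are constructed for illustration.
const BLOCKED_REFERERS = ['epstein-check.org', 'onehack.st'];

// Parse a Referer or Origin header value into a normalized hostname.
// Returns null for missing, malformed or non-http(s) values (e.g. "null").
function headerHost(value) {
  if (typeof value !== 'string' || value.trim() === '') return null;
  try {
    const url = new URL(value.trim());
    if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
    return url.hostname.toLowerCase().replace(/\.$/, ''); // drop trailing dot
  } catch {
    return null;
  }
}

// True when host is a blocked domain or a subdomain of one. Matching on
// label boundaries avoids the false positives of a plain substring test.
function isBlockedHost(host, blocklist = BLOCKED_REFERERS) {
  if (!host) return false;
  return blocklist.some((d) => host === d || host.endsWith('.' + d));
}

// Decide what to do with a request, given its headers (lowercase keys, as
// Node's http module exposes them). Browsers send Origin on cross-site
// fetch() calls, so both headers are checked.
function checkReferer(headers) {
  const hosts = [headerHost(headers.referer), headerHost(headers.origin)];
  const hit = hosts.find((h) => isBlockedHost(h));
  if (hit) return { allowed: false, status: 403, host: hit };
  // Not a blocked referrer: continue to the API-key check, which is the
  // control that also covers requests carrying no Referer at all.
  return { allowed: true };
}

// Constructed sample requests.
const SAMPLE_REQUESTS = [
  { referer: 'https://epstein-check.org/search?q=test' }, // blocked
  { origin: 'https://www.epstein-check.org' },            // blocked (subdomain)
  { referer: 'https://epstein-check.org.example.net/' },  // different site
  { referer: 'not a url' },                               // malformed
  {},                                                     // no headers
];

for (const h of SAMPLE_REQUESTS) console.log(JSON.stringify(h), checkReferer(h));
```
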

## The Lesson

We built the Epstein document search because public records should be publicly accessible. We publish our EFTA numbers. We cite our sources. We built a face detection pipeline, a crowdsource identification system, and 10 investigative deep dives — all verifiable at justice.gov/epstein.
What we didn't build was a free API for Austrian grad students to wrap in AdSense.
If you want to use our data, register for an API key at [epstein.dugganusa.com](https://epstein.dugganusa.com). Free tier gets you 1 query per day — enough to evaluate. If you want more, there's a pricing page. If you want to build a business on top of our index, email [email protected] and we'll talk.
What you don't get to do is scrape our infrastructure, strip our attribution, and collect ad revenue. That's not open-source research. That's parasitism.
*Justin — if you're reading this, your repo is public. Your commit messages are public. Your AdSense publisher ID is public. We don't begrudge a student project. We begrudge the zero-attribution ad-revenue play. Register for a key, credit your sources, and we're good. The API is there for researchers. Be one.*

*DugganUSA LLC operates a searchable index of 329,000+ DOJ Epstein documents, a STIX/TAXII threat intelligence feed serving 275+ organizations in 46 countries, and an OSINT platform at [dugganusa.com](https://www.dugganusa.com). Infrastructure cost: $76/month. Attribution: always.*
*Her name was Renee Nicole Good.*
*His name was Alex Jeffery Pretti.*