The Mentat's Analysis: Who's Behind Pattern 38?
- Patrick Duggan
- Nov 25, 2025
- 5 min read
*"It is by will alone I set my mind in motion."*
I Warned You I'm a Mentat
For the uninitiated: In Frank Herbert's Dune universe, a Mentat is a human trained to perform computer-like analysis after thinking machines were banned. They cultivate "the naïve mind" - perception without prejudice - to extract patterns from data.
I've been telling GitHub Security this for days. They haven't responded. But they've suspended four accounts I reported, so someone's listening.
Now let's do what Mentats do: analyze the data and make educated guesses about attribution.
The Data Points
Over the past 72 hours, we've collected:
• FireSuper (404)
• rampubg14-cmyk (404)
• anuxagfr (404)
• winchmrsmilegodsgf (404)
• standardgalactic: 911,935 following, Canada
• dirambora: 63,468 following, "Nairobi, Kenya" + "Google Women TechMakers Ambassador"
• andrecrafts: 11,959 following, = WafflesExploits security researcher
• barrylustig: 827 repos, 98.97% mechanical timing
• esin: 190,939 following, account from 2009
• fenngjixuchui: Chinese username, 2012
• chennqqi: Chinese username (chen = surname, qq = messenger), 2013
• C2: 149.102.156.62 (Contabo GmbH, Germany)
• Malware: Stealc/Rhadamanthys (Russian-speaking forum MaaS)
• `winchmrsmilegodsgf` = "Mr Smile" tribute
• `siagfnd` = Sigmund Freud anagram
The First Mistake: Assuming Profiles = Attackers
Here's where most analysts go wrong.
They see "Nairobi, Kenya" and think "Kenyan threat actor." They see a Chinese username and think "PRC operation."
Wrong.
These accounts aren't created by the attackers. They're stolen.
The 2022-2023 Credential Breach Connection
Remember what happened in 2022-2023?
| Breach | Date | What Leaked |
|--------|------|-------------|
| CircleCI | Jan 2023 | GitHub tokens |
| LastPass | Dec 2022 | Password vaults |
| Heroku/Travis CI | Apr 2022 | OAuth tokens |
| GitHub OAuth | Apr 2022 | Direct token theft |
Millions of developer credentials hit the market. Genesis Market. Russian Market. 2easy.
The Pattern 38 operators didn't create accounts. They purchased them.
This explains everything:
1. Geographic diversity - Kenya, Canada, China locations are the VICTIMS, not attackers
2. Legitimate bios - "Google Women TechMakers Ambassador" was a real person whose account got jacked
3. Account ages (2009-2018) - Older accounts are more valuable, pre-breach
4. 90-180 day dormancy - Gap between breach and attacker activation
5. No password resets - Attackers have the actual credentials
The profiles tell us about the victims. Not the attackers.
What DOES Tell Us About the Attackers
1. Malware Choice: Russian-Speaking Forums
Stealc and Rhadamanthys are sold on XSS, Exploit, and other Russian-speaking cybercrime forums. Rhadamanthys runs about $250/month for a subscription.
You don't need to BE Russian to buy it. But you need to navigate Russian-speaking underground markets.
Indicator: CIS ecosystem integration
2. C2 Infrastructure: Contabo GmbH
• Cheap VPS ($5-10/month)
• Low KYC requirements
• Slow abuse response
• Popular with Eastern European actors
It's not "bulletproof" like TEHCOFF or those shady Romanian hosts, but it's bulletproof-*friendly*.
Indicator: CIS operational pattern
3. Cultural Signatures: Mr Smile
This is where it gets interesting.
`winchmrsmilegodsgf` is a tribute to Hamza Bendelladj, an Algerian hacker known as "Mr Smile" who stole $217 million via the SpyEye trojan. Arrested in Thailand in 2013, extradited to the US, sentenced to 15 years.
In North African and MENA hacker culture, Bendelladj is a folk hero. The smiling mugshot. The Robin Hood narrative (allegedly donated to Palestine, though never proven).
Someone in this operation idolizes Hamza Bendelladj.
Indicator: North African cultural affinity
4. Psyops Sophistication: Sigmund Freud
`siagfnd` is an anagram of "Sigmund Freud."
• Knows Western psychological references
• Thinks about perception and manipulation
• Has a sense of humor about it
Combined with the mechanical timing analysis (Pattern 41), we're looking at operators who understand both automation AND psychology.
Indicator: European/Western education, psyops awareness
The Mentat's Hypothesis
┌─────────────────────────────────────────────────────────────────┐
│ PATTERN 38 OPERATORS: "Mr Smile Crew" │
├─────────────────────────────────────────────────────────────────┤
│ │
│ ORIGIN: CIS (Russia/Ukraine/Belarus) │
│ CONFIDENCE: 65% │
│ │
│ EVIDENCE: │
│ ├─ Malware: Russian-speaking forum MaaS │
│ ├─ C2: Contabo (CIS-friendly infrastructure) │
│ ├─ Credentials: Purchased from Genesis/Russian Market │
│ └─ Operations: Sophisticated automation + psyops │
│ │
│ CULTURAL AFFINITY: North African (MENA) │
│ CONFIDENCE: 75% │
│ │
│ EVIDENCE: │
│ ├─ "Mr Smile" tribute usernames │
│ └─ Hamza Bendelladj hero worship │
│ │
│ STATE AFFILIATION: Tolerated, possibly contracted │
│ CONFIDENCE: 50% │
│ │
│ REASONING: │
│ ├─ Russian cybercrime operates with tacit state approval │
│ ├─ Financial motivation aligns with state interests │
│ └─ No evidence of direct state control │
│ │
└─────────────────────────────────────────────────────────────────┘
What This Is NOT
This is not APT28/Fancy Bear. Wrong targeting profile. APT28 does espionage, not credential theft.
This is not Lazarus Group. Wrong malware. Lazarus uses custom tools, not commodity MaaS.
This is not a Chinese operation. The Chinese usernames are from stolen accounts, not operator OPSEC.
This is not a North African operation. Cultural affinity ≠ nationality. Western hackers idolize Kevin Mitnick too.
What This Probably IS
A CIS-origin cybercrime syndicate that:
1. Purchases stolen developer credentials from 2022-2023 breaches
2. Activates accounts after 90-180 day dormancy periods
3. Deploys commodity infostealers (Stealc/Rhadamanthys)
4. Operates C2 on bulletproof-friendly German hosting
5. Has cultural ties to the North African hacker scene
6. Operates with likely Russian state tolerance (not control)
They're not nation-state. They're not script kiddies. They're professional criminals operating in the gray zone.
The Follow-Farm Connection
The follow-farm network (standardgalactic with 911K follows, etc.) serves a purpose:
1. Social proof - Accounts with followers look legitimate
2. Network obfuscation - Hard to trace real relationships
3. Platform gaming - Inflate metrics that GitHub's algorithms reward
But here's the thing: the follow-farm accounts are ALSO probably stolen.
An account created in 2009 (esin) that suddenly starts following 190,000 accounts? That's not the original owner. That's someone who bought access and is using it to build infrastructure.
What Happens Next
We've reported this to GitHub Security. They've acted on the malware accounts (4 suspended). They haven't touched the follow-farm network yet.
The STIX bundle is updated with attribution data. The IOCs are public.
What we can't do: arrest anyone. That's for law enforcement.
What we CAN do: make their infrastructure visible. Document their patterns. Burn their accounts faster than they can buy new ones.
Conclusion: The Naïve Mind
The Mentat cultivates "the naïve mind" - analysis without prejudice.
• Kenyan location ≠ Kenyan attacker
• Russian malware = Russian ecosystem access
• Mr Smile tribute = cultural affinity marker
• 2009 account + 2025 suspicious activity = stolen credentials
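The account-takeover heuristics above (old account, sudden mass following, a dormancy gap before the activity burst, and the mechanical timing mentioned under Pattern 41) can be turned into a small triage check. The following is an added example, not code from the original post or from DugganUSA; the account records are constructed, the field names (`created`, `following`, `last_organic`, `burst_start`, `event_times`) are assumptions, and the regularity measure (one minus the coefficient of variation of inter-event gaps) is a simple stand-in, not the post's own Pattern 41 metric.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import List

# Constructed account record. Field names are assumptions for this example.
@dataclass
class Account:
    login: str
    created: datetime          # account creation date
    following: int             # number of accounts followed
    last_organic: datetime     # last activity attributable to the original owner
    burst_start: datetime      # first event of the new activity wave
    event_times: List[datetime] = field(default_factory=list)  # events in the wave


def timing_regularity(times: List[datetime]) -> float:
    """Return a 0..1 score; 1.0 means perfectly even spacing between events.

    Computed as 1 - (stdev / mean) of the inter-event gaps, clipped to [0, 1].
    This is a simple proxy for 'mechanical timing', not the post's own metric.
    """
    if len(times) < 3:
        return 0.0
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    m = mean(gaps)
    if m == 0:
        return 1.0
    return max(0.0, 1.0 - pstdev(gaps) / m)


def takeover_indicators(acct: Account, now: datetime) -> List[str]:
    """Return the names of the takeover heuristics an account matches.

    Thresholds are assumptions chosen to mirror the post's reasoning:
    - old account that suddenly follows a very large number of accounts
    - at least 90 days of silence before the burst (post describes 90-180 days)
    - near-perfectly regular event timing
    """
    hits = []
    age_years = (now - acct.created).days / 365.25
    dormancy_days = (acct.burst_start - acct.last_organic).days
    if age_years >= 7 and acct.following >= 10_000:
        hits.append("old-account-mass-follow")
    if dormancy_days >= 90:
        hits.append("breach-to-activation-gap")
    if timing_regularity(acct.event_times) >= 0.9:
        hits.append("mechanical-timing")
    return hits


NOW = datetime(2025, 11, 25)

# Constructed sample: an old account, dormant for months, then a burst of
# events spaced exactly 300 seconds apart.
SUSPECT = Account(
    login="example-old-account",
    created=datetime(2009, 1, 1),
    following=190_000,
    last_organic=datetime(2025, 6, 1),
    burst_start=datetime(2025, 11, 1),
    event_times=[datetime(2025, 11, 1) + timedelta(seconds=300 * i) for i in range(10)],
)

# Constructed sample: a younger account with ordinary follow counts and
# irregular, human-looking activity.
ORGANIC = Account(
    login="example-normal-account",
    created=datetime(2021, 5, 10),
    following=120,
    last_organic=datetime(2025, 11, 20),
    burst_start=datetime(2025, 11, 21),
    event_times=[datetime(2025, 11, 21) + timedelta(seconds=s)
                 for s in (0, 600, 5000, 5400, 20000, 20100, 70000)],
)


def triage(accounts: List[Account], now: datetime = NOW) -> dict:
    """Map each login to the list of heuristics it trips."""
    return {a.login: takeover_indicators(a, now) for a in accounts}


if __name__ == "__main__":
    for login, hits in triage([SUSPECT, ORGANIC]).items():
        print(f"{login}: {hits or 'no indicators'}")
```

Any single hit is only a lead; the post's own point is that the combination (age, follow burst, dormancy gap, machine-regular timing) is what separates a stolen account from an eccentric but legitimate one, so a reviewer would act on accounts tripping several heuristics, not one.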
The pattern is clear. The attribution is moderate confidence. The operation continues.
*"The first step in avoiding a trap is knowing of its existence."*
STIX Feed: analytics.dugganusa.com/api/v1/stix-feed
• [Follow the Followers: Unraveling GitHub's Shadow Social Graph](https://www.dugganusa.com/post/follow-the-followers-unraveling-github-s-shadow-social-graph)
• [Dear GitHub Security: You're Welcome](https://www.dugganusa.com/post/dear-github-security-you-re-welcome)
*DugganUSA LLC - "It is by will alone I set my mind in motion."*