- Patrick Duggan
- Feb 25
Updated: Apr 25
# The Probe: 7,498 Threats in One Day, and the French Infrastructure Behind Them
On February 24, 2026, someone ran a coordinated reconnaissance operation against DugganUSA's infrastructure. Not a botnet. Not script kiddies. A structured, two-phase probe from French intelligence-adjacent infrastructure during Paris business hours — with Chinese follow-on and Microsoft Azure persistence.
We know because we log everything. Server-side. No JavaScript required. Can't be blocked.
## The Timeline
Our Cloudflare data shows two surgical bursts four hours apart:
- **06:00 UTC (7:00 AM Paris)**: 3,064 threats out of 4,387 requests. 69.8% of all traffic was hostile.
- **10:00 UTC (11:00 AM Paris)**: 3,008 threats out of 4,168 requests. 72.2% hostile.
Between the bursts: quiet. They were analyzing what they found. The baseline for the week was 1,000-1,700 threats per day. They delivered 7,498 in 24 hours.
## The Actors
**185.177.72.13 — FBW Networks SAS, France.** Appeared at 06:32 UTC, inside the first spike. Hit 50 unique paths in 18 seconds. PHP vulnerability scanning, admin panel hunting, secret file hunting, backup file hunting. That's not manual exploration. That's a pre-built target list executed by automated tooling. Someone provisioned infrastructure specifically for this scan.
**101.36.123.228 — UCloud HK (China-adjacent).** Appeared at 07:10 UTC, right after the French wave subsided. Same technique: 50 paths in 10 seconds. PHP scanning plus admin panel hunting. Either piggybacking or coordinated.
**2a01:e0a:b71:ede0:* — Free SAS, French residential ISP.** Multiple IPv6 addresses active between 20:00 and 21:48 UTC. Someone went home from work and kept looking from their home connection. Enrichment API access — they were testing what our threat intel endpoints return.
**52.167.144.x and 20.215.220.x — Microsoft Azure.** Multiple IPs flagged for admin panel hunting and sharing /24 address blocks with known indicators of compromise. Someone is running reconnaissance tooling from Azure infrastructure. These weren't one-off hits — they've been recurring since February 13.
## The Country Breakdown
France accounted for 6,298 of 7,498 threats — **84% of the entire day's hostile traffic**.
The full Five Eyes and allied intelligence community showed up in the data:
| Alliance | Countries | Threats | Requests |
|----------|-----------|---------|----------|
| Five Eyes | US, GB, AU, CA, NZ | 626 | 20,039 |
| Nine/Fourteen Eyes | FR, DE, NL, NO, SE | 6,595 | 8,900 |
| Adversary States | CN, RU | 18 | 243 |
France alone generated more threat traffic than the rest of the world combined. Germany added another 287 threats at a 43.9% threat ratio. Poland hit 87.8%. Belgium: 77.8%.
The Five Eyes countries (US, GB, AU, CA) were comparatively polite — high request counts but low threat ratios (1-3.6%). They were reading, not probing. France was probing.
## What They Were Looking For
The behavioral analysis tells us exactly what the scanners targeted:
- **PHP vulnerability scanning** — testing for unpatched frameworks
- **Admin panel hunting** — looking for /admin, /wp-admin, /dashboard, login pages
- **Secret hunting probes** — searching for .env files, config files, API keys, credentials
- **Backup file hunting** — looking for .bak, .sql, .tar.gz files left exposed
This is a standard offensive security reconnaissance playbook. You build a target list, provision infrastructure, run the scan during business hours so it blends with normal traffic, then analyze results offline.
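The two signals described above (many distinct paths from one IP within seconds, and paths that fall into the four probe categories) can be checked server-side from access logs. The following is an added example, not DugganUSA's behavioral analysis engine: the regex patterns, the thresholds, and the log lines (documentation-range IPs) are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed patterns for the four probe categories named in the post.
CATEGORIES = {
    "php_scan": re.compile(r"\.php$", re.I),
    "admin_hunt": re.compile(r"^/(admin|wp-admin|dashboard|login)(/|$)", re.I),
    "secret_hunt": re.compile(r"(^|/)\.env(\.|$)|/config\.(json|ya?ml|ini)$", re.I),
    "backup_hunt": re.compile(r"\.(bak|sql|tar\.gz)$", re.I),
}

def classify(path):
    """Return the set of probe categories a request path matches."""
    path = path.split("?", 1)[0]  # ignore the query string
    return {name for name, rx in CATEGORIES.items() if rx.search(path)}

def find_scanners(events, min_paths=20, window=timedelta(seconds=30)):
    """Flag IPs requesting >= min_paths distinct paths inside one sliding window.

    events: (timestamp, ip, path) tuples sorted by timestamp.
    Thresholds are assumed starting points, not values from the post.
    """
    recent = defaultdict(deque)  # ip -> (timestamp, path) still inside the window
    flagged = {}
    for ts, ip, path in events:
        q = recent[ip]
        q.append((ts, path))
        while ts - q[0][0] > window:
            q.popleft()
        unique = {p for _, p in q}
        if len(unique) >= min_paths:
            hit = flagged.setdefault(ip, {"paths": 0, "categories": set()})
            hit["paths"] = max(hit["paths"], len(unique))
            for p in unique:
                hit["categories"] |= classify(p)
    return flagged

def sample_events():
    """Constructed log: one scanner (50 paths in under 18 s) and one ordinary reader."""
    t0 = datetime(2026, 2, 24, 6, 32, 0)
    stems = ["/app{}/index.php", "/admin/panel{}", "/cfg{}/.env", "/dump{}.sql", "/old{}.bak"]
    scan = [(t0 + timedelta(seconds=0.36 * i), "203.0.113.7", stems[i % 5].format(i // 5))
            for i in range(50)]
    reader = [(t0 + timedelta(seconds=s), "198.51.100.20", p)
              for s, p in [(0, "/"), (60, "/search?q=test"), (200, "/about")]]
    return sorted(scan + reader)

if __name__ == "__main__":
    for ip, hit in find_scanners(sample_events()).items():
        print(ip, hit["paths"], sorted(hit["categories"]))
```

Counting distinct paths rather than raw requests keeps a reader who reloads one page from tripping the threshold, while a pre-built target list trips it within seconds.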
## What They Found
Nothing.
Three Azure services. Debian containers. No PHP. No WordPress. No admin panels. No .env files exposed. No backup files. The attack surface is a locked door with no doorknob.
Our auto-blocker caught every probe. Our behavioral analysis scored every IP. Our Cloudflare layer blocked the threats before they touched origin. The 7,498 "threats" are 7,498 failures.
## Why This Matters
We run the largest searchable index of Epstein files on the internet. 388,000+ DOJ documents. 2 million ICIJ offshore entities. 920,000 threat indicators. Cross-indexed and searchable in seconds.
When you make 10.3 million government documents searchable — documents the government itself released but buried in unsearchable formats — people notice. Some of those people have .gov email addresses and scanning infrastructure in allied countries.
We expected this. That's why we built the behavioral analysis engine. That's why we log server-side. That's why our auto-blocker reports to AbuseIPDB and maintains a Cloudflare IP list called, and we're not making this up, "malicious_assholes."
## The Recorded Future Signal
The same day as the probe, an analyst from Recorded Future — the intelligence community's preferred threat intelligence vendor — registered for our STIX feed. We upgraded them to enterprise tier for free. When the IC's commercial intel provider shows up at your door, you know the product works.
Also this week: Goldman Sachs' Ontic physical security platform was crawling our site. Someone searched our Epstein index for "Babel Street" — a surveillance analytics vendor used by DHS, DOJ, and the intelligence community. Microsoft Teams users are sharing our links internally and spending 14 minutes per session.
## The Math
Two people. Three Azure services. $600/month. 10.3 million documents. 275+ STIX consumers in 46 countries. 14 press articles in 4 countries. A tool built on our API that became the #1 Epstein tool on GitHub. And now, a coordinated reconnaissance operation from French infrastructure that found exactly nothing to exploit.
The government's own documents, made searchable, are interesting enough to probe. The probe found a locked door.
We see you. We log you. We publish about you.
That's the point.
*DugganUSA LLC is a Minnesota-based threat intelligence company. Our Epstein Files search engine is free, requires no login, and is available at [epstein.dugganusa.com](https://epstein.dugganusa.com). Our STIX feed serves 275+ consumers in 46 countries. We guarantee 5% of this analysis is wrong. That's honest.*
*Her name was Renee Nicole Good.*
*His name was Alex Jeffery Pretti.*