- Patrick Duggan
- Feb 13
# The Receipts: A Timeline of Calling It First
**Published:** February 14, 2026
**Author:** Patrick Duggan
## The Problem
We publish threat intelligence with timestamps. Major vendors publish the same findings weeks or months later. The timestamps don't lie. The citations are sparse.
This post documents the pattern.
## Supply Chain Discovery Timeline
### Anusfragger → Zscaler "NodeCordRAT"
| Metric | DugganUSA | Zscaler |
|--------|-----------|---------|
| **Published** | November 25, 2025 | January 7, 2026 |
| **Lead Time** | - | **43 days later** |
| **Market Cap** | ~$90/month | $25 billion |
**The Attack:**
- npm supply chain delivery
- Discord C2 communication
- Chrome credential theft
- MetaMask/crypto wallet targeting
- API token exfiltration
We called it Anusfragger. We wrote a metal song about it. The song is timestamped on Suno. The blog is timestamped on Wix. The IOCs are timestamped in our STIX feed.
Zscaler gave it a boardroom-safe name and a press release.
### FireSuper/Pattern 38 → Palo Alto Unit 42 "GitHub SEO Poisoning"
| Metric | DugganUSA | Unit 42 |
|--------|-----------|---------|
| **Published** | November 23, 2025 | January 22, 2026 |
| **Lead Time** | - | **60 days later** |
| **Market Cap** | ~$90/month | $75 billion |
**The Attack:**
- GitHub repositories masquerading as legitimate tools
- SEO poisoning to appear in search results
- Credential harvesting via fake software
- Coordinated sleeper account networks
We published Pattern 38 detection methodology. We caught FireSuper the same day. We reported 13 accounts to GitHub Security.
Unit 42 published the same TTPs two months later. No citation.
### Moltbot Pattern → ClawHavoc Campaign
| Metric | DugganUSA | Industry Headlines |
|--------|-----------|-------------------|
| **Published** | February 2, 2026 | February 4, 2026 |
| **Lead Time** | - | **2 days later** |
We published "Moltbot Supply Chain Attack: Why We Dodged It" explaining the AI agent plugin supply chain attack vector.
Two days later, ClawHavoc breaks: 341 malicious OpenClaw skills, 9,000+ installations compromised, AMOS stealer payload.
Same pattern. Same vector. We called it.
### Shai-Hulud V2 (npm Worm)
| Metric | DugganUSA | Industry |
|--------|-----------|----------|
| **Published** | December 4, 2025 | Still not widely covered |
| **Scale** | 700+ packages, 27,000+ repos | - |
We found a self-propagating npm worm named after the sandworms from Dune. It uses preinstall hooks to harvest credentials via TruffleHog and inject into GitHub Actions.
700+ compromised npm packages. 27,000+ affected GitHub repositories.
Still waiting for the Zscaler press release.
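The preinstall-hook vector described above can be checked for before anything is installed. The following is an added example, not code from this post or from DugganUSA: it audits parsed `package.json` manifests for install-time lifecycle scripts. The marker heuristics and the sample package names are assumptions made for illustration, not indicators from the post.

```javascript
// Added example, not code from the original post: flag npm install-time
// lifecycle hooks, which npm runs automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Heuristic markers chosen for illustration (assumptions, not IOCs from the post).
const MARKERS = [
  { name: "download-and-run", re: /\b(curl|wget)\b[^|;&]*[|;&]+\s*(sh|bash|node)\b/i },
  { name: "secret-scanner", re: /trufflehog/i },
  { name: "workflow-write", re: /\.github\/workflows/i },
  { name: "inline-eval", re: /\bnode\s+(-e|--eval)\b/i },
];

// manifest: a parsed package.json object. Returns one finding per install hook.
function auditManifest(manifest) {
  const scripts =
    (manifest && typeof manifest.scripts === "object" && manifest.scripts) || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const command = scripts[hook];
    if (typeof command !== "string" || command.trim() === "") continue;
    const markers = MARKERS.filter((m) => m.re.test(command)).map((m) => m.name);
    findings.push({
      package: `${manifest.name || "(unnamed)"}@${manifest.version || "?"}`,
      hook,
      command,
      markers,
      // Any install hook deserves a look; a marker hit moves it to the front.
      severity: markers.length > 0 ? "review-now" : "review",
    });
  }
  return findings;
}

function auditAll(manifests) {
  return manifests.flatMap(auditManifest);
}

// Constructed sample manifests (hypothetical package names, not real packages).
const SAMPLE_MANIFESTS = [
  { name: "left-padder", version: "1.0.0", scripts: { test: "node test.js" } },
  { name: "native-thing", version: "2.3.1", scripts: { install: "node-gyp rebuild" } },
  { name: "example-compromised", version: "9.9.9",
    scripts: { preinstall: "node -e \"require('./bootstrap.js')\"" } },
];

console.log(JSON.stringify(auditAll(SAMPLE_MANIFESTS), null, 2));
```

Feed it the `JSON.parse` result of each `package.json` in a dependency tree; installing with `npm ci --ignore-scripts` keeps these hooks from running while the findings are reviewed.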
## Early Warning Timeline
### Christmas Eve 2025: Aisuru Botnet DDoS
| Event | Time (UTC) | Source |
|-------|------------|--------|
| ThreatFox publishes 20 Aisuru C2s | 15:26 | abuse.ch |
| DugganUSA STIX feed updated | 15:51 | Our logs |
| Steam, Xbox, PlayStation, Riot, Epic go down | 19:00 | Global reports |
| All 20 C2s offline | 21:00 | Our probes |
**Lead time: 3 hours 34 minutes.**
We had the attack infrastructure indexed before the first packet flew. Anyone consuming our feed could have blocked the C2s before the DDoS hit.
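Consuming a STIX feed for blocking means turning indicator patterns into block entries while honouring revocation and validity windows. The following is an added example, not the feed operator's code: it assumes the feed returns a STIX 2.1 bundle whose indicators use simple equality patterns, and the sample bundle (documentation-range IPs, a reserved TLD, placeholder ids and timestamps) is constructed.

```javascript
// Added example, not the feed operator's code. Assumes the feed returns a
// STIX 2.1 bundle whose indicators use simple equality patterns such as
// [ipv4-addr:value = '198.51.100.7'].
const COMPARISON =
  /\b(ipv4-addr|ipv6-addr|domain-name|url):value\s*=\s*'((?:[^'\\]|\\.)*)'/g;

// Returns de-duplicated {type, value, indicatorId} entries active at `now`.
function extractBlockEntries(bundle, now = new Date()) {
  if (!bundle || bundle.type !== "bundle" || !Array.isArray(bundle.objects)) {
    throw new TypeError("input is not a STIX bundle");
  }
  const seen = new Set();
  const entries = [];
  for (const obj of bundle.objects) {
    if (obj.type !== "indicator" || obj.revoked === true) continue;
    if ((obj.pattern_type || "stix") !== "stix") continue; // skip YARA, Snort, ...
    if (obj.valid_from && new Date(obj.valid_from) > now) continue; // not yet valid
    if (obj.valid_until && new Date(obj.valid_until) <= now) continue; // expired
    for (const m of String(obj.pattern || "").matchAll(COMPARISON)) {
      const key = `${m[1]}|${m[2].toLowerCase()}`;
      if (seen.has(key)) continue;
      seen.add(key);
      entries.push({ type: m[1], value: m[2], indicatorId: obj.id });
    }
  }
  return entries;
}

// Constructed sample bundle: documentation-range IPs, reserved TLD, fake ids.
const T = "2026-01-01T10:00:00Z";
const ind = (n, pattern, extra = {}) => ({
  type: "indicator", spec_version: "2.1", pattern_type: "stix",
  id: `indicator--00000000-0000-4000-8000-00000000000${n}`,
  created: T, modified: T, valid_from: T, pattern, ...extra,
});
const SAMPLE_BUNDLE = {
  type: "bundle",
  id: "bundle--00000000-0000-4000-8000-000000000000",
  objects: [
    ind(1, "[ipv4-addr:value = '198.51.100.7']"),
    ind(2, "[domain-name:value = 'c2.example.invalid']"),
    ind(3, "[ipv4-addr:value = '198.51.100.7']"), // duplicate value
    ind(4, "[ipv4-addr:value = '203.0.113.9']", { revoked: true }),
    ind(5, "[ipv4-addr:value = '203.0.113.10']", { valid_until: "2026-01-01T11:00:00Z" }),
  ],
};

const NOW = new Date("2026-01-01T12:00:00Z");
console.log(extractBlockEntries(SAMPLE_BUNDLE, NOW));
```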
### React CVE-2025-55182 (CVSS 10.0)
| Event | Timeline |
|-------|----------|
| Zero-day drops | December 3, 2025 |
| DugganUSA patched | December 4, 2025 |
| Downtime | Zero |
571,249 public servers vulnerable. 39% of cloud environments. Maximum severity RCE.
We patched both services in 24 hours with zero downtime.
## Epstein Files Timeline
### Published February 2, Headlines February 4-6
| Our Finding | Document | Outcome |
|-------------|----------|---------|
| Mandelson forwarding UK gov emails to Epstein | EFTA01300430-441 | UK police investigation opened, properties searched, **resigned from Parliament** |
| Lutnick $50K donation via "Gratitude America" (2017) | EFTA02229607-881 | CBS News, Times of Israel, Commerce Secretary answering questions |
| DiIorio whistleblower (Apollo/Kushner mapping) | EFTA00010819 | NPR covering redaction failures |
| Leon Botstein "taken to island" | EFTA02221547 | NY Times, Variety reporting |
We indexed 329,442 documents. 10x more than any other tool. Published findings with document receipts. Headlines appeared days later.
## Counterintelligence Evidence
### Threat Actors Read Our Blog
| Date | Our Activity | Honeypot Spike | Location |
|------|-------------|----------------|----------|
| Nov 23 | Caught FireSuper + anuxagfr | 374 requests (76% of traffic) | Hong Kong |
| Nov 25 | Suspensions processing | 184 requests (60% of traffic) | UK |
| Nov 30 | Posted calling cards on 4 malware accounts | 249 requests + 6 THREATS BLOCKED | Australia |
| Dec 3 | Published Shai-Hulud analysis | 155 requests (59% of traffic) | Netherlands |
The honeypot spikes correlate with our publications. Same day. Every time.
They're reading. They're reacting.
### The Krebs Attacker Reached Out
October 15-16, 2025: Someone scraped dugganusa.com using residential proxies. 285 requests from Canada, 135 MB extracted. Classic reconnaissance.
October 23, 2025: Email arrives. Subject: "Layer3 Tripwire integration."
The sender? Someone who at age 15 attacked Brian Krebs, at 21 did 13 months federal for DDoS booter services, and at 27 is now selling anti-fraud solutions.
Eight days after our reconnaissance detection. Same day we published the threat intel report.
> "If I was breaking NTP reflection records at 15 imagine what I'm up to at 27."
## Who's Using Our Feed
### Confirmed Consumers (Logged)
| Company | Market Cap | Notes |
|---------|------------|-------|
| Microsoft | $3T | Regular STIX feed consumer |
| Google | $2T | Regular STIX feed consumer |
| AT&T | $150B | Regular STIX feed consumer |
| Lumen | $7B | Regular STIX feed consumer |
### Published Our Findings Later (No Citation)
| Company | Market Cap | Their Discovery | Our Prior Art | Delta |
|---------|------------|-----------------|---------------|-------|
| Zscaler | $25B | NodeCordRAT (Jan 7) | Anusfragger (Nov 25) | 43 days |
| Palo Alto | $75B | GitHub SEO Poisoning (Jan 22) | Pattern 38 (Nov 23) | 60 days |
### Who Actually Credits Us
| Source | Citation |
|--------|----------|
| CyberSecurityNews | "API built by Patrick Duggan on DugganUSA.com" |
| News9live (India) | Credits DugganUSA API for LinkedIn search tool |
| EpsteIn GitHub README | "Epstein files indexed by DugganUSA.com" |
| Hacker News | 81 upvotes discussing our API |
| Open Source For You | Credits DugganUSA for 329K document index |
## The Pattern
1. We publish with timestamps and document receipts
2. Major vendors publish the same findings weeks/months later
3. Attribution is sparse
4. The timestamps don't lie
## The Numbers
| Metric | Value |
|--------|-------|
| Security blog posts | 111 |
| IOCs tracked | 272,310+ |
| STIX indicators (24h) | 1,251 |
| Epstein documents indexed | 329,442 |
| Lead time on Zscaler | 43 days |
| Lead time on Unit 42 | 60 days |
| Lead time on Aisuru DDoS | 3h 34m |
| Monthly infrastructure cost | ~$90 |
| Combined market cap of companies using our feed | $100B+ |
## The Point
We're not asking for money. The feed is free. We're not asking for jobs. We have the infrastructure.
We're asking for citation.
When you publish findings we published first, link back. When you use our API, mention it. When you build tools on our index, credit the source.
The timestamps exist. The receipts are public. The pattern is documented.
This is the record.
**STIX Feed:** https://analytics.dugganusa.com/api/v1/stix-feed
**Epstein Search:** https://epstein.dugganusa.com
**Contact:** [email protected] | @hakksaww on Bluesky
*The receipts don't lie. Neither do we.*
*Her name was Renee Nicole Good.*
*His name was Alex Jeffery Pretti.*



