The Scattered Spider Trilogy: Win, Lose, and Give It Away
- Patrick Duggan
- Jan 8
- 3 min read
Act I: The Win
- Target: European Space Agency
- Haul: 500GB of spacecraft operational data
- Method: Credential theft, lateral movement, exfiltration
- Status: "We still have access"
SpaceX, Airbus, Thales Alenia Space contractor data. Satellite failure modes. Contingency plans. The kind of intelligence nation-states pay good money for.
Verdict: WIN
Act II: The Loss
- Target: Resecurity
- Haul: 28,000 consumer records, 190,000 payment transactions
- Method: Standard reconnaissance and exploitation
- Plot twist: It was all fake
Resecurity saw them coming. Built a honeypot. Populated it with synthetic data and already-breached records to make it look lived-in. Let them "succeed."
Then dropped the reveal. The "compromised" systems were isolated sandboxes. The "stolen" data was fabricated. The screenshots Scattered Spider posted as proof? Evidence they fell for a trap.
Someone claiming to be "the real ShinyHunters" denied involvement afterward. Sure.
Verdict: LOSS
Act III: The Giveaway
- Asset: CVE-2025-61882 (CVSS 9.8)
- Value: Unauthenticated RCE in Oracle E-Business Suite
- Distribution method: Posted on "SCATTERED LAPSUS$ HUNTERS" Telegram
- Price: Free
- Who profited: Clop
On October 3, 2025, Scattered Spider leaked a working exploit for a critical Oracle vulnerability on their Telegram channel. The next day, Oracle released an emergency patch. Too late—Clop had been using it since August.
Organizations compromised: 103
Datasets on torrent sites: 77
Victims including: Michelin, Canon, Mazda, Estée Lauder, Broadcom, Harvard, Dartmouth
Estimated extortion revenue: Millions
Amount Scattered Spider made from the leak: $0
They did the work. Clop cashed the check.
Verdict: ???
The Pattern
| Act | Target | Outcome | Scattered Spider Gets |
|-----|--------|---------|-----------------------|
| I | ESA | 500GB exfiltrated | Nation-state-grade intel |
| II | Resecurity | Honeypotted | Embarrassment |
| III | Oracle (via leak) | 103 orgs owned | Nothing |
This is the problem with being a "loose alliance" instead of an organized operation. No brand control. No operational security. No monetization strategy.
One faction hits the European Space Agency and walks away with spacecraft data.
Another faction falls for a honeypot and gets publicly embarrassed.
And someone in the group decides to leak a multi-million-dollar exploit for free on Telegram, letting a completely different criminal organization make all the money.
The Comedy
Scattered Spider isn't a threat group. It's a scene.
Different crews using the same name, the same TTPs, and occasionally the same Telegram channels. Some are competent (ESA). Some are sloppy (Resecurity). Some are generous to a fault (Oracle leak).
The left hand doesn't know what the right hand is giving away.
The Tragedy
103 organizations. 77 leaked datasets. 40,000+ people at Dartmouth alone with their SSNs in criminal hands.
Because a threat actor thought Telegram clout was worth more than operational security.
Recommendations
- The "Scattered Spider" label covers multiple competence levels. Some crews will fall for a honeypot. Some won't.
- Assume they're sharing tools freely—what works on one target will be tried on you.
- If you have a CVSS 9.8 zero-day, maybe don't post it on Telegram for free.
- Brand dilution is real—every honeypot embarrassment hurts the name.
- Clop appreciates your charitable contributions.
The Trilogy
Three posts. One day. One group. Three very different outcomes.
Comedy comes in threes.
About DugganUSA: We publish free threat intelligence for the 99% who can't afford enterprise security. Unlike Scattered Spider, we're consistent about what we give away.
Her name is Renee Nicole Good.