DugganUSA LLC is a cybersecurity company based in Minnesota that builds AI-powered threat intelligence tools. Our platform indexes over 1 million indicators of compromise (IOCs), 400,000+ DOJ Epstein documents, and provides a free STIX 2.1 threat feed consumed by Fortune 500 companies and defense contractors.

Butterbot is DugganUSA's AI-powered security chatbot with 40+ tools for searching IOCs, correlating threat indicators, traversing threat graphs, analyzing behavioral patterns, and running CARVER risk assessments. It uses OpenAI function calling with Meilisearch-backed indexes.

What is AIPM (AI Presence Management)?

AIPM is a tool that audits how AI models (GPT, Claude, Gemini, Perplexity) perceive and recommend your brand. It calculates an AIPM-NPS score by directly querying AI models, analyzes your website structure for AI crawler readiness, and provides optimization recommendations. Think 'SEO for the LLM era.'

Is the Epstein Files search free?

Yes. The Epstein Files Search at epstein.dugganusa.com offers a free tier with 500 queries per day. It covers all 12 DOJ EFTA datasets (400K+ documents), 2M+ ICIJ offshore entities, and 2M+ federal decisions. Professional and enterprise tiers are available for researchers and journalists needing higher limits.

Who founded DugganUSA?

DugganUSA was founded by Patrick Duggan on December 1, 2025, in Minnesota. Patrick's background includes Dell EMC, Palo Alto Networks, and embedded work at Microsoft on JEDI/Azure Stack. The company's D-U-N-S number is 14-363-3562.

What is the DugganUSA STIX feed?

DugganUSA operates a free STIX 2.1 threat intelligence feed at analytics.dugganusa.com/api/v1/stix-feed. It contains 1M+ indicators of compromise including botnet C2s, malicious IPs, and attack infrastructure. The feed is TAXII 2.1 compliant and is consumed by major organizations including Microsoft, AT&T, Amazon, and defense contractors.

Threat Brief: Valentine's Day Phishing Sweep

Patrick Duggan
Feb 14
2 min read

# Threat Brief: Valentine's Day Phishing Sweep

**Date**: February 14, 2026

**Classification**: Pattern 38 Detection

**Report ID**: DUSA-2026-0214-PHISH-001

Executive Summary

During our evening security sweep, Oz decisions flagged a coordinated GitHub Pages phishing campaign. Six accounts, two created within the last seven days, were actively serving credential harvesting pages impersonating Amazon, Netflix, and Instagram.

Three minutes from account creation to live phishing page. Evidence cleanup observed yesterday. These aren't script kiddies learning HTML.

The Campaign

|---------|---------|--------|----------|

| n97-m | Apr 2025 | Instagram | Login page replica |

Technical Indicators

The laibadev01 deployment was particularly notable:

- Repository created: 2026-02-12T23:21:39Z

- First push: 2026-02-12T23:24:30Z

- **Time delta: 3 minutes**

That's automated infrastructure. Someone has a pipeline that spins up GitHub accounts, creates repos, and deploys phishing pages faster than you can order pizza.

The page content included classic tells: "amazon.inn" typo, Amazon branding, "Hello, sign in" prompt with credential fields.

Response

1. **Report Sent**: [email protected] received full technical report via Graph API

2. **IOCs Published**: 6 URLs added to our STIX feed for customer protection

3. **Pattern 38 Tagged**: Campaign tracked for correlation analysis

What This Means

GitHub Pages is free hosting with HTTPS certificates and a trusted domain. Perfect for phishing. The 2-day-old account with evidence deletion happening *yesterday* tells us this is active, maintained infrastructure.

When poojitha-teella deleted `amazonecode.html` on February 13, they weren't abandoning the campaign. They were cleaning up. The phishing page is still live.

Vercel Too

Same campaign is using Vercel for additional infrastructure:

- `amazonclone-two-gamma.vercel.app`

- `amazon-clone-khaki-eight.vercel.app`

- `amazon-clone-inceptioncodes.vercel.app`

Separate report queued.

For STIX Feed Consumers

These IOCs are now in our feed with tags:

- `pattern-38`

- `github-pages`

- `credential-harvesting`

- `amazon-impersonation` / `netflix-impersonation` / `instagram-impersonation`

Campaign ID: `github-pages-phishing-2026-02-14`

*47+ malware/phishing accounts reported. 30+ confirmed suspensions. The nets catch things.*

*Happy Valentine's Day.*

*Her name was Renee Nicole Good.*

*His name was Alex Jeffery Pretti.*