We Hung a Honeypot at churchofdockermoreskin.com - 42 Countries Came Knocking
- Patrick Duggan
- Dec 4, 2025
The Setup
We run a satirical DevOps philosophy site at churchofdockermoreskin.com. It's a static nginx container serving one HTML file about Docker best practices delivered through absurd metaphors.
Nobody should be visiting it. It's not indexed. It's not promoted. It exists purely for the bit.
So we hung a honeypot and watched.
42 Countries. 6,845 Requests. 8 Threats Blocked.
One month of Cloudflare analytics on a site that has no business getting traffic:
| Country | Requests | % of Traffic |
|---------|----------|--------------|
| US | 1,913 | 27.9% |
| Sweden | 1,168 | 17.1% |
| Germany | 668 | 9.8% |
| Russia | 520 | 7.6% |
| Hong Kong | 475 | 6.9% |
| Singapore | 410 | 6.0% |
| Netherlands | 339 | 5.0% |
| UK | 309 | 4.5% |
| Australia | 252 | 3.7% |
| China | 237 | 3.5% |
42 countries total. For a joke website about Docker and sex toys.
The Sweden Problem
17.1% of traffic from Sweden.
Sweden has 10 million people. The US has 330 million. Yet Sweden generates 61% as much traffic as the entire United States.
Per capita, Sweden is hitting our honeypot at 20x the rate of the US.
• Mullvad VPN (privacy-focused, based in Gothenburg)
• Bahnhof (activist ISP, hosts WikiLeaks)
• Major Tor exit node concentration
This isn't Swedish citizens interested in Docker philosophy. This is infrastructure traffic - scanners, crawlers, and bots routing through Swedish privacy infrastructure.
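The per-capita comparison above, extended to every row of the country table, as an added example (not code from the original post). The US and Sweden populations are the post's figures; the other populations are rounded approximations, and the 5x flag threshold is an arbitrary choice for this example.

```python
# Requests per country, copied from the table in the post.
REQUESTS = {
    "US": 1913, "Sweden": 1168, "Germany": 668, "Russia": 520,
    "Hong Kong": 475, "Singapore": 410, "Netherlands": 339,
    "UK": 309, "Australia": 252, "China": 237,
}

# Population in millions. US and Sweden use the post's numbers; the rest are
# rounded approximations supplied for this example.
POP_M = {
    "US": 330, "Sweden": 10, "Germany": 84, "Russia": 144,
    "Hong Kong": 7.5, "Singapore": 5.9, "Netherlands": 18,
    "UK": 68, "Australia": 26, "China": 1410,
}

def overrepresentation(requests, pop_m, baseline="US"):
    """Return {country: per-capita request rate relative to the baseline country}."""
    base = requests[baseline] / pop_m[baseline]
    return {c: (n / pop_m[c]) / base for c, n in requests.items()}

def flag(ratios, threshold=5.0):
    """Countries at or above `threshold` times the baseline rate, highest first."""
    hits = [(c, r) for c, r in ratios.items() if r >= threshold]
    return sorted(hits, key=lambda cr: cr[1], reverse=True)

if __name__ == "__main__":
    for country, ratio in flag(overrepresentation(REQUESTS, POP_M)):
        print(f"{country}: {ratio:.1f}x the US per-capita rate")
```

Small hosting hubs score high on this measure because the denominator counts residents, not servers, so a flag is a prompt to look at which networks the requests come from rather than a verdict.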
The November 30th Spike
| Date | Requests | Threats | Notable |
|------|----------|---------|---------|
| Nov 29 | 111 | 0 | Normal |
| Nov 30 | 345 | 6 | Australia: 249 requests |
| Dec 01 | 223 | 0 | Back to normal |
• Traffic 3x'd overnight
• 6 threats blocked (highest single day)
• Australia went from ~0 to 249 requests (72% of day's traffic)
Something in Australia decided to hammer our Church. Cloudflare blocked 6 of them as threats.
What happened on November 30th? We don't know. But someone noticed.
The Usual Suspects
Russia at 7.6% - Expected. Every honeypot sees Russian scanners. Cost of doing internet business.
Hong Kong at 6.9% - Higher than expected. Possible China routing through HK infrastructure.
Singapore at 6.0% - Major cloud/VPS hub. Probably legitimate scanner infrastructure.
Netherlands at 5.0% - Hosting capital of Europe. Expected.
What's Actually Hitting Us?
From the Azure container logs, we caught one request in real-time:
```
[04/Dec/2025:15:38:39 +0000] "GET / HTTP/1.1" 200 20792 "-" "python-requests/2.32.4" "12.74.71.124"
```
User-Agent: `python-requests/2.32.4`
IP: AT&T residential, Indianapolis
At least they're honest - `python-requests` doesn't pretend to be Chrome. This is automated tooling, openly declared.
The Three-Dimensional View
We're watching the honeypot from three angles:
| Source | What It Shows |
|--------|---------------|
| Cloudflare | Geographic distribution, threat blocks, WAF triggers |
| Azure Logs | Raw nginx access, user agents, exact timestamps |
| GA4 | JavaScript execution (if they run JS = real browser) |
• Cloudflare sees everything (6,845 requests)
• GA4 sees almost nothing (bots don't execute JavaScript)
• Azure logs show the user agents (mostly `python-requests`, `curl`, `Go-http-client`)
Conclusion: 95%+ of traffic is automated scanning. The 5% of humans who find it are probably security researchers who read our blog.
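One way to get the user-agent breakdown out of the raw nginx lines, as an added example (not code from the original post). It assumes the log uses the line shape shown earlier, with the forwarded client IP as the last quoted field; every sample line except the first is constructed, using documentation IP ranges.

```python
import re
from collections import Counter

# Anchored on the timestamp so a leading "$remote_addr - $remote_user" is tolerated.
LINE_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<client>[^"]*)"'
)
# HTTP libraries the post names, matched by User-Agent prefix.
DECLARED_TOOLS = ("python-requests/", "curl/", "Go-http-client/")

SAMPLE = [  # first line is from the post; the rest are constructed
    '[04/Dec/2025:15:38:39 +0000] "GET / HTTP/1.1" 200 20792 "-" "python-requests/2.32.4" "12.74.71.124"',
    '[04/Dec/2025:15:40:02 +0000] "HEAD / HTTP/1.1" 200 0 "-" "curl/8.5.0" "192.0.2.10"',
    '[04/Dec/2025:15:41:17 +0000] "GET /robots.txt HTTP/1.1" 404 153 "-" "Go-http-client/1.1" "198.51.100.7"',
    '[04/Dec/2025:15:42:55 +0000] "GET / HTTP/1.1" 200 20792 "-" "-" "203.0.113.5"',
    '[04/Dec/2025:15:44:30 +0000] "GET / HTTP/1.1" 200 20792 "-" "Mozilla/5.0 (X11; Linux x86_64)" "203.0.113.9"',
    '[04/Dec/2025:15:45:01 +0000] "GET / HT',  # truncated line, must not crash the run
]

def classify(ua):
    """Bucket a User-Agent string; the header is client-supplied, so this is a floor on automation."""
    if ua in ("", "-"):
        return "no-user-agent"
    if ua.startswith(DECLARED_TOOLS):
        return "declared-tool"
    return "browser-like"  # only JS-execution evidence (GA4) can confirm a real browser

def summarize(lines):
    """Count requests per bucket and per declared tool; report unparsable lines separately."""
    counts, tools, unparsed = Counter(), Counter(), 0
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            unparsed += 1
            continue
        kind = classify(m["ua"])
        counts[kind] += 1
        if kind == "declared-tool":
            tools[m["ua"].split("/")[0]] += 1
    parsed = sum(counts.values())
    automated = counts["declared-tool"] + counts["no-user-agent"]
    return {"counts": dict(counts), "tools": dict(tools), "unparsed": unparsed,
            "automated_share": automated / parsed if parsed else 0.0}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```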
What We Learned
1. Every Domain Gets Scanned
It doesn't matter if you're a Fortune 500 or a joke website about Docker. If you have a domain, you're getting scanned. Within hours of going live.
2. Geographic Anomalies Tell Stories
Sweden at 17% isn't random. It's infrastructure. When you see unexpected geographic concentrations, dig into what's actually there (VPNs, Tor nodes, hosting providers).
3. Spikes Correlate With Events
The November 30th Australia spike happened for a reason. Maybe we got mentioned somewhere. Maybe someone added us to a scan list. Maybe it was random. But spikes are signals.
4. Threat Blocking Works
8 threats blocked by Cloudflare WAF on a site with no dynamic content. These weren't false positives - someone tried something nasty and got stopped.
Why This Matters
Every organization has "unimportant" infrastructure. Dev servers. Marketing microsites. That WordPress blog from 2019 nobody remembers.
They're all getting scanned. Right now. By 42 countries.
The question isn't whether you're being probed. The question is whether you're watching.
The Data
Full Cloudflare analytics for churchofdockermoreskin.com, November 2025:
Total Requests: 6,845
Unique Visitors: ~1,200
Countries: 42
Threats Blocked: 8
Top Traffic: US (27.9%), Sweden (17.1%), Germany (9.8%)
Anomalies: Australia spike (Nov 30), Sweden overrepresentation (20x per capita)
Recommendations
1. Monitor your forgotten domains - They're honeypots whether you intended them to be or not
2. Use multi-dimensional analytics - Cloudflare + server logs + JavaScript analytics = complete picture
3. Investigate geographic anomalies - Sweden at 17% means something
4. Watch for threat spikes - 6 threats in one day on a static site = someone's testing you
*The Church of Docker Moreskin: Teaching DevOps through absurdity, collecting threat intel through existence.*
Tags: #honeypot #threat-intel #cloudflare #sweden #geographic-anomalies #passive-reconnaissance
Get Free IOCs
Subscribe to our threat intelligence feeds for free, machine-readable IOCs:
AlienVault OTX: https://otx.alienvault.com/user/pduggusa
STIX 2.1 Feed: https://analytics.dugganusa.com/api/v1/stix-feed