Research & Side Projects

Building to understand.

To truly understand privacy and adversarial thinking, you have to operate in the environments you're trying to defend. This page documents my ongoing research projects — the most substantial of which is DarkPulse Security.

🧅 LIVE · TOR HIDDEN SERVICE

DarkPulse Security

DarkPulse Security is a privacy-first cybersecurity news aggregator that operates exclusively as a Tor hidden service. It exists because most mainstream security news sites are heavy with trackers, ads, and fingerprinting — which is a strange way to deliver news to an audience whose whole professional concern is surveillance.

The site aggregates content from 18+ public RSS feeds — CISA, Krebs on Security, BleepingComputer, The Hacker News, SANS ISC, Dark Reading, and others — and republishes summaries in a minimal, static, JavaScript-free format. No cookies, no analytics, no third-party requests.

Alongside the news stream it maintains a mirror of the CISA Known Exploited Vulnerabilities catalog (1,500+ actively exploited CVEs, refreshed daily), a ransomware group tracker covering 300+ active and defunct groups, and a weekly long-form case file series dissecting events like Silk Road, Stuxnet, NotPetya, SolarWinds, Equifax, and Colonial Pipeline. A daily threat-temperature gauge gives a rough read of the current operational environment.

DarkPulse is operated under the pseudonym TheMacwan. That is deliberate. The operational separation between the professional identity writing these words and the pseudonymous identity running the onion is part of the research, not a marketing gimmick.

http://547wvakqims5btixp25iob3cmouz32i77ar24eaddlqpqnh3mja3lqyd.onion

Requires Tor Browser. The site will not load over the clearnet, by design.

The Architecture: Whonix + VirtualBox

DarkPulse is hosted on a Whonix stack running on VirtualBox. Whonix is a two-VM design: a Gateway VM that does nothing but route traffic through Tor, and a Workstation VM that hosts the actual services but has no idea what its real IP address is. The Workstation can only reach the network through the Gateway, and the Gateway will not route anything outside of Tor.

This is traffic-isolation discipline at the hypervisor level, not the application level. It means even a full compromise of the Workstation — a bad dependency, a zero-day in the web server, a misconfiguration — cannot leak the origin IP, because the Workstation genuinely does not know it. The only network interface it sees is an internal virtual one that speaks to the Gateway.

That's a structurally different guarantee than "we configured the firewall carefully." Most Tor hidden-service deopsxsxs fail because an application running on the host accidentally makes a clearnet request — an errant DNS lookup, a call to a CDN, a telemetry ping. With Whonix, those requests have nowhere to go.

VirtualBox was chosen over KVM or Xen for honest reasons: it runs on the commodity hardware I already own, the documentation is excellent, and Whonix distributes first-class VirtualBox images. When the goal is learning, using the best-documented path is usually the right call.

The Content Pipeline

The aggregator itself is a small Python application. It polls RSS feeds on a four-hour refresh cycle, deduplicates against a local cache, and regenerates static HTML. There is no database. There is no dynamic content. Every page the visitor sees was written to disk before they arrived.

The feed list is split into tiers. Tier 1 sources (CISA advisories, the KEV catalog, a small number of high-signal blogs) are always pulled. Tier 2 is split into 2A and 2B and alternates — this keeps the total request volume reasonable while still surfacing a broad range of perspectives over a 24-hour window.

Alongside the news stream, the site carries a set of curated resource pages: a breach-response checklist, a plain-English glossary, a safety guide for people who think they might be targeted. Those are hand-written and updated when something meaningful changes, not on a schedule.

The weekly case files drop on Mondays. They are written in advance, queued, and released by a cron job. Writing them a week ahead lets me edit with a cooler head than I'd have if I were publishing in real time.

Operational Separation

TheMacwan is a different identity from Raj Macwan. Different PGP key (RSA-4096, separate keyring), different writing voice, different signing habits. The only crosswalk between the two identities is this page — and the blog post linked at the bottom — because I've decided the research itself is worth publishing under my real name.

The onion carries a PGP-signed warrant canary that rotates on a known cadence. Canaries are signaling, not legal protection. They are a convention that lets a careful reader notice when something changes, without requiring the operator to say anything they are not allowed to say. If the canary stops updating, that is information.

Why bother with the separation at all, if I'm publishing the connection here? Because the two identities serve different purposes. Raj Macwan is a professional identity with a career, an employer, and a public track record. TheMacwan is an experimental identity for a research project whose whole point is understanding how hidden services are built and defended. Mixing those contexts would compromise both: the professional identity would pick up operational-security mistakes, and the research identity would pick up commercial pressure.

What I Learned

Privacy engineering is a discipline, not a toolset. Tor, Whonix, and PGP do not make a system private. A rigorous operating procedure does. The tools make the procedure possible.
Hidden services are slow — design for that. Three-hop circuits add real latency. Static HTML, no JavaScript, small images. Anything that requires a second round-trip will feel broken to the user.
Static is safer than dynamic. No database means no SQL injection. No server-side rendering means a much smaller attack surface. "Boring" is a security posture.
Journaled aggregation gives you resilience. When a source feed goes down — and they do — a local cache means the site keeps working. Don't call live; call once, store, serve from storage.
Canaries are signaling, not shields. They cannot compel anyone to do anything. They only tell a careful reader that conditions have changed.
Operational separation is harder than it sounds. Writing style leaks. Time-of-day patterns leak. Vocabulary leaks. Maintaining two voices consistently is the part of the project that required the most deliberate practice.
Open-source tooling is genuinely better for privacy infrastructure. Not for ideological reasons — because you can audit it, fork it, and freeze a version that you trust. Proprietary stacks force you to trust the vendor's update cycle.
Most "dark web" coverage is nonsense. The vast majority of Tor traffic is ordinary people avoiding surveillance. The criminal fraction is real but small, and it is not the interesting engineering story.

Why I Publish This

Both the project and the identity separation are public facts. The onion's existence does not need to be a secret — it is advertised, linked, and discussed. What needs protection is the identity of visitors, not the operator. Readers of a security news site have good reasons to want their reading habits private: they may be researchers, journalists, vulnerable people, or simply professionals whose employers would rather not see them reading about ransomware on the corporate VPN.

Publishing the research under my real name, on a page like this one, makes the intent legible. This is not a market; it is not a product; it is a body of work. If that is useful to anyone else trying to think through the same questions, better that it is out in the open than whispered about.

Visit DarkPulse (.onion — requires Tor Browser) Read the Blog Post