The 780th Military Intelligence Brigade put up a post last week about a report from Orange Cyberdefense called "The Hidden Network." If you have not seen it, the headline is uncomfortable. China's Ministry of State Security is running cyber offensive operations through what looks like a normal civilian web. Fourteen corporate shells based in Hainan, a regional university, and a single MSS handler at the center. You graph the connections and it is a hub and spoke. Pure manufactured identity. Zero organic depth.
Every one of those fourteen "companies" is a stage prop. Real address, real registration, real LinkedIn pages with employees who maybe exist and maybe do not. But pull the thread on who actually runs them and every line goes back to the same node. It is a network in the same way a movie set is a town. There is a front and there is nothing behind it.
The reason this works is the same reason your captcha is failing right now. Volume is the weapon, and volume is free.
What "free" actually means
When I say free, I mean it costs the adversary effectively nothing to maintain those fourteen shells. Domain registrations are pennies. Setting up GitHub orgs and X profiles is rate-limited but not metered. Generating LinkedIn employees with stable-diffusion headshots and plausible bios runs maybe a tenth of a cent per identity. The whole apparatus, end to end, probably costs less to operate than what a midsize US company spends on a single trade show.
Compare that to the cost a real corporation pays to exist. Office leases. Payroll. Tax filings. The mechanical drag of being an actual business with actual employees doing actual work. That asymmetry is the entire game. The legitimate side has a cost floor in the millions. The state-backed manufactured side has a cost floor near zero.
This is the part that makes infosec teams give up. You cannot detect "malicious intent" at scale. Intent is invisible. What you can detect is the shape of the network, and by the time you have mapped the shape, the adversary has spun up the next batch.
Where Softwar comes in
In April of 2021, Admiral Sam Paparo, who runs Indo-Pacific Command, testified to Congress about exactly this asymmetry. He did not use the word "asymmetry." He used the vocabulary from Jason Lowery's Softwar thesis almost word for word. Energy projection. Kinetic filtering. Cost imposition as the basis for cyber deterrence.
Lowery's argument, boiled down, is that the entire premise of cheap digital warfare is that interactions in cyberspace do not cost anything in physical reality. Send a packet, send a million packets, the marginal cost is zero. So the optimal strategy for an unconstrained adversary is to flood. Cheap is the whole point.
The countermove is to make interactions cost real-world energy. Not metaphorically. Actually. Make every meaningful action on your infrastructure require proof that physical work was expended. Now those fourteen shells have a budget. Now the automation multiplier collapses, because the multiplier was the whole reason it was profitable to run fourteen shells in the first place.
This is what Paparo was saying. He was saying the US military runs a Bitcoin node not for ideology but because proof-of-work is a kinetic filter that nation-state adversaries cannot trivially scale through. The economics are the defense.
What this looks like as a product
I have been building two things at PowForge that try to be small honest implementations of this idea.
The first is pow-captcha, which is a drop-in replacement for the Cloudflare and hCaptcha-style gates you put in front of forms and APIs. The difference is that the gate is proof-of-work, not "click the buses." When a real user hits your endpoint, they burn a couple of seconds of laptop CPU and pass through. When a bot farm wants to hit you a million times, it has to burn a couple of seconds of laptop CPU times a million. Suddenly the math on volume attacks looks different. There is a Lightning-skip tier too, where you pay 100 sats instead of doing the PoW, which is the cheaper option for legitimate users on weak devices. The whole stack is on npm as @powforge/captcha.
The second is pow-attest, which is more recent. It is a Schnorr attestation oracle compatible with the dlcspecs DLC standard. The interesting part is not that it signs events. There are plenty of oracles that sign events. The interesting part is what you have to do to register one. Posting a bounty on pow-attest requires expended PoW. That gates the supply side of the marketplace, not just the request side. A nation-state adversary who wants to flood the oracle with fake bounties to drown signal in noise has to pay the energy floor for each one. The TLV endpoint at attest.powforge.dev/api/v1/bounty/{id}/announcement.tlv returns a 205-byte binary blob that any dlcspecs-compatible wallet can parse and verify. Standard wire format. Non-standard cost model.
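The gate described for pow-captcha, and the same energy floor applied to bounty posting in pow-attest, can be pictured as a hashcash-style challenge. The sketch below is an added example, not code from @powforge/captcha or pow-attest; the function names, the challenge format, and the SHA-256 leading-zero-bits difficulty rule are all assumptions made for illustration.

```javascript
// Added example: stateless proof-of-work gate. All names and formats are hypothetical.
const crypto = require('crypto');

const SERVER_KEY = crypto.randomBytes(32); // per-deployment secret (constructed here)
const spent = new Set();                   // replay cache; a TTL store in a real deployment

// Count the leading zero bits of a digest.
function leadingZeroBits(buf) {
  let bits = 0;
  for (const byte of buf) {
    if (byte === 0) { bits += 8; continue; }
    bits += Math.clz32(byte) - 24; // clz32 counts over 32 bits; a byte uses the low 8
    break;
  }
  return bits;
}

// Server: bind salt, difficulty and expiry with an HMAC so no per-challenge state is stored.
function issueChallenge(bits, ttlMs, now = Date.now()) {
  const body = `${crypto.randomBytes(16).toString('hex')}.${bits}.${now + ttlMs}`;
  const mac = crypto.createHmac('sha256', SERVER_KEY).update(body).digest('hex');
  return `${body}.${mac}`;
}

// Client: search for a nonce whose hash meets the difficulty. This is the priced step.
function solve(challenge) {
  const bits = Number(challenge.split('.')[1]);
  for (let nonce = 0; ; nonce++) {
    const h = crypto.createHash('sha256').update(`${challenge}:${nonce}`).digest();
    if (leadingZeroBits(h) >= bits) return nonce;
  }
}

// Server: one HMAC and one hash per request, however long the client worked.
function verify(challenge, nonce, now = Date.now()) {
  const parts = challenge.split('.');
  if (parts.length !== 4) return 'malformed';
  const [salt, bits, expires, mac] = parts;
  const body = `${salt}.${bits}.${expires}`;
  const expected = crypto.createHmac('sha256', SERVER_KEY).update(body).digest();
  const given = Buffer.from(mac, 'hex');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return 'forged';
  if (now > Number(expires)) return 'expired';
  const h = crypto.createHash('sha256').update(`${challenge}:${nonce}`).digest();
  if (leadingZeroBits(h) < Number(bits)) return 'insufficient-work';
  if (spent.has(challenge)) return 'replayed'; // a solved challenge buys exactly one request
  spent.add(challenge);
  return 'ok';
}
```

Each extra difficulty bit doubles the expected client work, while the server's verification cost stays constant; the HMAC keeps a client from lowering the difficulty or extending the expiry on its own challenge.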
Both products sit on the same theory of the case. You cannot make adversaries less motivated. You can make them less efficient.
Why I keep writing about this
The 780th MIB post got under my skin because it is rare to see an intel agency publicly admit how cheap and obvious the attack pattern is. Fourteen shells. One handler. Hainan and a university. That is not sophisticated tradecraft. That is the cheapest possible cover story, and it works because the cost of running it is essentially zero.
The Softwar thesis says you flip that math by making the cost not-zero. Pricing interactions in PoW or sats is one knob. There are others. None of them are silver bullets. What they do is raise the floor.
Raise the floor enough and the attack pattern stops being profitable. Stop the pattern from being profitable and the fourteen shells go back to being eleven shells, then six, then none. The hub-spoke network is a function of the cost curve. Change the curve and the network reorganizes.
That is the entire pitch. It is not a complete solution. It is the right shape of solution.
If you want to look at the implementations, the captcha lives at captcha.powforge.dev and the oracle at attest.powforge.dev. Both are open and have npm packages or compatibility shims for the DLC ecosystem. The TLV endpoint at /api/v1/bounty/{id}/announcement.tlv is live now, returning a 205-byte OracleAnnouncement blob that any dlcspecs wallet can parse. The next step is a dlcdevkit example PR so DLC builders can wire pow-attest into their existing nodes end-to-end.
Volume is the weapon. PoW is the floor. The fourteen shells are the proof that nobody is bothering to enforce it yet.
Zeke